Supply Chain Risk Management

Digital Proximity: The Metric We Had to Invent to Assess Risk

Rating vendors is not enough. This patent-pending measurement of supplier connection depth is changing how organizations prioritize supply chain risk.


Digital Proximity is a patent-pending metric developed by ThingsRecon that measures how deeply a supplier is embedded in an organization's digital environment. By analyzing technical dependencies, not just vendor ratings or contracts, it helps security teams prioritize third-party risk based on actual exposure and potential business impact.

When we started building ThingsRecon, one of the first problems we hit was deceptively simple: given a list of suppliers connected to an organization's digital environment, how do you decide which ones matter most?

The obvious answer (rank them by their security score) turned out to be the wrong answer. A supplier with a mediocre security score but a single, low-traffic DNS reference poses a fundamentally different risk than a supplier with an excellent score whose JavaScript is executing in the browser of every user on your primary e-commerce platform. The score does not capture the relationship. And the relationship is what determines the blast radius.

We needed a way to measure not just the supplier's security posture, but the depth and nature of their digital relationship with the client. We called the resulting metric Digital Proximity and filed a patent request. It is, as far as we know, the first measure of its kind.

What is Digital Proximity?

Digital proximity is a composite score that reflects how embedded a supplier is in an organization's digital surface. It is calculated from the volume, variety, and criticality of digital signals connecting the organization to the supplier.

A signal can be almost anything:

  • A DNS record pointing to a supplier's infrastructure
  • An HTTP header referencing a supplier's service
  • A JavaScript library loaded from a supplier's CDN
  • An API endpoint called from an organization's application
  • A certificate issued by a supplier's PKI
  • A tracking pixel embedded in a page

Each signal type carries a different weight. A script executing in the browser of your users is a more significant connection than a DNS TXT record used for email verification. The proximity score reflects these differences.

The resulting number tells you how much of a given supplier's infrastructure is present in your digital environment, and, by extension, how large the impact would be if that supplier's infrastructure were compromised or unavailable.
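As an added illustration, not ThingsRecon's patented formula (which this post does not publish), here is a small Python model of a composite proximity score: each signal type carries a weight, the context in which the signal was observed scales its criticality, and a wider variety of signal types lifts the total. The weights, multipliers, signal kinds, sample suppliers and the combining formula are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed per-signal-type weights (illustrative only; the real metric's weights are unpublished).
SIGNAL_WEIGHTS = {
    "script": 10,   # JavaScript executing in users' browsers
    "api": 8,       # API endpoint called from an application
    "cert": 6,      # certificate issued by a supplier's PKI
    "header": 4,    # HTTP header referencing a supplier's service
    "pixel": 3,     # tracking pixel embedded in a page
    "dns_txt": 1,   # DNS TXT record, e.g. for email verification
}
# Assumed criticality multipliers for where the signal was observed.
CONTEXT_MULTIPLIERS = {"authenticated": 2.0, "primary": 1.5, "internal": 1.2, "public": 1.0}

@dataclass(frozen=True)
class Signal:
    supplier: str   # supplier the signal has been attributed to
    kind: str       # key of SIGNAL_WEIGHTS
    asset: str      # hostname or page where the signal was observed
    context: str    # key of CONTEXT_MULTIPLIERS

def proximity_scores(signals):
    """Return {supplier: score}: volume and criticality via the weighted sum,
    variety via a 25% uplift per additional distinct signal type (assumed formula)."""
    weighted = defaultdict(float)
    kinds = defaultdict(set)
    for s in signals:
        weighted[s.supplier] += SIGNAL_WEIGHTS[s.kind] * CONTEXT_MULTIPLIERS[s.context]
        kinds[s.supplier].add(s.kind)
    return {sup: weighted[sup] * (1 + 0.25 * (len(kinds[sup]) - 1)) for sup in weighted}

def rank_suppliers(signals):
    """Suppliers ordered by proximity, highest first."""
    return sorted(proximity_scores(signals).items(), key=lambda kv: kv[1], reverse=True)

def exposed_assets(signals, supplier):
    """The organisation's own assets on which this supplier is present (its blast radius)."""
    return sorted({s.asset for s in signals if s.supplier == supplier})

# Constructed sample: a supplier with one low-traffic TXT record, an LMS whose scripts run on
# authenticated intranet pages, and a CDN serving the primary e-commerce site.
SAMPLE_SIGNALS = [
    Signal("mailverify.example", "dns_txt", "example.com", "public"),
    Signal("lms.example", "script", "intranet.example.com/courses", "authenticated"),
    Signal("lms.example", "script", "intranet.example.com/hr", "authenticated"),
    Signal("lms.example", "header", "intranet.example.com", "internal"),
    Signal("cdn.example", "script", "shop.example.com", "primary"),
    Signal("cdn.example", "pixel", "shop.example.com", "primary"),
]
```

Running `rank_suppliers(SAMPLE_SIGNALS)` puts the LMS first even though, by contract value, it would sit far down a traditional tiering.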

How Digital Proximity Changes Risk Prioritization

Most supply chain risk frameworks prioritize suppliers based on contract value, data classification, or regulatory criticality. All three are useful dimensions.

Digital proximity adds a fourth dimension that the others cannot capture: actual digital exposure.

Consider a scenario where a mid-tier SaaS platform, perhaps a learning management system, has been embedded across an organization's intranet applications. It’s not a tier-one supplier by contract value. It processes no personally identifiable data, and it’s not in scope for the organization's most rigorous annual assessment. But its scripts execute on authenticated internal pages. Its CDN serves assets to a significant proportion of the employee base. Its proximity score is high.

If that supplier's CDN is compromised — as has happened multiple times in recent years through supply chain attacks targeting JavaScript library providers — the blast radius is significant. Proximity scoring surfaces that risk. Contract-based tiering does not.

In practice, we regularly find that the highest-proximity suppliers are not the ones with the highest scrutiny in the TPRM program. They are the ones that have grown their digital footprint gradually through product integrations, developer choices, and expanding service scopes, without triggering a formal reassessment. Their risk has grown faster than the program.

The Technical Foundation for Digital Proximity

Calculating digital proximity requires solving two hard problems simultaneously: comprehensive discovery and reliable connection mapping.

Comprehensive discovery means finding all the digital signals, not just the obvious ones. Most existing tools look at DNS records and HTTP headers. ThingsRecon goes deeper: it crawls the logic inside JavaScript files to find API calls and external references, follows script chains to identify CDN dependencies, and tracks header sequences to map authentication flows.

We use geolocated scanning nodes in over 40 regions because digital infrastructure behaves differently from different locations — some assets are only visible from certain geographies, and geo-fencing can hide significant portions of a supplier's surface from single-location scans.

Connection mapping means understanding which signals relate to which suppliers and which parts of those suppliers' infrastructure. A single large platform vendor may have dozens of domains and IP ranges serving different services. We build and maintain supplier ecosystem maps that allow us to attribute connections accurately, so when we say Microsoft's proximity score is high, we can show you exactly which Microsoft services and infrastructure components are creating that score.

The combination of comprehensive discovery and accurate attribution is what makes the proximity score meaningful. Without it, you have a list of domain names. With it, you have an evidence-based map of your real digital supply chain.
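The attribution step described above, as an added example rather than ThingsRecon's own tooling: a supplier ecosystem map lists the domains and IP ranges behind each of a supplier's services, and each observed hostname, URL or address is matched against it so that a score can be traced back to the specific service creating it. The map, supplier names, service names and observations are all constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed supplier ecosystem map (an assumed structure, not ThingsRecon's real data):
# each supplier lists the domains and IP ranges that serve each of its services.
ECOSYSTEM = {
    "bigcloud.example": {
        "cdn": {"domains": ["cdn.bigcloud.example", "edge.bigcloud.example"],
                "cidrs": ["203.0.113.0/24"]},
        "identity": {"domains": ["login.bigcloud.example"], "cidrs": ["198.51.100.0/25"]},
    },
    "lms.example": {"lms": {"domains": ["lms.example"], "cidrs": ["192.0.2.0/24"]}},
}

def _host_matches(host, domain):
    # Exact match or a proper subdomain; "notbigcloud.example" must not match.
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def attribute(observation):
    """Map an observed hostname, URL or IP address to (supplier, service), or None."""
    target = (urlsplit(observation).hostname or "") if "://" in observation else observation
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None   # not an IP literal, so treat it as a hostname
    for supplier, services in ECOSYSTEM.items():
        for service, infra in services.items():
            if ip is not None:
                if any(ip in ipaddress.ip_network(c) for c in infra["cidrs"]):
                    return supplier, service
            elif any(_host_matches(target, d) for d in infra["domains"]):
                return supplier, service
    return None

def attribute_all(observations):
    """Group observations by (supplier, service); unattributed ones go under None."""
    grouped = {}
    for obs in observations:
        grouped.setdefault(attribute(obs), []).append(obs)
    return grouped

# Constructed observations, as a discovery crawl might surface them.
SAMPLE_OBSERVATIONS = [
    "https://cdn.bigcloud.example/lib/app.min.js",   # script tag on a page
    "assets.edge.bigcloud.example",                  # CNAME target
    "203.0.113.42",                                  # A record
    "login.bigcloud.example",                        # redirect seen in an auth flow
    "https://lms.example/api/v1/courses",            # API call found inside JavaScript
    "unknown.example.org",                           # nothing in the map
]
```

Whatever lands under `None` is exactly the "list of domain names" the text warns about: a signal with no attribution contributes nothing meaningful to any supplier's score until the map is extended.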

Proximity as a Vendor Risk Management Conversation Starter

One of the most valuable uses of proximity scoring we have seen in practice is as a conversation starter with suppliers. When you go to a high-proximity supplier with evidence that a specific component — not their entire estate, but the specific API endpoint or script tag that connects to your environment — has a hygiene issue, the conversation changes character entirely.

Instead of 'your annual questionnaire says you patch within 30 days, can you confirm?' you have: 'this component, which executes in our users' browsers, is running a version with three known vulnerabilities, the oldest of which is 18 months old, can you give us a remediation timeline?' That is a conversation grounded in evidence that cannot be dismissed with a policy statement.

This is the practical payoff of moving from generic scores to contextual signals: it makes remediation conversations possible and productive, rather than bureaucratic exercises in paper compliance.

What Comes Next

Digital proximity is one component of a broader approach to supply chain intelligence that we are continuing to develop. The next layer is fourth-party proximity: mapping not just the suppliers you are connected to, but the infrastructure those suppliers depend on, and scoring the indirect exposure that creates.

We are also developing proximity trending: tracking how each supplier's proximity score changes over time, so that organizations can identify which supplier relationships are growing in digital depth without corresponding growth in risk scrutiny. In most organizations, that list is longer than anyone expects.

The goal, ultimately, is to replace the static vendor register with a living map: a continuously updated, evidence-based picture of the real digital ecosystem and the risk it carries. Digital proximity is the measurement that makes that map meaningful.

If you’d like to see it applied to your digital ecosystem, request a free Proximity Snapshot.
