Digital Proximity is ThingsRecon's metric for how deeply a supplier's infrastructure connects to yours. It turns third-party risk into a single score based on actual exposure, not self-reported questionnaires.
Digital Proximity quantifies third-party risk by scoring how deeply each supplier's infrastructure connects to yours, using signals like DNS records, JavaScript, APIs, and certificates instead of self-reported questionnaires. The result is a single number per supplier that reflects real exposure and blast radius, letting security and procurement teams prioritize the suppliers that matter most right now.
Security rating companies have developed a color-coded risk score that describes the supplier’s security posture in general, not the supplier's actual relationship with your organization. Digital Proximity was built by ThingsRecon to close that gap.
Why don't vendor security scores show real exposure?
Vendor security scores rate a supplier in isolation, using self-reported questionnaires and point-in-time audits. They say nothing about how that supplier actually connects to your specific environment. A supplier with a strong score can still sit deep inside your infrastructure through scripts, APIs, and shared certificates, while a poorly scored one might touch almost nothing you run.
This is the gap between a security rating and what a supplier is actually exposing you to. It's why a supplier can pass every questionnaire your TPRM program throws at them and still be the reason a breach reaches your production environment. The Fiserv incident is a recent example of exactly this pattern: a well-established provider, embedded across a sector, turning into a single point of failure that no vendor questionnaire had flagged.
Digital Proximity approaches the problem differently. It looks past the CVSS score attached to a given vulnerability and asks a more useful question: how much of this supplier's infrastructure is actually present in your digital environment, and what happens if it goes down or gets compromised. That's the metric we ended up needing to build ourselves, because nothing on the market measured connection depth directly.
From one supplier conversation to a full portfolio view
A single proximity score is useful in a one-on-one conversation with a supplier. It becomes a different tool entirely once you apply it across an entire supplier base and start looking at the shape of the portfolio instead of individual entries.
In a recent engagement with a national cyber resilience body, we mapped proximity scores across the supplier base of an entire monitored sector rather than a single organization. What came out of it wasn't a list of vendors sorted by contract size. It was a heat map showing which suppliers sat closest to the most organizations at once, and therefore which single point of failure could ripple across the sector fastest if it went down.
That kind of cascading, sector-wide impact is exactly what contract-based vendor tiering is structurally unable to see, because it was never designed to look across organizations at once.
A similar pattern shows up inside a single organization. In one proof-of-concept scan for a global manufacturing client, the discovery process mapped 166 active suppliers connected to the client's digital environment and surfaced 543 exposed API endpoints across that supplier base, some without authentication and several carrying exposed secrets.
Of the roughly 6,500 hygiene issues the scan flagged, only 23 needed immediate action. Proximity scoring is what made that triage possible: it separated the suppliers with deep, meaningful digital connections from the long tail of suppliers who barely touch anything, so the security team could stop treating every finding as equally urgent.
How do proximity scores fit into an ongoing risk program?
A proximity score is only useful if it updates as the relationship changes. Static, annual assessments miss the supplier that quietly expands its footprint through a new integration six months after the last review. A live program tracks proximity continuously and flags material changes, so a security team spends its attention on what actually moved instead of re-reviewing every supplier from scratch every quarter.
This matters most under regulation that demands continuous oversight rather than a once-a-year checkbox. In a rollout with a regulated financial services client working toward DORA compliance, the sharpest early feedback wasn't about the platform's coverage. It was a request to filter out noise: flag the suppliers whose proximity and hygiene combination crossed a defined risk appetite threshold, and leave the rest for periodic review rather than treating every finding as an alert.
DORA and NIS2 both push in this direction, asking organizations to identify and monitor the assets and relationships that matter, continuously, rather than documenting them once a year and hoping nothing changes in between.
That same logic applies to external dependencies an organization never directly chose: a marketing tool a developer added two years ago, a CDN a supplier switched to without telling anyone.
Proximity scoring catches those relationships because it measures what's connected, not what's written down in a contract.
What quantifying risk changes for procurement and the board
Once Digital Proximity has a number attached, it stops being a security-only conversation. A procurement lead can look at the same score and understand why a renewal negotiation with a specific supplier deserves more scrutiny than the contract value alone would suggest. A board member can see a portfolio-level view of which relationships carry the most concentrated digital risk, without needing to read a stack of individual vendor questionnaires first.
This is also where proximity scoring differs from the broader category of TPRM, EASM, and GRC tools it sits alongside. Most of those tools are built to document and manage a process. Proximity scoring is built to answer a narrower, sharper question: given everything connected to you right now, which relationships would hurt the most if something went wrong?
If you're currently comparing TPRM platforms for their reporting or workflow features, proximity is worth checking for separately, because plenty of platforms manage the process well without ever measuring the thing the process is supposed to be protecting against.
Where this goes next
Quantifying third-party risk with a single supplier-level number is the first step. The next layer is understanding what your suppliers are connected to in turn, since a clean proximity score at the first tier doesn't guarantee anything about the second or third tier sitting behind it.
Getting the first number right, consistently, updated, and grounded in actual discovery rather than a questionnaire, is what makes every layer after it possible to build on.
If you want to see what your own supplier base looks like through this lens, request a free Proximity Snapshot and get an evidence-based scan on which of your suppliers carry the most risk.





