How We Work

A structured methodology for external risk verification

VERA’s assessment process is designed to be repeatable, auditable, and independent of vendor cooperation. Each phase produces documented evidence that supports defensible risk conclusions.

Phase One: Discovery & Scoping

VERA establishes the organization’s internet-facing footprint by identifying owned domains, IP ranges, cloud infrastructure, and affiliated entities. This forms the scope boundary for all subsequent collection and analysis.

Scope confirmation includes subsidiary mapping, acquired entities, and known third-party hosting relationships to reduce the likelihood of omitted exposure.

  • Domain and subdomain enumeration
  • ASN and IP range attribution
  • Cloud provider and CDN identification
  • Subsidiary and brand entity mapping

Phase Two: Evidence Collection

VERA performs passive intelligence collection across a continuously expanding set of risk categories using public and independently verifiable sources.

Collection combines direct-source verification with AI-assisted OSINT analysis where information is distributed across the public web. Only retrieved source evidence is used in the assessment process.

  • Attack surface exposure, TLS posture, security headers, and protective controls
  • DNS and email authentication including SPF, DKIM, DMARC, DNSSEC, MTA-STS, and BIMI
  • Known vulnerabilities, end-of-life software, and CISA KEV matches
  • Breach disclosures, credential leaks, and ransomware reporting
  • Certification and compliance verification against issuing body registries
  • Public code repositories, exposed secrets, and credential leakage
  • Observable security maturity indicators across staffing, tooling, and operations
  • Financial, legal, sanctions, and reputational risk indicators
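As an added example, not VERA's own code or scoring logic, the Python script below shows how the DNS and email-authentication items in the list above (SPF, DMARC, MTA-STS) can be evaluated passively once the TXT records have been retrieved from public DNS. Every record value is a constructed sample so the script runs offline, and the severity labels, the 10-lookup SPF threshold (from RFC 7208) and the function names are assumptions of this example rather than VERA's methodology.

```python
"""Passive email-authentication posture check (added example, not VERA's code).

Evaluates SPF, DMARC and MTA-STS records the way an external assessor would
after retrieving them from public DNS. All records used below are constructed
sample values; a real collection step would fetch <domain> TXT,
_dmarc.<domain> TXT and _mta-sts.<domain> TXT before calling assess_domain().
"""
import re
from dataclasses import dataclass
from typing import Optional

# SPF terms that each cost one DNS lookup (RFC 7208 section 4.6.4 caps these at 10)
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}  # assumed scale


@dataclass
class Finding:
    category: str   # "spf", "dmarc" or "mta-sts"
    severity: str   # "high", "medium", "low" or "info"
    detail: str


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' tag list (DMARC, MTA-STS) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records: list) -> list:
    """Evaluate the SPF record(s) found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("spf", "high", "no SPF record published")]
    if len(spf) > 1:
        return [Finding("spf", "high", "multiple SPF records; receivers treat this as a permanent error")]
    findings = []
    terms = spf[0].split()[1:]
    # Split each term into its qualifier (+ - ~ ?, default +) and mechanism name.
    names = [(t[0] if t[0] in "+-~?" else "+",
              re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower()) for t in terms]
    all_qual = next((q for q, n in names if n == "all"), None)
    if all_qual is None:
        findings.append(Finding("spf", "medium", "no 'all' mechanism; unlisted senders get a neutral result"))
    elif all_qual == "+":
        findings.append(Finding("spf", "high", "'+all' authorises any host to send as the domain"))
    elif all_qual == "?":
        findings.append(Finding("spf", "medium", "'?all' is neutral and provides no protection"))
    lookups = sum(1 for _, n in names if n in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("spf", "high", f"{lookups} DNS lookups exceed the limit of 10; record evaluates to permerror"))
    return findings


def check_dmarc(record: Optional[str]) -> list:
    """Evaluate the TXT record at _dmarc.<domain> (None if absent)."""
    if record is None:
        return [Finding("dmarc", "high", "no DMARC record at _dmarc.<domain>")]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return [Finding("dmarc", "high", "malformed DMARC record (missing v=DMARC1)")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("dmarc", "medium", "p=none: monitoring only, spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("dmarc", "high", f"missing or invalid policy tag p={policy!r}"))
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(Finding("dmarc", "low", f"pct={pct}: enforcement applies to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(Finding("dmarc", "low", "no rua= address; aggregate reports are not collected"))
    return findings


def check_mta_sts(record: Optional[str]) -> list:
    """Check the MTA-STS discovery record at _mta-sts.<domain> (policy file not fetched here)."""
    if record is None:
        return [Finding("mta-sts", "medium", "no MTA-STS record; inbound TLS can be downgraded")]
    tags = parse_tags(record)
    if tags.get("v") != "STSv1" or "id" not in tags:
        return [Finding("mta-sts", "medium", "malformed MTA-STS record (expected v=STSv1; id=...)")]
    return []


def assess_domain(txt_records: list, dmarc_record: Optional[str], mta_sts_record: Optional[str]) -> dict:
    """Combine the three checks into one posture summary for a domain."""
    findings = check_spf(txt_records) + check_dmarc(dmarc_record) + check_mta_sts(mta_sts_record)
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=-1)
    worst_name = next((s for s, r in SEVERITY_RANK.items() if r == worst), "none")
    return {"findings": findings, "worst_severity": worst_name}


if __name__ == "__main__":
    # Constructed sample records for a fictional domain; not real DNS data.
    result = assess_domain(
        ["v=spf1 include:_spf.example.net +all"],
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        None,
    )
    for f in result["findings"]:
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
    print("worst severity:", result["worst_severity"])
```

The checks are deliberately record-only: DKIM selectors, the HTTPS-hosted MTA-STS policy file and DNSSEC validation each need additional retrieval steps, which is why an assessor records which evidence was actually fetched alongside each finding.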

Phase Three: Verification & Corroboration

Candidate findings pass through a multi-stage verification process before they can influence assessment results. This reduces noise, prevents entity misattribution, and ensures findings remain traceable to confirmed supporting evidence.

Findings must relate to the correct organization, remain relevant to the assessed risk category, and satisfy source credibility standards before contributing to risk scoring.

  • Source credibility analysis before and after content retrieval
  • Entity attribution validation against the assessed organization
  • Context and relevance checks for each risk category
  • Confirmation requirements for breach and incident-related findings
  • Secondary AI-assisted cross-checking against confirmed evidence

Phase Four: Scoring & Reporting

Verified findings are scored across weighted risk categories and combined into a composite VERA Score.

Assessment outputs are structured for both executive and technical audiences, providing high-level risk summaries alongside detailed evidence citations and remediation observations.

Score to risk grade

  Grade   Score    Risk level
  A       90–100   Low Risk
  B       80–89    Moderate
  C       70–79    Elevated
  D       60–69    High Risk
  F       0–59     Critical

  • Weighted category scoring based on relative risk significance
  • Composite scoring adjusted by vendor criticality tier
  • Executive summary with plain-language rationale and overall grade
  • Technical appendix with supporting evidence citations
  • Documented findings and reassessment support

Review the methodology in a live report

Walk through an anonymized assessment with a VERA analyst.
