Transparency
Transparent methodology for vendor risk monitoring
Gjall aggregates publicly available security signals and applies AI analysis to help you understand risk across your vendor portfolio. Here's exactly how — including what we don't do.
All signals are sourced from free, publicly available databases. We don't pay for proprietary threat intelligence.
Real-time incident and degradation data pulled directly from vendor-operated status pages.
Signal: Ongoing outages and degradations reported by the vendor themselves.
The US government's curated list of vulnerabilities confirmed to be actively exploited in the wild.
Signal: Highest-signal security feed available — zero noise by design. Every entry is a confirmed exploit in active use.
The authoritative database of all publicly disclosed security vulnerabilities.
Signal: Filtered to CVSS 7.0+ so only HIGH and CRITICAL severity findings surface.
A probability score (0–100%) from FIRST.org estimating the likelihood a CVE will be exploited in the next 30 days.
Signal: Combined with CVSS severity for better prioritization — most high-CVSS CVEs are never exploited.
Vulnerability disclosures directly from GitHub's advisory database.
Signal: Covers the open source ecosystem — critical for software supply chain risk.
Troy Hunt's authoritative breach database covering billions of exposed credentials.
Signal: Alerts when a vendor appears in a confirmed data breach.
Community-sourced incident detection via the tech community's primary discussion forum.
Signal: Security incidents often surface on HackerNews before vendor status pages are updated.
Each vendor receives a 0–100 score based on recent signal volume. Scores decay over time.
Each vendor receives a risk score from 0–100 based on recent security signals. Scores decay automatically over time as incidents age — reflecting that a vendor's current posture matters more than historical events.

| Signal | Points |
|---|---|
| CRITICAL alert (CISA KEV or CVSS 9.0+) | +20 pts |
| HIGH alert (CVSS 7.0–8.9) | +10 pts |
| MEDIUM alert | +5 pts |
| Each day without new incidents | −5 pts (decay) |

| Score | Level | Meaning |
|---|---|---|
| 80–100 | Critical | Significant recent security activity |
| 60–79 | High | Notable recent security activity |
| 40–59 | Medium | Some recent security activity |
| 0–39 | Low | Minimal recent security activity |
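To make the point and decay rules above concrete, here is an added example (not Gjall's code) that replays a constructed alert timeline through them. It assumes decay is applied once per calendar day with no new alerts and that the running score is clamped to 0–100; the CVE tiering follows the CRITICAL and HIGH rows of the points table.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Point values, daily decay and level thresholds as stated in the tables above.
POINTS = {"CRITICAL": 20, "HIGH": 10, "MEDIUM": 5}
DAILY_DECAY = 5
LEVELS = [(80, "Critical"), (60, "High"), (40, "Medium"), (0, "Low")]


@dataclass(frozen=True)
class Signal:
    day: date        # date the alert was detected (constructed sample data below)
    severity: str    # "CRITICAL", "HIGH" or "MEDIUM"


def classify_cve(cvss: Optional[float], in_kev: bool) -> Optional[str]:
    """Tier a CVE: CISA KEV or CVSS 9.0+ is CRITICAL, CVSS 7.0-8.9 is HIGH.
    Anything below 7.0 that is not in KEV is filtered out (returns None)."""
    if in_kev or (cvss is not None and cvss >= 9.0):
        return "CRITICAL"
    if cvss is not None and cvss >= 7.0:
        return "HIGH"
    return None


def risk_score(signals: list, as_of: date) -> int:
    """Replay the timeline from the first alert up to `as_of`: add points on
    days with alerts, subtract DAILY_DECAY on quiet days, clamp to 0-100.
    Per-calendar-day decay is an assumption, not a documented detail."""
    by_day: dict = {}
    for s in signals:
        by_day[s.day] = by_day.get(s.day, 0) + POINTS[s.severity]
    if not by_day:
        return 0
    first = min(by_day)
    score = 0
    for offset in range((as_of - first).days + 1):
        day = first + timedelta(days=offset)
        score += by_day.get(day, -DAILY_DECAY)   # quiet day -> decay
        score = max(0, min(100, score))
    return score


def risk_level(score: int) -> str:
    """Map a 0-100 score to the level names from the table above."""
    for threshold, name in LEVELS:
        if score >= threshold:
            return name
    return "Low"
```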
Important caveat on risk scores
Risk scores reflect the volume and severity of security signals detected for a vendor — not an assessment of the vendor's overall security posture. A high score means we detected significant public security activity. It does not mean the vendor is insecure or that your organization is at risk. Always review individual alerts to determine relevance to your specific usage.
For HIGH and CRITICAL alerts, Claude (Anthropic) provides additional context.
Raw vulnerability data is hard to prioritize. For HIGH and CRITICAL alerts, Gjall passes the public alert data through Claude to generate four pieces of additional context:
Confidence score
0–100% estimate of how likely this alert affects a typical customer of the vendor.
Priority classification
Immediate / This Week / Monitor / Ignore — actionable triage guidance.
Plain English summary
Non-technical explanation of the issue and its potential business impact.
Recommended actions
Specific next steps with rough effort estimates (e.g., 'Rotate API keys — 15 min').
Data privacy
What we send to AI: Only the CVE description, vendor name, severity score, and EPSS data — all publicly available information.
What we never send: Your company name, customer ID, which vendors you monitor, or any identifying information.
Training: Anthropic's API does not train models on API data per their commercial terms.
A three-step process with mandatory human review.
Auto-classification
For well-known vendors (Stripe, Okta, AWS, GitHub, Cloudflare, etc.) Gjall pre-classifies criticality based on vendor type and typical enterprise usage patterns.
AI-assisted classification
For unknown vendors, Gjall asks four business questions and uses AI to suggest a criticality tier. The suggestion is based solely on how your organization uses the vendor, not on the vendor's general reputation.
Human confirmation (required)
All AI suggestions must be reviewed and confirmed by a qualified person at your organization before they affect monitoring behavior. Unconfirmed vendors default to Medium criticality.
Disclaimer
AI criticality suggestions are informational only and do not constitute professional security advice. Your organization retains full responsibility for vendor risk classifications. By confirming a classification, an authorized person at your organization acknowledges they have reviewed and approved the assessment.
Supporting evidence — not certification.
Gjall's monitoring activity generates evidence that supports specific SOC 2 and ISO 27001 controls. Audit reports map each piece of evidence to the relevant control automatically.
What Gjall doesn't do — and why it matters.
We believe in being explicit about what our product can and cannot do. These are real limitations, not fine print.
Questions about our methodology?
We're happy to discuss our data sources, scoring logic, or AI model usage in detail.