
Use Case

Risk scores that map to your actual posture — not a generic benchmark

Clarito scores each vendor against the specific risk thresholds your team has defined. A score of 74 means something, because it's measured against your accepted posture, not an industry average.


The Problem

Why generic risk scores aren't enough

Benchmarks aren't your posture

External scoring services compare vendors to an industry-average benchmark. But a fintech's acceptable data handling threshold differs from a logistics company's. Your accepted posture for a Tier 1 data processor is different from your standard SaaS vendor. Generic benchmarks don't model your risk tolerance — they model everyone's.

No drill-down by domain

A single composite number can hide structurally different risk profiles. Two vendors both scoring 65, one with a weak incident response plan and the other with weak data handling controls, do not carry the same risk: each requires a different remediation conversation with a different team. You need the domain breakdown to know which problem you're actually dealing with.

Black-box scoring

Some vendor scoring services produce a number with no traceable methodology. When a regulator or internal auditor asks why you approved a vendor with a 61 composite score, "the scoring service rated them acceptable" is not a defensible answer. You need the specific control findings — what was assessed, what was passing, what was flagged, and who made the final call.

How Clarito Scores

Traceable scores against your defined posture

Define posture templates per vendor tier

Set minimum thresholds for each control domain based on the vendor's tier: critical (core data processors), standard (operational vendors), low-risk (peripheral services). A critical vendor needs stronger access controls than a low-risk one — Clarito reflects that.

Per-domain scoring with severity flags

Every composite score breaks down into domain scores — Access Control, Data Handling, Incident Response, Business Continuity. Gaps are rated high / medium / low based on which controls are missing and how critical they are to your posture definition.

posture-template.json
{
  "tier": "standard",
  "min_composite": 65,
  "domain_thresholds": {
    "access_control": 70,
    "data_handling": 75,
    "incident_response": 60,
    "business_continuity": 55
  },
  "auto_approve_below": false
}
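A worked example, added here and not Clarito's own code, of scoring a constructed vendor assessment against the standard-tier template above so that every flag traces to a named domain threshold. Equal domain weighting, the shortfall-based severity rule, and the reading of auto_approve_below as "approval allowed without human sign-off" are assumptions, not the product's documented behaviour.

```python
import json
from statistics import mean

# The standard-tier posture template shown on this page (posture-template.json).
POSTURE_TEMPLATE = json.loads("""{"tier": "standard", "min_composite": 65,
  "domain_thresholds": {"access_control": 70, "data_handling": 75,
                        "incident_response": 60, "business_continuity": 55},
  "auto_approve_below": false}""")

# Constructed assessment for a hypothetical vendor (sample data, not a real vendor).
SAMPLE_VENDOR = {"vendor": "example-saas-vendor",
                 "domain_scores": {"access_control": 72, "data_handling": 58,
                                   "incident_response": 64, "business_continuity": 58}}

def rate_gap(shortfall: int) -> str:
    """Assumed severity rule: how far the domain score falls below its threshold."""
    if shortfall >= 15:
        return "high"
    return "medium" if shortfall >= 5 else "low"

def score_vendor(vendor: dict, template: dict) -> dict:
    """Score one vendor against a posture template; each finding names the threshold it failed."""
    thresholds = template["domain_thresholds"]
    scores = vendor["domain_scores"]
    missing = sorted(set(thresholds) - set(scores))
    if missing:  # an unassessed domain is missing evidence, never an implicit pass
        raise ValueError(f"assessment lacks domains: {missing}")
    composite = mean(scores[d] for d in thresholds)  # assumption: equal domain weighting
    findings = [{"domain": d, "score": scores[d], "threshold": t,
                 "severity": rate_gap(t - scores[d])}
                for d, t in thresholds.items() if scores[d] < t]
    if findings or composite < template["min_composite"]:
        decision = "flag_for_review"          # the finding names the gap, not just a number
    elif template["auto_approve_below"]:      # assumed meaning: approval allowed without sign-off
        decision = "auto_approve"
    else:
        decision = "approve_pending_signoff"  # meets posture, but a person makes the final call
    return {"vendor": vendor["vendor"], "tier": template["tier"], "composite": composite,
            "findings": findings, "decision": decision}

if __name__ == "__main__":
    print(json.dumps(score_vendor(SAMPLE_VENDOR, POSTURE_TEMPLATE), indent=2))
```

The sample vendor clears three of the four domains but misses data_handling by 17 points, so the output carries one high-severity finding against that domain rather than an unexplained composite of 63.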

We finally have a risk score that our CTO understands because it traces back to actual control gaps, not a black-box number from an external service.

Kenji Watanabe

Director of Information Security — Mid-market SaaS platform

Score vendors against your posture, not an industry average

Request access and define your first accepted posture template. We'll walk through your tier structure together on the first session.
