What is Endpoint Data?
Ingrid

The Desktop Software and Mobile Software risk vectors are considered endpoint data. These risk vectors are similar to Server Software, but apply to end-user systems that are using outdated (unsupported) operating systems or versions of web browsers. Newer versions of operating systems and web browsers typically address stability issues, bugs, and exploits.

Download the endpoint OS-browser versions (04-MAR-2026) list.

Use Cases for Endpoint Data
Identify devices that are at risk in order to apply system updates, apply software updates, and reduce an organization's attack surface.
Understand how devices at an insured are at risk from known vulnerabilities and other threats.
Verify questionnaire data from vendors. Example: Verify claims that their organization is free of a particular operating system.
Verify other contractual agreements with clients or vendors. Example: Verify that they've adhered to a policy of keeping end-user operating systems up to date.

Resources
Data Collection Methods
Software Support Life Cycle & End-of-Life Policy
User Count Thresholds for Grading Endpoint Risk Vectors
Desktop Software: Risk Vector Overview, Assessment, Finding Details, Graded OS, Graded Browsers, Desktop Software Finding Messages
Mobile Software: Risk Vector Overview, Assessment, Finding Details, Graded OS, Graded Browsers, Mobile Software Finding Messages

Frequently Asked Questions

How come I'm not observing any data for these risk vectors?
Worldwide Internet privacy legislation limits the geographical scope of data that can be gathered. We are continuously expanding the geographical scope of endpoint data in order to include information on operating systems and browsers for a larger set of countries.

How does my outdated guest network software affect these risk vectors?
Since data is externally collected, we are unable to determine if a network is being used for guest networks.
Guest networks are not differentiated from business networks and still pose a risk to an organization, even if they're completely segregated from the business networks.

Does endpoint data include Bring Your Own Device (BYOD)?
Connecting a personal device to a corporate network infrastructure is a risk and adds another potential surface of attack for a threat actor to gain access to company data and sensitive information.

Given the Meltdown flaw and Spectre (a CPU flaw that indirectly exposes sensitive information in the memory), we are continuing to see an increasing interest in endpoint data, as it helps to identify companies that have not yet implemented patches or updates to protect against the vulnerabilities.

March 13, 2026: OS & browsers list 04-MAR-2026 version.
January 8, 2026: OS & browsers list 17-DEC-2025 version.
December 12, 2025: OS & browsers list 3-DEC-2025 version.
November 18, 2025: OS & browsers list 5-NOV-2025 version.
July 21, 2025: OS & browsers list 19-JUL-2025 version.
July 15, 2025: OS & browsers list 10-JUL-2025 version.
July 8, 2025: OS & browsers list 03-JUL-2025 version.

15 comments

Nimitt Javeri, July 15, 2017 04:06
Very relevant feature esp. in context of present day risk environment.
Votes: 0

Andreas Tomek, July 18, 2017 12:29
How do you determine the risk?
Votes: 0

Betsy Ludsten, July 18, 2017 15:30
It looks like this would include BYOD as well, is that correct?
Votes: 0

Dhawal Shrivastava, July 21, 2017 07:51
Appears to be a great addition. Looking forward to actual data and its usefulness.
Votes: 0

Chuck Jones, February 06, 2018 17:13
How do you capture this information?
Votes: 1

David, February 15, 2018 14:39
Hi Chuck, Great question.
We have a data provider that has a vast network of sensors deployed throughout the internet that captures user-agent string data. These user-agent strings include both browser and operating system version as well as an IP address, which are then associated back to companies. These risk vectors do include BYOD and we believe they should. Connecting a personal device to corporate network infrastructure is a risk and adds another potential surface of attack for a threat actor to gain access to company data and sensitive information. Given the recent Meltdown and Spectre vulnerabilities, we are continuing to see an increasing interest in these risk vectors as they help to identify companies who have not yet implemented patches or updates to protect against the vulnerabilities. Please do let us know if you have any other questions!
Votes: 2

Steve Kurutz, April 03, 2018 13:20
Not a fan of this factor. We accommodate a guest network that uses an outbound IP address that is within our BitSight-detected block. We don't control our guests' choice of hardware and OS, and we aren't about to assign a wholly separate (not attributed to us) IP block to them so that their endpoints don't get included in our rating. We have controls on that network that severely restrict what can happen on these networks; no connections to our nonpublic internal systems, no peer-to-peer, restricted outbound protocols, etc. I have similar feelings toward the "desktop browser" and "desktop OS" ratings, although the volume of managed (internal) endpoints helps us keep the impact of guests minimal. Perhaps BitSight should consider allowing those of us who subscribe to the service to designate "guest" IP ranges that are treated separately?
Votes: 8

jason abbott, June 09, 2018 13:17
I completely agree with @Steve Kurutz, this factor for Mobile and Desktop software doesn't take into account the way we segregate and secure our guest networks.
There has to be a way to fix this factor to take these mitigating controls under consideration. I can't force guests to use current software or hardware, but I can keep them from accessing my internal devices.
Votes: 3

Betsy Ludsten, June 11, 2018 16:23
Also, being unable to identify which device is being scanned is wholly unhelpful-- anything on the guest network may never come back again, whereas with anything that is company owned, how are we supposed to find it? We use a standard image, which means that at any given time we have dozens to hundreds of very similar machines that access the network via the same visible IP addresses. Yes, they should all be up to date, but sometimes a scheduled browser upgrade push comes (far) behind an emergency zero day patching effort.
Votes: 3

John Umman, June 19, 2018 08:33
What is the decay off period for this issue type?
Votes: 0

Bhumika Anand, June 27, 2018 06:05
Will an MDM resolve this? Additionally, plus one on separate guest network part, visitors actually connect via this and these will definitely contribute to a ratings downgrade.
Votes: 0

Permanently deleted user, October 12, 2018 14:23
Information related to Compromised (Botnet, Torrent, etc) findings is misleading with regards to companies that provide GuestNet access. Guest Networks are, in effect, public and segregated from the main corporate network. Public, in that anyone can connect; there are no security control requirements around GuestNet access; and Segregated, in that these networks are completely isolated from the main corporate business network. The inability to suppress GuestNet access creates misleading and inaccurate results. The negative effect is a loss of credibility of your entire platform altogether. Happy to help improve this perception.
Votes: 0

Brian Mulligan, October 29, 2018 20:19
Hi Ainsley, Thanks for the feedback, we do not want the rating to be misleading. We've presently included guest wireless networks in the rating for a number of philosophical reasons.
1) We cannot externally validate the efficacy of the segmentation/segregation between guest networks and corporate networks.
2) Employees often join guest wifi networks specifically to circumvent security controls in place on corporate wifi and before rejoining the corporate wifi. To the extent that happens, the employee machines and data may be exposed to security issues in the guest wifi.
We are looking at ways we can enhance our communication of guest wifi information in the platform, please reach out to me, brian.mulligan@bitsighttech.com if you'd like to discuss further.
Votes: 0

Elaine Tiller, April 01, 2019 19:23
Hi Brian, We have the same concern with the usage of the guest network. How do you propose that companies offer a guest network and not get a bad rating in this category? In order for us to efficiently do business with third party visitors, we need to offer this service. It appears that those who have commented are nearly all in agreement. Thank you, Elaine T.
Votes: 0

Brian Mulligan, April 03, 2019 16:13
Hi Elaine, Many organizations create a self published company that excludes the infrastructure for their guest networks and designate it as their Primary Rating. We introduced the Primary Rating capability since the comment above (and in response to feedback like this) and it has become a popular way to improve communication around these kinds of issues.
Votes: 0
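
Added example (not part of the original article or its comments, and not the vendor's code): because these risk vectors are derived from user-agent strings tied to IP addresses, as David's reply above explains, an organization can run the same kind of check over its own egress proxy log and report guest and corporate ranges separately. The version baseline, the guest range 10.20.0.0/16, the log line format and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed minimum supported versions, constructed here (not the vendor's graded list).
MIN_OS = {"Windows NT": (10, 0), "Android": (13, 0), "iPhone OS": (17, 0)}
MIN_BROWSER = {"Edg": 120, "Firefox": 115, "Chrome": 120}
# Hypothetical guest Wi-Fi range, so guest and managed devices are counted apart.
GUEST_NET = ipaddress.ip_network("10.20.0.0/16")
OS_RE = re.compile(r"(Windows NT|Android|iPhone OS) (\d+)(?:[._](\d+))?")
LOG_RE = re.compile(r'^(\S+) "([^"]*)"\s*$')
# Constructed sample proxy log lines in the assumed format: source IP, quoted user-agent.
SAMPLE = [
    '10.1.4.23 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"',
    '10.20.7.9 "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.93 Mobile Safari/537.36"',
    '10.20.7.31 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"',
]


def outdated(ua):
    """Return the outdated OS and browser tokens found in one user-agent string."""
    found = []
    m = OS_RE.search(ua)
    if m:
        version = (int(m.group(2)), int(m.group(3) or 0))
        if version < MIN_OS[m.group(1)]:
            found.append(f"{m.group(1)} {version[0]}.{version[1]}")
    # Edge UAs also carry a Chrome token, so the most specific name is tried first.
    for name, minimum in MIN_BROWSER.items():
        b = re.search(rf"\b{name}/(\d+)", ua)
        if b:
            if int(b.group(1)) < minimum:
                found.append(f"{name} {b.group(1)}")
            break
    return found


def summarize(lines):
    """Count outdated findings per network segment; malformed lines are skipped."""
    counts = Counter()
    for m in filter(None, map(LOG_RE.match, lines)):
        segment = "guest" if ipaddress.ip_address(m.group(1)) in GUEST_NET else "corporate"
        for finding in outdated(m.group(2)):
            counts[(segment, finding)] += 1
    return counts


if __name__ == "__main__":
    print(sorted(summarize(SAMPLE).items()))
```

Splitting the counts by segment shows how much of an externally observed finding volume comes from guest devices rather than managed endpoints.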