Fourth Party Data Collection Methods

⇤ Network Mapping Process

Our fourth party data set is made up of inputs from qualitative and directly observed data.

Qualitative

Collected via Natural Language Processing of web scraped data with sources including documents from company websites, job postings, resumes, and government filings. This identifies service provider products based upon mentions in these sources. In general, we recommend using this data to drive prioritization and encourage validating any usage of a particular fourth party service provider that may be of concern.

Note that given the nature of source documents used to identify relationships, you might encounter third parties that are shown to have products, but no longer or have not used it. There may also be other organizations using the product that have not been identified by this approach.

This data can be found in your portfolio using the Service Provider / Products filter.

Directly Observed

Includes data extracted from certificate chains, SPF records, IP ranges, nameservers, embedded code snippets that reflect a specific product, and the like.

This identifies products that are exposed to the Internet. When products are detected using this method, there is greater confidence that the organization is using the product. However, exposing certain products to the Internet might not be standard practice. Therefore, the absence of this detection is not a guarantee that an organization is not using the product.

This data can be found in your portfolio using the Software filter.

Data Retention

Fourth Party observations are retained for 1 year following the last observation.

Example: A product is detected on February 1, 2024 and is never detected again. The data is removed the following year on February 1, 2025.