A complete, transparent breakdown of how the NIS2 Engine assesses supply chain risk entirely from the outside-in.
Every security assessment performed by the NIS2 Compliance Engine is passive: we observe only what is publicly visible on the open internet, using the same requests any browser, email server or search engine makes (DNS lookups, TLS handshakes and unauthenticated HTTP GET requests). We never interact with a vendor's internal systems, attempt authentication, or send any form of payload.
This approach is legally equivalent to reading a company's publicly listed phone number. We are not knocking on the door — we are reading the sign outside it.
Passive external reconnaissance of publicly accessible infrastructure is universally recognized as lawful under:
Your organization, as our client, initiates these assessments under your legal right and contractual obligation to perform third-party vendor due diligence. You confirm this authorization when adding each vendor domain to your account.
We query the public Domain Name System — the same system your browser uses every time you visit a website.
Checks performed:
A DMARC policy of p=none means that even when a message fails SPF or DKIM alignment, the receiving server takes no action; it only reports.

Publicly trusted SSL/TLS certificates issued since browsers began requiring Certificate Transparency (Chrome has enforced this for certificates issued from 2018) are recorded in public, append-only CT logs operated by Google, Cloudflare and other log operators. RFC 6962 specifies the log format and auditing model; the obligation to log comes from the browser root programs rather than from law, and once a certificate is submitted it cannot be removed from a log.
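The Certificate Transparency lookup described above, as an added example (not the Engine's own code): it reads JSON entries in the shape crt.sh returns for `https://crt.sh/?q=%25.<domain>&output=json`, folds wildcard names into their zone, marks hosts whose every logged certificate has expired, and flags non-production labels. The crt.sh field names and timestamp format, the NONPROD_LABELS set, the fictional domain vendor.example and the sample entries are this example's assumptions.

```python
"""Hostname inventory from Certificate Transparency data.

Added example, not the NIS2 Engine's own code. It consumes entries in the
shape crt.sh returns for https://crt.sh/?q=%25.<domain>&output=json (a JSON
list of objects with name_value, not_before, not_after and issuer_name), then
normalises names, folds wildcards into their zone, marks hosts whose every
logged certificate has expired, and flags non-production labels.
The NONPROD_LABELS set and the sample data are assumptions.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Labels that often mark forgotten or weaker environments (assumed list).
NONPROD_LABELS = {"dev", "staging", "stage", "test", "uat", "old", "legacy", "beta", "qa"}


def fetch_ct_entries(domain, timeout=30.0):
    """Live query of crt.sh for every logged certificate naming *domain* or a subdomain.
    Network call; the offline example below uses constructed entries instead."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-inventory-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _ct_time(value):
    # crt.sh timestamps are ISO 8601 without a zone designator; they are UTC.
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def hostnames_from_ct(entries, domain, now):
    """Map each hostname under *domain* to {"certs": n, "expired": bool, "nonprod": bool}.

    "expired" is True only when none of the host's logged certificates is still
    valid at *now*; that is how an abandoned staging host shows up in CT data.
    """
    domain = domain.lower()
    suffix = "." + domain
    hosts = {}
    for entry in entries:
        still_valid = _ct_time(entry["not_after"]) > now
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]             # wildcard: tells us about the zone, not one host
            if name != domain and not name.endswith(suffix):
                continue                    # certificate also names an unrelated domain
            rec = hosts.setdefault(name, {"certs": 0, "expired": True, "nonprod": False})
            rec["certs"] += 1
            if still_valid:
                rec["expired"] = False
            labels = name[: -len(suffix)].split(".") if name != domain else []
            rec["nonprod"] = any(label in NONPROD_LABELS for label in labels)
    return hosts


def review_candidates(hosts):
    """Hostnames worth a manual look: non-production labels or only expired certificates."""
    return sorted(name for name, rec in hosts.items() if rec["nonprod"] or rec["expired"])


# Constructed sample in crt.sh's JSON shape (not real log data).
SAMPLE_ENTRIES = [
    {"name_value": "vendor.example\nwww.vendor.example", "not_before": "2024-03-01T00:00:00",
     "not_after": "2025-03-01T00:00:00", "issuer_name": "C=US, O=Example CA"},
    {"name_value": "staging.vendor.example", "not_before": "2021-06-01T00:00:00",
     "not_after": "2022-06-01T00:00:00", "issuer_name": "C=US, O=Example CA"},
    {"name_value": "*.vendor.example", "not_before": "2024-01-01T00:00:00",
     "not_after": "2025-01-01T00:00:00", "issuer_name": "C=US, O=Example CA"},
    {"name_value": "vendor.example\nshared-cdn.other.example", "not_before": "2024-06-01T00:00:00",
     "not_after": "2024-12-01T00:00:00", "issuer_name": "C=US, O=Example CA"},
]
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    inventory = hostnames_from_ct(SAMPLE_ENTRIES, "vendor.example", NOW)
    for host in review_candidates(inventory):
        print(host, inventory[host])
```

On the sample, staging.vendor.example is the only candidate: its one certificate expired in 2022 and its label is non-production, exactly the kind of host that outlives the team that built it. Names on shared certificates that belong to other domains are dropped rather than reported, since they say nothing about the vendor.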
Checks performed:
Subdomains such as dev.vendor.com, staging.vendor.com or old.vendor.com that may have weaker security than the primary domain.

We establish standard HTTPS connections, identical to what your browser does, and observe what the server presents.
Checks performed:
We make standard HTTP GET requests to the vendor's primary domain, identical to what happens when anyone visits their website in a browser. Each check is a single unauthenticated GET with no payload.
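The response-header checks on that GET, as an added example (not the Engine's code): header_findings() takes the final URL after redirects and the raw header list and returns labels that match the penalty table rows. The fetch_home_page() helper, the sample headers for the fictional vendor.example, and the thresholds (an HSTS max-age of 0 counts as missing; a "/digit" pattern in the Server header counts as version disclosure) are this example's own choices.

```python
"""Security-header findings from a vendor's home page response.

Added example, not the NIS2 Engine's code. Given the final URL after redirects
and the raw response headers, it returns the finding labels used in the penalty
table for the header-related rows. Treating an HSTS max-age of 0 as missing,
and the version-number pattern for the Server header, are this example's choices.
"""
import re
import urllib.request

# Headers whose absence maps to a penalty-table row (HSTS is handled separately).
# Note that Content-Security-Policy-Report-Only does not count: it enforces nothing.
REQUIRED_HEADERS = {
    "content-security-policy": "Missing CSP header",
    "x-frame-options": "Missing X-Frame-Options",
    "x-content-type-options": "Missing X-Content-Type-Options",
    "referrer-policy": "Missing Referrer-Policy",
    "permissions-policy": "Missing Permissions-Policy",
}
_VERSION_IN_SERVER = re.compile(r"/\d")  # "nginx/1.18.0", "Apache/2.4.41"; bare "nginx" passes
_HSTS_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.I)


def fetch_home_page(domain, timeout=15.0):
    """One unauthenticated GET to http://<domain>/, following redirects.
    Returns (final_url, [(name, value), ...]). Network call; not used offline below."""
    req = urllib.request.Request(f"http://{domain}/", headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), list(resp.getheaders())


def header_findings(final_url, headers):
    """Return penalty-table finding labels for one captured response.

    *headers* is the raw (name, value) list so that repeated Set-Cookie lines survive;
    header names are compared case-insensitively as HTTP requires.
    """
    single, cookies = {}, []
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)
        else:
            single.setdefault(key, value)

    findings = []
    if not final_url.lower().startswith("https://"):
        findings.append("No HTTPS redirect")

    # HSTS only counts when it actually pins HTTPS; max-age=0 tells browsers to forget it.
    age = _HSTS_MAX_AGE.search(single.get("strict-transport-security", ""))
    if age is None or int(age.group(1)) == 0:
        findings.append("Missing HSTS header")

    for key, label in REQUIRED_HEADERS.items():
        if key not in single:
            findings.append(label)

    # "*" lets a page on any origin read this response from the browser.
    if single.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Wildcard CORS policy")

    if _VERSION_IN_SERVER.search(single.get("server", "")):
        findings.append("Server version disclosed")

    # A cookie sent over plaintext (no Secure) or readable by script (no HttpOnly).
    for cookie in cookies:
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            findings.append("Cookie missing security flags")
            break
    return findings


# Constructed response headers for a fictional vendor (not captured from a real site).
SAMPLE_FINAL_URL = "https://vendor.example/"
SAMPLE_HEADERS = [
    ("Server", "nginx/1.18.0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in header_findings(SAMPLE_FINAL_URL, SAMPLE_HEADERS):
        print(finding)
```

The raw header list is kept rather than a dict because Set-Cookie is the one header that legitimately repeats, and the weak cookie is usually not the first one; collapsing to a dict would hide it.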
Checks performed:
Are well-known sensitive paths such as /admin, /.env or /phpmyadmin publicly accessible?

We cross-reference the vendor's public IP address and domain against multiple free, public threat intelligence databases.
Checks performed:
We combine the DNS findings (SPF, DMARC and DKIM) to produce an overall email security grade. One caveat applies to DKIM: its public key is published under a selector the sender chooses (selector._domainkey.vendor.com), so an external check can only probe common selectors, and a vendor using an unusual selector may appear to have no DKIM.
Assessment covers:
Grading:
SPF -all + DMARC p=reject + DKIM present

We want to be unambiguous about the boundaries of our scanning:
Scoring is entirely deterministic. The same domain scanned twice under identical conditions will always produce the same score. There is no subjective judgment in the numeric score.
We begin at 100 points and apply deductions based on a fixed penalty table. Each deduction corresponds to a specific, verifiable finding. The penalty table is publicly documented and does not change between scans.
The AI component of our platform — powered by Google Gemini — is used exclusively to write the plain-English narrative sections of your report. It does not calculate, adjust, or influence the numeric score in any way. The score is always the output of deterministic Python code applied to raw scan data.
This design ensures your score is legally defensible and reproducible. If a regulator questions a finding, you can point to the exact data source and the exact penalty rule that produced it.
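The email grading and the deterministic scoring described above, as one added example (not the Engine's code): it parses SPF, DMARC and DKIM TXT records, emits the finding labels used in the penalty table, and applies the published penalties from 100 downwards. Only the top tier (SPF -all with DMARC p=reject and DKIM present) comes from the page; the lower grade tiers, the DKIM selector list, the floor at zero, the fictional domain vendor.example and its sample zone are this example's assumptions.

```python
"""Email-authentication grade and deterministic score from public DNS.

Added example, not the NIS2 Engine's code. It parses SPF, DMARC and DKIM TXT
records, emits the finding labels used in the penalty table, and applies the
published penalties from 100 downwards. Only the top tier, SPF -all with
DMARC p=reject and DKIM present, is the page's definition; the lower tiers,
the DKIM selector list, the floor at zero and the sample zone are assumptions.
"""
import re

# Email rows copied from the published penalty table.
PENALTIES = {
    "SPF softfail (~all)": 15,
    "DMARC policy=none": 15,
    "No DMARC record": 15,
    "No DKIM found": 5,
}

# DKIM keys live at <selector>._domainkey.<domain>; the selector is the sender's choice,
# so an outside scan can only probe common ones (assumed list).
DKIM_SELECTORS = ("default", "selector1", "selector2", "google", "k1", "dkim", "mail", "s1")

_SPF_ALL = re.compile(r"(?:^|\s)([-~?+]?)all(?:\s|$)", re.I)


def spf_all_qualifier(txt_records):
    """Qualifier on the SPF 'all' term: '-' fail, '~' softfail, '?' neutral, '+' pass; None = no SPF.
    A record with no 'all' term defaults to neutral (RFC 7208), so it is reported as '?'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    m = _SPF_ALL.search(spf[0])
    if m is None:
        return "?"
    return m.group(1) or "+"


def dmarc_policy(txt_records):
    """The DMARC 'p' tag ('none', 'quarantine', 'reject'), or None when no record exists."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
            return tags.get("p", "none").strip().lower()
    return None


def dkim_present(domain, resolve):
    """True if any common selector publishes a key (DKIM records carry a p= tag)."""
    return any("p=" in r for sel in DKIM_SELECTORS for r in resolve(f"{sel}._domainkey.{domain}"))


def assess_email(domain, resolve):
    """*resolve(name)* returns the TXT strings for a name, [] when it does not exist."""
    spf = spf_all_qualifier(resolve(domain))
    dmarc = dmarc_policy(resolve(f"_dmarc.{domain}"))
    dkim = dkim_present(domain, resolve)

    findings = []
    if spf == "~":
        findings.append("SPF softfail (~all)")
    if dmarc is None:
        findings.append("No DMARC record")
    elif dmarc == "none":
        findings.append("DMARC policy=none")
    if not dkim:
        findings.append("No DKIM found")

    if spf == "-" and dmarc == "reject" and dkim:
        grade = "A"                       # the page's top tier
    elif spf == "-" and dmarc == "quarantine" and dkim:
        grade = "B"                       # assumed tiers from here down
    elif spf is not None and dmarc is not None:
        grade = "C"
    elif spf is not None or dmarc is not None:
        grade = "D"
    else:
        grade = "F"
    # Findings are sorted so the same zone always yields the same output.
    return {"spf_all": spf, "dmarc_p": dmarc, "dkim": dkim, "grade": grade, "findings": sorted(findings)}


def score(findings, table=PENALTIES):
    """100 minus the published penalty for every finding; a finding absent from the
    table raises KeyError on purpose, so nothing is scored without a documented rule."""
    return max(0, 100 - sum(table[f] for f in findings))


def dict_resolver(zone):
    """Offline stand-in for DNS TXT lookups; unknown names resolve to [] like NXDOMAIN."""
    return lambda name: list(zone.get(name.lower().rstrip("."), []))


# Constructed zone for a fictional vendor (the DKIM key value is a placeholder).
SAMPLE_ZONE = {
    "vendor.example": ["v=spf1 include:_spf.mail.example ~all", "google-site-verification=abc"],
    "_dmarc.vendor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor.example"],
    "selector1._domainkey.vendor.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"],
}

if __name__ == "__main__":
    result = assess_email("vendor.example", dict_resolver(SAMPLE_ZONE))
    print(result, "score:", score(result["findings"]))
```

The resolver is injected so the same logic runs against a dictionary in tests and against real DNS in production; with dnspython, a resolver is a function that calls dns.resolver.resolve(name, "TXT"), joins each answer's .strings, and returns [] on NXDOMAIN or NoAnswer. Keeping the penalty lookup strict (KeyError rather than a default of 0) is what makes the score auditable: every deduction must trace to a row in the published table.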
| Finding | Penalty | NIS2 Article |
|---|---|---|
| Expired SSL certificate | -40 | 21.2(g) |
| Google Safe Browsing flagged | -40 | 21.2(e) |
| Active data breach detected | -35 | 21.2(e) |
| Critical CVE on public infrastructure | -35 | 21.2(d) |
| Zone transfer possible | -30 | 21.2(d) |
| Exposed database port | -30 | 21.2(d) |
| Self-signed certificate | -30 | 21.2(g) |
| TLS 1.0 enabled | -25 | 21.2(g) |
| Wildcard CORS policy | -25 | 21.2(j) |
| TLS 1.1 enabled | -20 | 21.2(g) |
| No HTTPS redirect | -20 | 21.2(j) |
| Missing HSTS header | -15 | 21.2(j) |
| Missing CSP header | -15 | 21.2(f) |
| SPF softfail (~all) | -15 | 21.2(a) |
| DMARC policy=none | -15 | 21.2(a) |
| No DMARC record | -15 | 21.2(a) |
| High CVE on infrastructure | -15 | 21.2(d) |
| Exposed admin panel | -12 | 21.2(f) |
| Error page stack trace leak | -12 | 21.2(f) |
| No DNSSEC | -10 | 21.2(d) |
| No CAA records | -10 | 21.2(g) |
| Certificate expiring within 30 days | -10 | 21.2(g) |
| Missing X-Frame-Options | -5 | 21.2(f) |
| Missing X-Content-Type-Options | -5 | 21.2(f) |
| Missing Referrer-Policy | -5 | 21.2(f) |
| Missing Permissions-Policy | -5 | 21.2(f) |
| No DKIM found | -5 | 21.2(a) |
| Server version disclosed | -5 | 21.2(f) |
| Cookie missing security flags | -5 | 21.2(f) |
| TLS 1.3 not supported | -5 | 21.2(g) |
| Residential IP hosting | -5 | 21.2(d) |
We believe in complete transparency about what automated scanning cannot detect:
For comprehensive NIS2 compliance, automated scanning should be used alongside — not as a replacement for — contractual security requirements, vendor questionnaires, and periodic manual review for critical suppliers.
Raw scan data is retained for 24 months to support audit trail requirements. PDF reports are retained indefinitely in your account. You may request deletion of all data associated with your account at any time by contacting us.
If you are a vendor and believe your domain has been incorrectly assessed, contact us at methodology@yourdomain.com. We will respond within 5 business days.