If you use SecurityScorecard for vendor risk management, you've probably run into a common challenge: you have a long list of vendors but no clear structure for monitoring them differently. Treating every vendor the same wastes time and creates alert fatigue, but manually tiering hundreds of vendors is tedious and hard to keep consistent.
The Vendor Tiering Agent handles that work for you. It uses SecurityScorecard's Predictive Business Impact model to recommend a tier for each vendor based on how much they could affect your business if something goes wrong, and walks you through each tier so you can confirm or adjust assignments before anything is finalized. Once you're done, it places vendors into the appropriate portfolios and sets up monitoring rules for each tier, so you're getting the right alerts for the right vendors without any extra configuration.
This feature is currently in Early Access. Learn how to turn it on for your organization here.
To access the Vendor Tiering Agent, go to Ask AI, or click the search bar at the top of your SecurityScorecard page, then select ChatSSC.
Step 1: Get started
Select the Vendor Tiering Agent and click Get Started. You will see a message showing how many vendor slots you have remaining.
Step 2: Add your vendors
If you already have vendors in SecurityScorecard, you can skip this step. If you are just getting started, choose one of the following options:
- Detect — automatically detects your vendors
- Upload CSV — upload a spreadsheet (.CSV format) of your vendors
Step 3: Agent recommends impact tiers
The agent evaluates each vendor using SecurityScorecard's Predictive Business Impact model and recommends a tier based on potential business impact.
Vendors are grouped into four tiers:
| Tier | What it means |
|---|---|
| Critical | Vendors whose compromise or failure would have an immediate, severe impact on your operations. These receive the closest monitoring. |
| High | Vendors that are important to operations but not immediately business-critical. These are still monitored closely. |
| Medium | Vendors with moderate exposure. These are monitored on a regular cadence. |
| Low | Vendors with limited impact if something goes wrong. These are monitored at a lighter level. |
The agent works through each tier one at a time, starting with Critical. For each tier, the Companies page opens, allowing you to review which vendors were assigned to that group.
You can change any vendor's tier before moving on. When you're satisfied with the assignments, click Continue to move to the next tier.
Note: If a vendor already has a tier assigned, the agent does not override it. For example, if a vendor is tagged as Medium but the agent recommends Critical, the Critical tier is flagged as a recommendation only. Your existing assignment remains unchanged.
After all tiers have been reviewed, you will see a summary showing how many vendors were assigned a business impact. Some vendors may not receive an impact assignment if there is not enough data to make a confident prediction. You can assign impact to those vendors manually later.
Step 4: Vendors sorted into portfolios
Working one tier at a time, the agent automatically assigns each vendor to a portfolio that matches its business-impact tier. The agent looks for an existing portfolio with the matching tier name and creates one if needed. After each portfolio is created or updated, it opens so you can see which vendors were added.
Step 5: Monitoring rules created
Once the portfolios are ready, the agent configures monitoring rules for each one based on business impact. The Rules page opens so you can review the rules and make any necessary adjustments.
From that point on, you will begin receiving alerts based on the monitoring set for each tier.