ZDaaS is SecurityScorecard’s continuous monitoring and early-warning service for emerging zero-day vulnerabilities that affect public, internet-facing systems.
When a new zero-day is identified, ZDaaS issues a validated report that includes:
- Affected products and versions
- Impacted vendors in your monitored portfolio
- Remediation or mitigation guidance
- Confidence ratings showing the level of endpoint validation
2. Why is ZDaaS needed if SecurityScorecard already scans for vulnerabilities?
When a new zero-day vulnerability is disclosed, there is a gap between when it becomes publicly known and when SecurityScorecard’s platform scanners are updated to detect it. During this gap, vendors in your portfolio may be exposed without your visibility.
SecurityScorecard’s platform scanners are designed to be safe and non-intrusive so they can collect data continuously without triggering defensive shutdowns by ISPs. Because of that, they require time to update CVE detection logic.
ZDaaS fills this gap by operating independently, using specialized scanners and manual validation methods to enable faster, more intrusive testing of internet-facing endpoints. This gives you visibility hours or days before standard platform coverage.
3. How does ZDaaS identify and validate vulnerabilities?
ZDaaS analysts monitor:
- SecurityScorecard platform data
- External open-source intelligence and vulnerability feeds (NVD, CVE Details, threat intel forums)
Once a potential zero-day is identified, analysts and DFIR specialists:
- Use custom-built validation scripts and virtual machines for safe, legal endpoint testing
- Confirm version exposure on real, public endpoints
- Attribute endpoints to specific vendors
- Assign a confidence level (High / Medium / Low) based on validation depth
4. What types of vulnerabilities does ZDaaS report on?
ZDaaS focuses exclusively on internet-facing zero-day vulnerabilities that meet all four of these criteria:
- Likely to be exploited or have proof-of-concepts available
- Affect software used across large vendor ecosystems
- Critical severity (CVSS ≥ 9.0) or high exploitation potential
- Can be safely validated externally
5. What information is included in a ZDaaS report?
Each report includes:
- Analyst Overview: Description of the zero-day, exploitation context, and affected products
- Vulnerability Scope: Products and versions affected, CVSS scores, and attack chains
- Indicators of Compromise (IOCs): Network and filesystem indicators seen in exploitation
- Remediation Measures: Patch references, mitigations, and configuration steps
- Vendor Attribution List: Vendors in your portfolio running vulnerable systems
- Confidence Ratings: Validation accuracy for each finding (High, Medium, or Low)
6. How should I use this report?
ZDaaS reports support three workflows:
- Internal security. Prioritize patching or containment for your own assets.
- Vendor risk management. Review the list of vendors attributed to vulnerable systems, engage with those vendors to confirm patching or mitigation, and document responses and update risk statuses in your platform.
- MAX Platinum customers. The SecurityScorecard team contacts affected vendors directly on your behalf to coordinate faster remediation.
7. How often are ZDaaS reports released?
ZDaaS is event-driven, not scheduled. Reports are published whenever a new zero-day emerges that meets impact and exploitation criteria, typically within hours of discovery.
8. How does ZDaaS help my organization?
- Early warning. Gain visibility before public advisories or mass exploitation.
- Reduced risk exposure. Patch or mitigate faster than threat actors can exploit.
- Supply chain protection. Identify impacted vendors across your ecosystem.
- Actionable intelligence. Receive clear guidance, not just raw data.
- Improved platform accuracy. Findings enhance your existing MAX and SecurityScorecard data.
9. What is the “Confidence Level” in my report?
The confidence level indicates how certain the ZDaaS team is that a given endpoint or vendor is impacted:
| Confidence | Description |
|---|---|
| High | Endpoint directly validated as vulnerable using multiple data sources and scan confirmations. |
| Medium | Product confirmed, but specific endpoint details could not be fully verified. |
| Low / Advisory | Product or vendor potentially affected, but validation could not be performed at the endpoint level. Used for situational awareness. |
10. Is ZDaaS legal and safe for my organization?
Yes. ZDaaS scanning and validation techniques comply with applicable laws and are limited to public, internet-facing endpoints. No private networks are probed, and no terms of service are violated.
11. How do I escalate findings or get help engaging vendors?
If you are a MAX Platinum customer, your SecurityScorecard MAX Team coordinates directly with vendors on your behalf. For all other customers, your account manager can help with:
- Reviewing report findings
- Preparing vendor communications
- Explaining mitigation priorities
12. Why do I see a ZDaaS / MAX “BOT” account in my SecurityScorecard instance?
The ZDaaS/MAX BOT account is a dedicated account that pulls the most current vendor lists from your monitored portfolios so the ZDaaS team can accurately compare your portfolio against validated ZDaaS findings. You should expect to see this account in your instance as a standard part of the service.
Why does the BOT require Admin privileges?
Admin-level visibility allows the account to read all portfolios in your instance. With lower permission levels, the account can only view the portfolios it created, which can lead to incomplete vendor coverage and inaccurate comparisons.
Why do we use a BOT account for this process?
A dedicated BOT account ensures your ZDaaS coverage is:
- Complete: All portfolios are included, regardless of who created them
- Timely: Vendor lists can be pulled quickly during time-sensitive zero-day events
- Continuous: The vendor list used in ZDaaS comparisons reflects what you are currently monitoring in the platform