Cyber Insurance & Third-Party Risk

Score third-party infrastructure exposure, identify shared providers, and quantify supply-chain blast radius.

Updated May 2026

You're conducting non-intrusive external assessments of an organization's internet-facing infrastructure for underwriting or vendor risk scoring.

Quick Triage

External Posture Snapshot

Build a rapid profile of a company's external DNS and email infrastructure.

-- Infrastructure overview: registrar, nameservers, mail servers, SPF
MATCH (h:HOSTNAME {name: "stripe.com"})
OPTIONAL MATCH (h)-[:HAS_REGISTRAR]->(r:REGISTRAR)
OPTIONAL MATCH (ns:HOSTNAME)-[:NAMESERVER_FOR]->(h)
OPTIONAL MATCH (mx:HOSTNAME)-[:MAIL_FOR]->(h)
OPTIONAL MATCH (h)-[:SPF_INCLUDE]->(spf:HOSTNAME)
RETURN h.name,
       collect(DISTINCT r.name) AS registrar,
       collect(DISTINCT ns.name) AS nameservers,
       collect(DISTINCT mx.name) AS mailservers,
       count(DISTINCT spf) AS spf_includes

Sample output:

[{
  "h.name": "stripe.com",
  "registrar": ["iana:447"],
  "nameservers": ["ns-423.awsdns-52.com", "ns-705.awsdns-24.net"],
  "mailservers": ["aspmx.l.google.com"],
  "spf_includes": 1
}]

Tip: An SPF include count above 0 indicates the organization has published an email authorization policy. The presence of recognized cloud DNS providers (AWS Route53, Azure DNS, Google Cloud DNS) in nameservers is a positive hygiene signal.

Threat Exposure Check

Check whether any of a company's IPs are currently listed in threat feeds.

-- Threat feed hits for a domain's IPs
MATCH (h:HOSTNAME {name: "cloudflare.com"})
      -[:RESOLVES_TO]->(ip:IPV4)
OPTIONAL MATCH (ip)-[:LISTED_IN]->(f:FEED_SOURCE)
RETURN ip.name, collect(f.name) AS threat_feeds

Tip: Major cloud providers like Cloudflare and AWS host many customers — the fact that an IP is on their network says little about the specific customer. Focus on whether the specific hostname resolves to a threat-listed IP, not whether the CDN's overall address space has listings.

Hosting Provider Identification

Identify who is hosting a company's primary web infrastructure.

-- Hosting provider: domain -> IP -> BGP prefix -> ASN -> name
MATCH (h:HOSTNAME {name: "cloudflare.com"})
      -[:RESOLVES_TO]->(ip:IPV4)
      -[:ANNOUNCED_BY]->(ap:ANNOUNCED_PREFIX)
      -[:ROUTES]->(a:ASN)
      -[:HAS_NAME]->(n:ASN_NAME)
RETURN DISTINCT a.name AS asn, n.name AS provider LIMIT 5

Sample output:

[{"asn": "AS13335", "provider": "CLOUDFLARENET - Cloudflare, Inc."}]

Tip: Enterprise organizations typically host across 2-5 ASNs (primary CDN, cloud provider, legacy data center). Multiple ASNs with distinct providers indicate better infrastructure resilience.

Domain Threat Score

Get a standardized threat score for underwriting use.

-- Composite threat assessment for a domain
CALL explain("cloudflare.com")

Sample output:

[{
  "indicator": "cloudflare.com",
  "type": "domain",
  "found": true,
  "score": 4.05,
  "level": "INFO",
  "explanation": "cloudflare.com is listed in 2 threat feed(s). Score 4.1 (Informational - minimal risk)."
}]

Tip: The level field gives a normalized tier: NONE, INFO, LOW, MEDIUM, HIGH, CRITICAL. For automated underwriting rules, use level rather than the raw score — the tier boundaries are calibrated for human-readable risk language.
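
Added example (not part of the product documentation): one way to fold rows shaped like the four Quick Triage result sets into a single record, deciding on level rather than the raw score as the tip above recommends. The function name, the refer_at threshold, the nameserver markers and all sample rows are assumptions constructed for illustration.

```python
# Added example: merges rows shaped like the four Quick Triage result sets.
LEVELS = ["NONE", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # order from the tip
# Assumption: hostname fragments for the managed DNS providers named in the tip.
CLOUD_DNS_MARKERS = (".awsdns-", ".azure-dns.", ".googledomains.com")


def triage(posture, feed_rows, asn_rows, explain_row, refer_at="MEDIUM"):
    """Build one record per domain; refer_at is a hypothetical review threshold."""
    level = explain_row["level"]
    if level not in LEVELS:  # reject a tier this code does not know
        raise ValueError(f"unknown level: {level!r}")
    # OPTIONAL MATCH yields an empty list for IPs with no feed listing.
    listed = {r["ip.name"]: r["threat_feeds"] for r in feed_rows if r["threat_feeds"]}
    ns = posture["nameservers"]
    return {
        "domain": posture["h.name"],
        "spf_published": posture["spf_includes"] > 0,
        "cloud_dns": bool(ns) and all(any(m in n for m in CLOUD_DNS_MARKERS) for n in ns),
        "listed_ips": listed,  # evidence for the reviewer, not a decision input
        "distinct_asns": len({r["asn"] for r in asn_rows}),
        "level": level,
        # Decide on the tier, never on the raw score.
        "refer": LEVELS.index(level) >= LEVELS.index(refer_at),
    }


# Constructed sample rows (documentation IP and ASN ranges, made-up feed name).
POSTURE = {"h.name": "example.com", "registrar": ["iana:0"],
           "nameservers": ["ns-1.awsdns-01.com", "ns-2.awsdns-02.net"],
           "mailservers": ["mx.example.com"], "spf_includes": 1}
FEEDS = [{"ip.name": "192.0.2.10", "threat_feeds": []},
         {"ip.name": "192.0.2.11", "threat_feeds": ["Example Feed"]}]
ASNS = [{"asn": "AS64500", "provider": "EXAMPLE-CDN"},
        {"asn": "AS64501", "provider": "EXAMPLE-CLOUD"},
        {"asn": "AS64500", "provider": "EXAMPLE-CDN"}]
EXPLAIN = {"indicator": "example.com", "type": "domain", "found": True,
           "score": 4.05, "level": "INFO"}

if __name__ == "__main__":
    print(triage(POSTURE, FEEDS, ASNS, EXPLAIN))
```

The listed_ips field keeps only IPs the specific hostname resolves to that carry a feed listing, so a reviewer sees the evidence without it overriding the tier.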



Splunk equivalents

For third-party risk scoring inside Splunk, see Splunk Use Cases and the whisper_explain macro in Investigation Macros.