Skip to content

ANNOUNCEMENT: Get Software Supply Chain Accountability with a Software Bill of Materials (SBOM). Learn More >>

Speak with an Expert



Product Security Assessments

Identify and prioritize vulnerabilities based on business impact, historical data, CVSS scores, threat intelligence, and live threat scenarios.

Identify vulnerabilities, orchestrate mitigation, and leverage critical data to manage your extended supply chain of IT and OT component risk.

Evaluate a given product’s capability and configurability to cybersecurity controls mapped to regulatory frameworks and weighted by product archetype and known vulnerability risk profile.

A formal evaluation of hardware or software based on inherent product risk, product security controls, and vulnerability risk profile. Over 50 procedures utilize open source intelligence to identify risks across risk management, cybersecurity, negative news, compliance, sentiment, financial, privacy and fourth-party. All results are documented with full-resolution screenshot evidence. The categories are assigned a risk score, from 0-100, based on assessment results or findings.

Use manual and semi-automated methods to identify, categorize, and document product vulnerabilities, security control configurations, and product components, performing quality assurance checks and manage the results in Fortress Platform.


Data driven risk evaluations and analyst assessments


Triage suppliers based on criticality


Continuous monitoring and remediation workflows


Configuration management, file authenticity assurance, remediation

Narrow the gap between vendor, asset, and product security management disciplines

Inherent product risk evaluates the potential for harm to products across the risk categories such as data/systems access, cloud, mobile, offshore, safety, grid reliability, security, compliance, and supply chain. The risk score for this section limits the potential for vulnerability and controls assessment scores to contribute to the overall risk score.

The Product Security Controls section evaluates 59 individual security controls in 10 different categories. The level of risk for each product security control is ranked based on potential impact in an IT/OT environment. Each control is mapped to control frameworks such as NERC CIP, NIST SP 800-53, NATF, and CIS. Each category is then given a score which is calculated based on each individual control score.

All of the categories are then averaged to provide an overall score for all Product Security Controls. Furthermore, the section can raise 5 different results for every control questions such as Default, Configurable, Not Present, Not Applicable, and Unknown. Configurable results are given further details based on product documentation on how to specifically configure a section to apply a security control. Not Present results are given a definition where impact for the lack of a specific control in the environment are detailed. The Vulnerability Risk Profile evaluates the product for known vulnerability and third-party vulnerabilities that may affect the product. The vulnerabilities are then analyzed to create a trend; whether the count is increasing, decreasing, or stable, and to create a timeline based on the vendor’s ability to respond to known vulnerabilities. The vendor is evaluated on its ability to notify, disclose, and remediate vulnerabilities found for the product.

Speak with an Expert

The Fortress Assessment team is made up of industry leaders with deep expertise in validated control assessments, TPRM, and certifications including CISA, CISSP, CompTIA Security+, and CTPRP.

Speak with an Expert

Learn how to upgrade your organization’s cyber supply chain diligence while advancing your digital transformation.