What it is
External posture monitoring scans a vendor's public domain from the outside — the same vantage point an attacker has — and grades how well the vendor protects email and web traffic. It's a lightweight, no-questionnaire-required signal of a vendor's security hygiene that you can collect on every vendor automatically. The approach is similar to SecurityScorecard or BitSight, scoped to the checks TATER can verify directly and at no extra cost.
What gets checked
- SPF record — is a Sender Policy Framework record published? (Without SPF, receiving mail servers have no list of hosts authorised to send for the domain, so phishing that forges the vendor's address is harder for them to reject. SPF on its own only covers the envelope sender, which is why the DMARC check matters as well.)
- DMARC policy — is DMARC published, and how strong is it? p=reject is the strongest; quarantine or none is weaker and counts as a warning.
- TLS certificate — does the site serve a valid certificate over HTTPS, who issued it, and how many days until it expires? An expired or near-expiry cert is a red flag.
- HSTS — does the site enforce HTTPS via HTTP Strict Transport Security?
Each check contributes to a weighted 0-100 score (TLS and DMARC weigh most) that maps to a letter grade A-F. Checks that can't run (for example a domain that doesn't resolve to a public address) are skipped, not counted against the vendor.
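As an added illustration (example code, not TATER's own scanner), here is one way the four checks can be evaluated and folded into a weighted score and letter grade. The weights, the grade cut-offs and the 30-day near-expiry threshold are assumptions: the page states only that TLS and DMARC weigh most and that a score under 60 is failing. The DMARC check goes one step beyond the page by also treating a reject policy limited by a pct tag as the weaker case. The DNS, certificate and header observations are constructed inline, in the shapes a fetcher would return, so the example runs offline.

```python
"""Added illustration of the checks and scoring: takes DNS, certificate and
HTTP-header observations a fetcher has already collected and turns them into
per-check results, a weighted 0-100 score and a letter grade."""
import ssl
from datetime import datetime, timezone

# Assumed weights and cut-offs; the page says only that TLS and DMARC weigh
# most and that a score under 60 is failing.
WEIGHTS = {"spf": 15, "dmarc": 30, "tls": 35, "hsts": 20}
CREDIT = {"pass": 1.0, "warn": 0.5, "fail": 0.0}   # "skip" is left out of the weighting
GRADE_CUTOFFS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))


def check_spf(apex_txt_records):
    """SPF is a TXT record at the domain apex that starts with v=spf1."""
    return "pass" if any(r.lower().startswith("v=spf1") for r in apex_txt_records) else "fail"


def parse_dmarc(dmarc_txt_records):
    """Tag=value pairs of the first v=DMARC1 record (published at _dmarc.<domain>), or None."""
    for record in dmarc_txt_records:
        if record.lower().startswith("v=dmarc1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def check_dmarc(dmarc_txt_records):
    """p=reject applied to all mail is full credit; quarantine, none, or a
    reject policy limited by pct is the weaker (warning) case."""
    tags = parse_dmarc(dmarc_txt_records)
    if tags is None:
        return "fail"
    policy = tags.get("p", "none").lower()
    if policy == "reject" and tags.get("pct", "100") == "100":
        return "pass"
    if policy in ("reject", "quarantine", "none"):
        return "warn"
    return "fail"  # unrecognised policy token: treat as unprotected


def check_tls(cert, now):
    """cert is None when no HTTPS connection could be made (check skipped),
    {"error": ...} when the handshake failed verification, otherwise the dict
    ssl.SSLSocket.getpeercert() returns for the verified leaf certificate."""
    if cert is None:
        return "skip"
    if "error" in cert:
        return "fail"
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).total_seconds() / 86400
    if days_left <= 0:
        return "fail"
    return "warn" if days_left < 30 else "pass"   # 30-day warning window is assumed


def check_hsts(headers):
    """headers is None when no HTTP response was received (check skipped)."""
    if headers is None:
        return "skip"
    return "pass" if any(n.lower() == "strict-transport-security" for n in headers) else "fail"


def score(results):
    """Weighted 0-100 score over the checks that ran; None if none could run."""
    counted = {name: status for name, status in results.items() if status != "skip"}
    if not counted:
        return None
    total = sum(WEIGHTS[name] for name in counted)
    earned = sum(WEIGHTS[name] * CREDIT[status] for name, status in counted.items())
    return int(100 * earned / total + 0.5)   # round half up


def grade(points):
    if points is None:
        return None
    for cutoff, letter in GRADE_CUTOFFS:
        if points >= cutoff:
            return letter
    return "F"


def assess(apex_txt, dmarc_txt, cert, headers, now):
    checks = {"spf": check_spf(apex_txt), "dmarc": check_dmarc(dmarc_txt),
              "tls": check_tls(cert, now), "hsts": check_hsts(headers)}
    points = score(checks)
    return {"checks": checks, "score": points, "grade": grade(points)}


# Constructed observations for three made-up vendors; the scan date is fixed
# so the expiry arithmetic is repeatable.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
STRONG = assess(["v=spf1 include:_spf.mail.example -all", "site-verification=abc123"],
                ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"],
                {"notAfter": "Apr 14 23:59:59 2026 GMT"},
                {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, NOW)
WEAK = assess(["site-verification=abc123"],                      # no SPF at all
              ["v=DMARC1; p=none; rua=mailto:dmarc@vendor-b.example"],
              {"notAfter": "Jun 13 12:00:00 2025 GMT"},         # 12 days left
              {"Content-Type": "text/html"}, NOW)                # no HSTS
UNREACHABLE = assess(["v=spf1 -all"], ["v=DMARC1; p=quarantine"], None, None, NOW)
```

The skipped-check rule shows up in the third vendor: the web checks never ran, so the score is computed over SPF and DMARC alone (67, D) instead of being dragged down by two zeros. When a real scanner feeds this, the TXT records come from the apex and from _dmarc.<domain>, the certificate dict from a verified TLS handshake, and the headers from the HTTPS response the same connection returns.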
Scanning a vendor
- Open Vendors (Assets group) in TATER Security and click a vendor to open its detail page.
- Make sure the vendor has a Website on record (External Posture uses the website domain).
- Click 🔍 Scan Posture in the header. Within a few seconds the External Security Posture card shows the grade, score, scanned domain, and a per-check breakdown.
Continuous monitoring
A nightly sweep automatically re-scans every vendor that has a website, so the posture grade and the certificate-expiry watch stay current without anyone clicking a button. New vendors are picked up on the next nightly run; you can always trigger an immediate scan with the button.
Fleet view & reporting
- Insights → Vendor External Posture shows the grade distribution across all your vendors, average score, how many are failing (score under 60), and which vendor certificates expire within 30 days.
- External posture is stored on the vendor record (externalPostureScore, externalPostureGrade), so it travels with the vendor in vendor risk reviews and exports.
For AI agents (MCP)
Two MCP tools let an AI assistant fold external posture into a vendor risk review:
- get_vendor_posture (read) — returns the latest grade/score and per-check results across vendors.
- scan_vendor_posture (write, Admin) — triggers a fresh scan of a specific vendor's domain.
Security & limits
- Scans only probe public domains. Domains that resolve to private, loopback, link-local, or carrier-grade-NAT addresses are rejected before any connection is made (SSRF protection) — so the scanner can't be pointed at your internal network.
- The scan is non-intrusive and lightweight: DNS lookups for the SPF and DMARC records plus a single HTTPS request, which is enough to read the certificate and the HSTS header. It does not log in, submit forms, or probe for vulnerabilities.
- External posture is one input to vendor risk — combine it with questionnaires, SOC 2 / ISO certifications, and contract review for a full picture.
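Added example of the public-address guard described in this section (illustrative Python, not TATER's code): it resolves the website host, refuses any answer that is not a public unicast address, and hands back the vetted addresses so the scanner connects to those rather than resolving the name a second time, since a second lookup could return a different, internal answer. Two details a practitioner would want: carrier-grade NAT space is listed explicitly because Python's ipaddress module treats 100.64.0.0/10 as neither private nor global, and IPv4-mapped IPv6 addresses are unwrapped so ::ffff:127.0.0.1 is caught as loopback. The resolver is a constructed stand-in for DNS so the example runs offline; the hostnames are made up.

```python
"""Added illustration of the public-address guard: resolve the website host,
refuse any answer that is not a public unicast address, and return the vetted
addresses so the scanner connects to exactly what was checked."""
import ipaddress
from ipaddress import IPv6Address

# Listed explicitly rather than relying on is_private, whose coverage of these
# ranges differs between Python versions; CGNAT is never "private" to it.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "100.64.0.0/10",   # carrier-grade NAT (RFC 6598)
    "192.0.0.0/24",    # IETF protocol assignments
    "198.18.0.0/15",   # benchmarking
    "2001:db8::/32",   # IPv6 documentation prefix
    "64:ff9b::/96",    # NAT64 well-known prefix: embeds an IPv4 address
)]


def classify(address):
    """Return None for a public unicast address, else a short reason it is blocked."""
    ip = ipaddress.ip_address(address)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return "not unicast or reserved"
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return f"special-use ({net})"
    return None


def vet_target(hostname, resolve):
    """resolve(hostname) returns the A and AAAA answers as strings. Every answer
    must pass: a name that mixes a public address with an internal one is
    rejected, because the client cannot control which answer it would use."""
    addresses = resolve(hostname)
    if not addresses:
        return {"ok": False, "reason": "does not resolve", "addresses": []}
    for addr in addresses:
        reason = classify(addr)
        if reason is not None:
            return {"ok": False, "reason": f"{addr} is {reason}", "addresses": []}
    return {"ok": True, "reason": None, "addresses": list(addresses)}


# Constructed resolver standing in for DNS so the example runs offline. The
# hostnames are made up; the two "public" addresses are real public ones.
FAKE_DNS = {
    "vendor-a.example": ["93.184.216.34", "2606:4700:4700::1111"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "cgnat.example": ["100.64.1.2"],
    "mapped.example": ["::ffff:127.0.0.1"],
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    for host in [*FAKE_DNS, "nxdomain.example"]:
        verdict = vet_target(host, fake_resolve)
        print(f"{host:20} {'scan' if verdict['ok'] else 'reject: ' + verdict['reason']}")
```

The scanner should then open its TLS connection to one of the returned addresses (passing the hostname separately for SNI and certificate matching) instead of calling connect on the name, so the address that was vetted is the address that is contacted.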