BitSight Monitors Your Vendors From the Outside. Someone Needs to Watch the Inside.
BitSight has earned its place in vendor risk programmes worldwide. But there is a layer it was never built to see: what happens after a vendor connects to your SaaS environment. This is the gap where most modern third-party breaches actually occur, and where external security ratings go silent.
BitSight is one of the most trusted names in third-party risk management. Its security ratings give CISOs a continuous, data-driven view of vendor external posture: open ports, dark web credential exposures, botnet signals, and SSL misconfigurations. For organisations managing dozens of vendor relationships, BitSight's external ratings are one of the most reliable signals available.
But there is a layer BitSight was never designed to see. And that is where most real third-party breaches actually happen.
This article covers what BitSight does well, where its visibility ends, and how FrontierZero fills the gap with inside-out monitoring of vendor activity across your SaaS environment.
What BitSight Monitors and Why It Matters
BitSight scans what is publicly observable about a vendor's infrastructure: compromised systems, botnet communications, unpatched vulnerabilities, email security configurations, and exposed credentials. That data produces a continuous security rating that reflects the cyber health of a vendor's external-facing environment.
Independent research validates the approach. Studies by Marsh McLennan and Moody's Analytics show a statistically significant correlation between BitSight ratings and real-world breach likelihood. Forrester named BitSight a Leader in its 2026 Cybersecurity Risk Ratings Platforms Wave, with the highest possible scores across 11 criteria.
For security teams, this is useful in three concrete ways:
- Vendor onboarding. Get a baseline view of a supplier's security hygiene without a questionnaire. A rating shows their public-facing posture the same way an attacker would.
- Continuous monitoring. A vendor rated 780 in January could have a leaked credential or misconfigured server by April. BitSight catches those changes in real time.
- Risk tiering. Not every vendor relationship warrants the same scrutiny. External ratings help focus attention where the exposure is greatest.
The limitation is not that BitSight is inaccurate. It is that it watches the outside of your vendors' walls while the access layer inside your environment remains unmonitored.
The Blind Spot: What Happens After a Vendor Connects
A vendor with a BitSight score of 800 can still compromise your environment.
Once a third party connects to your SaaS stack through an OAuth integration, a delegated admin account in Microsoft 365, or a connected app in Salesforce, they are no longer on the outside. They are inside. And external scanning has no visibility into what they do once they get there.
Consider the scenario:
- A vendor employee logs into your Microsoft 365 environment via delegated admin credentials.
- They have access to email, SharePoint, and user management functions.
- Their company's BitSight score is 790, healthy by any external measure.
- But this specific employee's account has no MFA enforced for external logins.
- Their credentials appeared in a breach dump six weeks ago.
No external rating would catch this. The risk is not in the vendor's infrastructure. It is in what their account is doing inside yours.
This isn't a limitation of BitSight specifically; it's a structural gap in how vendor risk has traditionally been framed.
This pattern appears in breach after breach. The HackerOne breach involved a contractor using authorised access to exfiltrate vulnerability reports. The Jaguar Land Rover breach traced back to third-party identity and supply chain exposure. The Vimeo breach and the Zara breach both followed a similar third-party access pattern. In none of these cases was the vendor's external score the signal. The signal was internal activity that no one was watching.
Two Questions Every CISO Needs Answers To
Third-party risk comes down to two distinct questions, and most programmes only answer the first:
1. Is this vendor secure? What does their external infrastructure look like? Are they patching? Do they have dark web exposures? BitSight answers this well.
2. What is this vendor doing inside my environment right now? Which of their accounts have active access? What permissions do they hold? Are they still in your systems after the project ended?
SaaS providers secure their platform. Everything inside your environment, including the users, vendors, and permissions operating within it, is your responsibility. A healthy vendor can still have a compromised employee account. A high-scoring supplier can still have an OAuth integration that is quietly over-permissioned.
External posture and internal behaviour are not the same thing. You need visibility into both.
BitSight and FrontierZero: How the Layers Fit Together
The table below shows what each tool monitors and what questions each answers. These are complementary layers, not competing products.
What Inside-Out Vendor Monitoring Actually Covers
Where BitSight monitors the vendor from the outside, FrontierZero monitors the access from the inside. In practice, that means:
- Full OAuth and integration inventory. Every third-party connection across your SaaS environment, including shadow integrations that employees granted without IT involvement.
- Per-account visibility. Not 'is this vendor's score healthy?' but 'which of their eight employees have active access, what are they accessing, and does anything look anomalous?'
- Orphaned access detection. When a vendor engagement ends, their OAuth tokens and delegated credentials often do not expire automatically. FrontierZero flags access that has outlived the relationship.
- Permission scope analysis. Identifies integrations where the permissions granted exceed what the vendor actually needs or declared.
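The checks listed above, together with the delegated-admin scenario earlier in the article (no MFA on external logins, credentials seen in a breach dump), can be expressed as a small audit over a connection inventory. The following is an added example written for this page, not FrontierZero's or BitSight's code. The inventory, vendor names, account names, the `VendorConnection` fields and the 90-day staleness threshold are all constructed assumptions; the scope names are in the style of Microsoft Graph permissions but stand in for whatever your SaaS platform exposes.

```python
"""Inside-out vendor access audit over a constructed SaaS connection inventory.

Added example for illustration; not code from FrontierZero or BitSight.
Every vendor, account, scope set and date below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class VendorConnection:
    vendor: str
    account: str
    kind: str                       # "oauth_app" or "delegated_admin" (assumed field)
    granted_scopes: Set[str]        # what the platform actually granted
    declared_scopes: Set[str]       # what the vendor said it needed at onboarding
    granted_by_it: bool             # False = consent given by an employee, not IT
    engagement_end: Optional[date]  # None = contract still open
    last_used: date
    mfa_enforced: bool = True
    credentials_in_breach_dump: bool = False


# Assumption: access unused for this long is treated as stale.
STALE_AFTER = timedelta(days=90)


def audit_connection(conn: VendorConnection, today: date) -> List[Tuple[str, str]]:
    """Return (finding_type, detail) pairs for one vendor connection."""
    findings = []
    # Orphaned access: the engagement ended but the grant is still live.
    if conn.engagement_end is not None and conn.engagement_end < today:
        findings.append(("orphaned_access", f"engagement ended {conn.engagement_end}"))
    # Permission scope analysis: granted scopes that were never declared.
    excess = conn.granted_scopes - conn.declared_scopes
    if excess:
        findings.append(("over_permissioned", "undeclared scopes: " + ", ".join(sorted(excess))))
    # Shadow integration: consent granted outside the IT/procurement path.
    if not conn.granted_by_it:
        findings.append(("shadow_integration", "granted without IT involvement"))
    # Stale access: live grant that nobody is actually using.
    if today - conn.last_used > STALE_AFTER:
        findings.append(("stale_access", f"unused for {(today - conn.last_used).days} days"))
    # Per-account signals from the delegated-admin scenario in the article.
    if conn.kind == "delegated_admin" and not conn.mfa_enforced:
        findings.append(("no_mfa", "delegated admin login without MFA"))
    if conn.credentials_in_breach_dump:
        findings.append(("exposed_credentials", "credentials seen in breach data"))
    return findings


def audit_inventory(inventory, today: date):
    """Map each account to its findings; an empty list means nothing flagged."""
    return {c.account: audit_connection(c, today) for c in inventory}


def finding_types(report, account: str) -> List[str]:
    """Convenience accessor: just the finding types for one account."""
    return [kind for kind, _ in report[account]]


# Constructed inventory. Fixed "today" so the example is reproducible offline.
TODAY = date(2026, 4, 1)
INVENTORY = [
    # Mirrors the article's scenario: healthy vendor, weak individual account.
    VendorConnection("Acme Support Ltd", "acme-helpdesk@external", "delegated_admin",
                     {"Mail.Read", "Sites.ReadWrite.All", "User.ReadWrite.All"},
                     {"Mail.Read", "Sites.ReadWrite.All", "User.ReadWrite.All"},
                     granted_by_it=True, engagement_end=None,
                     last_used=TODAY - timedelta(days=1),
                     mfa_enforced=False, credentials_in_breach_dump=True),
    # Employee-consented app with far more than it asked for.
    VendorConnection("DataSync Inc", "datasync-connector", "oauth_app",
                     {"Files.ReadWrite.All", "Mail.ReadWrite", "Directory.Read.All"},
                     {"Files.Read.All"},
                     granted_by_it=False, engagement_end=None,
                     last_used=TODAY - timedelta(days=3)),
    # Project closed months ago; token still valid and untouched.
    VendorConnection("Migration Partners", "migration-svc", "oauth_app",
                     {"Sites.Read.All"}, {"Sites.Read.All"},
                     granted_by_it=True, engagement_end=date(2025, 12, 31),
                     last_used=TODAY - timedelta(days=120)),
    # Well-behaved connection: nothing to flag.
    VendorConnection("Clean Vendor", "clean-app", "oauth_app",
                     {"User.Read"}, {"User.Read"},
                     granted_by_it=True, engagement_end=None,
                     last_used=TODAY - timedelta(days=2)),
]

if __name__ == "__main__":
    for account, findings in audit_inventory(INVENTORY, TODAY).items():
        print(account, "->", findings or "OK")
```

The point of the example is where the signal comes from: none of the flagged conditions are visible in the vendor's external posture, and the scenario account would be flagged twice even though its employer's rating is fine. In a real deployment the inventory would be pulled from the platform's consent and admin APIs rather than hard-coded.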
This is the layer that catches what external ratings cannot see. And it is the layer that most third-party breaches exploit.
Why Internal Activity Monitoring Is Becoming the Priority
External security ratings solved a real problem: scalable vendor assessment without questionnaire fatigue. That was the right first step.
But the threat surface has shifted. The modern third-party breach vector is not a misconfigured server visible from the outside. It is a legitimate OAuth integration with more permissions than declared. It is a vendor account still active months after the project closed. It is a shadow SaaS connection that bypassed procurement entirely.
Both layers matter. External posture tells you whether a vendor is a reasonable choice to work with. Internal monitoring tells you whether that choice remains safe after the relationship begins. The gap most programmes have is in the second layer.
Want to see what your vendor connections actually look like right now?
FrontierZero's free External Connections Report maps every third-party integration in your SaaS environment, with risk context attached. No demo required.
Frequently Asked Questions
Does BitSight monitor what vendors do inside my SaaS environment?
No. BitSight monitors a vendor's external-facing infrastructure: open ports, credential exposures, SSL configurations, and network hygiene. It does not have visibility into what happens after a vendor is granted access to your SaaS applications or data. That is a different monitoring layer entirely.
Can a vendor with a high BitSight score still cause a breach?
Yes, and this is true of any external rating methodology, not BitSight specifically. A vendor's external score reflects the health of their public-facing infrastructure. It does not account for the behaviour of individual employee accounts, over-permissioned OAuth integrations, or access that has outlived the vendor relationship. The HackerOne breach is a clear example: authorised access, not a failing score, was the breach vector.
How does FrontierZero complement BitSight?
BitSight monitors at the vendor organisation level using external signals. FrontierZero monitors at the access level inside your SaaS environment: which vendor accounts are active, what they are accessing, whether permissions are appropriate, and whether access should still exist at all. The two tools answer different questions and are designed to work alongside each other.
What is third-party SaaS access monitoring?
Third-party SaaS access monitoring is the practice of tracking what connected vendor accounts and integrations are doing inside your SaaS environment in real time. It covers OAuth tokens, delegated admin accounts, connected apps, and the behaviour of individual vendor users, including whether their access is still active after a project ends.
How do I find out which vendor connections are active in my environment?
Most security teams do not have a complete picture. OAuth integrations are often granted by individual employees without IT involvement, and delegated admin accounts are rarely audited after provisioning. FrontierZero's External Connections Report gives you a full inventory in minutes, at no cost.