FAQ - Answers to Your Questions

Here you will find all the important questions and answers about IT risk analysis, security rating, monitoring, and data processing with LocateRisk—explained in a compact format.

Overview

Questions about LocateRisk
Questions about External Attack Surface Management (EASM)
Questions about SecurePlus
Questions about vendor risk management (VRM)
Questions about data protection & legal matters

Questions about LocateRisk

1) What is LocateRisk?
LocateRisk is a German cybersecurity company that combines automated IT risk assessments, external attack surface management (EASM), and vendor risk management (VRM) in a single platform. Our solution assesses and monitors external IT infrastructures, identifies security vulnerabilities, provides recommendations for action, and enables compliance testing of business partners—fully automated, non-invasive, and GDPR-compliant.
2) Who uses LocateRisk?
LocateRisk is used by over 1,000 private and public organizations in the DACH region – including SMEs, corporations, municipalities, associations, energy suppliers, healthcare organizations, insurance companies, financial companies, and IT service providers. Regulated sectors such as critical infrastructure (KRITIS), KRITIS-related companies, and operators of essential services use LocateRisk to gain transparency about risks and to support security standards such as NIS2 or ISO 27001 efficiently.

Typical user groups are:

• IT managers & CISOs
• Executive and senior management
• Purchasing & Data Protection
• IT service providers, MSPs, and consulting firms

3) What are the main features offered by LocateRisk?
LocateRisk combines several security-related functions in one platform.

1. External Attack Surface Management (EASM):
Continuous monitoring and assessment of your own externally visible IT infrastructure to identify undiscovered assets and vulnerabilities.
More information about External Attack Surface Management

2. Vendor Risk Management (VRM):
Automated security assessment of suppliers using scans and digital questionnaires. You receive a standardized, objective security score that makes the risks in your supply chain transparent. This saves up to 75% of the time compared to manual procedures.
More information about Vendor Risk Management

3. SecurePlus – Compliance Mapping:
SecurePlus enables automated comparison of identified vulnerabilities with regulatory requirements such as NIS2, ISO 27001, TISAX, GDPR, PCI DSS, or NIST. The package is complemented by an AI assistant for faster risk assessment and domain squatting detection to protect against phishing. This makes audit preparation much easier and helps companies identify and manage compliance risks at an early stage.
More information about SecurePlus

4) How does LocateRisk support NIS2?
LocateRisk supports companies in implementing NIS2 by regularly making risks and vulnerabilities visible, assigning them to the relevant NIS2 obligations, and providing corresponding evidence. With EASM, VRM, and automated compliance mapping, the platform addresses key requirements such as risk analysis, vulnerability management, and supply chain auditing: fast, objective, and documentable.
5) How does LocateRisk differ from other solutions?
LocateRisk combines external risk analyses, supplier evaluations, and compliance mapping in a single EU-hosted platform. The analysis is non-invasive, easy to understand, and specifically geared toward European security standards such as NIS2 or ISO 27001. This provides companies with faster, actionable results and evidence for audits—without complex implementation and with full GDPR compliance.
6) Does the LocateRisk scan affect the systems?
No. The scan is non-invasive and relies on proprietary developments rather than potentially invasive security scanners.
7) Where is the data processed and hosted?
As a German company, we attach great importance to data sovereignty and compliance with the GDPR. The LocateRisk platform is hosted and primary data processing takes place exclusively within the EU—in ISO 27001-certified data centers (e.g., Hetzner, Scaleway). This ensures that we comply with strict European security and data protection standards.
8) Is personal data processed?
No, LocateRisk does not aim to process personal data. The platform performs a purely external, non-invasive security analysis and evaluates only publicly available technical information about the company's infrastructure (e.g., configurations, certificates, open ports). There is no access to internal systems, customer databases, or confidential employee data.
9) How much does a LocateRisk analysis cost?
The cost of a LocateRisk analysis depends on the scan interval and the number of employees in the organization being assessed. The IT inventory and management overview are free of charge.
10) What do I get in the free initial scan?
The free initial scan provides:

• A free demo of the evaluation results.
• An insight into the Top 5 vulnerabilities.
• The management overview for forwarding to management or IT service providers.

This gives organizations a well-founded initial overview of their cybersecurity situation—quickly, objectively, and without installation.
11) What do I need to consider before starting the security scan?
The main domain of the organization to be audited is required, as well as optional additional domains (e.g., product landing pages). For the IT security assessment in the form of a management overview, verbal agreement is sufficient. For detailed analyses, benchmarks, or ongoing monitoring, documented consent is required.

Questions about External Attack Surface Management (EASM)

1) What is external attack surface management?
LocateRisk's External Attack Surface Management (EASM) is an automated, non-invasive security analysis of a company's entire externally visible IT infrastructure. The platform automatically detects digital assets, identifies vulnerabilities in nine categories, continuously monitors changes, and provides well-founded recommendations for action to reduce risk and attack surfaces—without any installation.
2) What are typical vulnerabilities?
Externally reachable MySQL and Remote Desktop services, missing SPF records, security vulnerabilities due to missing patches, SSLv3 and TLS 1.0 still being offered, tracking cookies set without user consent, etc.
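Two of the listed weaknesses, a missing or permissive SPF record and outdated TLS versions, can be checked from data that is publicly visible. The following is an added example written for this FAQ, not LocateRisk's own scanner logic: the hostnames, TXT answers and TLS version lists are constructed, and the `check_spf` and `weak_tls_versions` functions are illustrative helpers.

```python
"""Check SPF TXT records and offered TLS versions for the weaknesses the FAQ names.

Added example: the DNS answers and TLS version lists below are constructed, not
real scan output, and the check logic is illustrative rather than LocateRisk's own.
"""
from typing import Iterable

# Protocol versions the FAQ names as weak; anything at or below TLS 1.0 is flagged.
WEAK_TLS = ("SSLv2", "SSLv3", "TLSv1.0")


def check_spf(txt_records: Iterable[str]) -> dict:
    """Evaluate the SPF record(s) among a domain's TXT records.

    Returns {'status': 'missing' | 'multiple' | 'weak' | 'ok', 'detail': str}.
    """
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return {"status": "missing", "detail": "no v=spf1 record published"}
    if len(spf) > 1:
        # RFC 7208 allows exactly one SPF record; several yield a permanent error.
        return {"status": "multiple", "detail": f"{len(spf)} v=spf1 records found"}
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return {"status": "weak", "detail": "no 'all' mechanism; unlisted senders are not rejected"}
    # A mechanism without an explicit qualifier defaults to '+' (pass).
    first = all_terms[-1][0]
    qualifier = first if first in "+-~?" else "+"
    if qualifier == "+":
        return {"status": "weak", "detail": "'+all' authorizes every sender"}
    if qualifier == "?":
        return {"status": "weak", "detail": "'?all' is neutral; spoofed mail is not rejected"}
    return {"status": "ok", "detail": f"'{qualifier}all' fails or soft-fails unlisted senders"}


def weak_tls_versions(offered: Iterable[str]) -> list:
    """Return the offered protocol versions that are considered weak."""
    return [v for v in offered if v in WEAK_TLS]


# Constructed sample: fictional hosts with their TXT answers and offered TLS versions.
SAMPLE_HOSTS = {
    "example.test": {
        "txt": ["v=spf1 include:_spf.example.test -all"],
        "tls": ["TLSv1.2", "TLSv1.3"],
    },
    "shop.example.test": {
        "txt": ["site-verification=abc123"],
        "tls": ["TLSv1.0", "TLSv1.2"],
    },
    "legacy.example.test": {
        "txt": ["v=spf1 +all"],
        "tls": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    },
}


def scan_sample(hosts=SAMPLE_HOSTS) -> dict:
    """Run both checks over the sample and return one row per host."""
    return {
        host: {
            "spf": check_spf(data["txt"])["status"],
            "weak_tls": weak_tls_versions(data["tls"]),
        }
        for host, data in hosts.items()
    }


if __name__ == "__main__":
    for host, row in scan_sample().items():
        print(f"{host:22} spf={row['spf']:8} weak_tls={row['weak_tls']}")
```

The SPF check deliberately distinguishes a missing record from a present but permissive one (`+all`, `?all`, or no `all` term at all), because each has a different remediation.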
3) Who fixes the vulnerabilities?
As a rule, the IT teams of the audited companies fix the vulnerabilities themselves. The fee-based products include a one-hour meeting. If further support is required, we are happy to recommend a suitable service provider from our partner network.
4) How often can I scan (intervals)?
EASM scans can be performed flexibly and automatically, depending on security requirements: daily, weekly, monthly, or quarterly. In the first 4 weeks after launch, you also have access to any number of re-scans.
5) How does prioritization work (CVSS/EPSS)?
LocateRisk assesses vulnerabilities based on the CVSS score and supplements this with the EPSS value, which estimates the probability of a real attack. This provides IT teams with a prioritized overview based not only on technical criticality, but also on the actual probability of exploitation.
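To make the effect of adding EPSS to CVSS concrete, here is an added example (not LocateRisk's scoring code; the tiering rule, the 0.1 EPSS threshold, and the `CVE-0000-000x` placeholder identifiers are assumptions constructed for this illustration) that orders a small set of findings once by CVSS alone and once by CVSS combined with EPSS.

```python
"""Prioritize findings using the CVSS base score together with the EPSS probability.

Added example. The tiering rule and the EPSS threshold are assumptions for this
illustration, and the CVE identifiers are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str      # placeholder identifier, not a real CVE
    cvss: float   # CVSS base score, 0.0 to 10.0
    epss: float   # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0


def cvss_severity(score: float) -> str:
    """Qualitative rating bands as defined for CVSS v3."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def priority_tier(f: Finding, epss_threshold: float = 0.1) -> int:
    """1 = fix now, 2 = severe but rarely exploited, 3 = exploited but less severe, 4 = backlog.

    The rule is an assumption for this example: a finding is 'severe' when its
    CVSS rating is high or critical, and 'likely' when EPSS reaches the threshold.
    """
    severe = cvss_severity(f.cvss) in ("high", "critical")
    likely = f.epss >= epss_threshold
    if severe and likely:
        return 1
    if severe:
        return 2
    if likely:
        return 3
    return 4


def prioritize(findings, epss_threshold: float = 0.1) -> list:
    """Order by tier, then by exploitation probability, then by technical severity."""
    return sorted(findings, key=lambda f: (priority_tier(f, epss_threshold), -f.epss, -f.cvss))


def cvss_only(findings) -> list:
    """The naive ordering many teams start with: highest CVSS first."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample findings on fictional hosts.
SAMPLE_FINDINGS = [
    Finding("vpn.example.test", "CVE-0000-0001", 9.8, 0.02),
    Finding("www.example.test", "CVE-0000-0002", 7.5, 0.90),
    Finding("mail.example.test", "CVE-0000-0003", 5.3, 0.60),
    Finding("api.example.test", "CVE-0000-0004", 9.1, 0.40),
]


if __name__ == "__main__":
    print("CVSS only:    ", [f.cve for f in cvss_only(SAMPLE_FINDINGS)])
    print("CVSS + EPSS:  ", [f.cve for f in prioritize(SAMPLE_FINDINGS)])
```

On the sample data the 9.8-rated finding with a 2% exploitation probability drops behind the 7.5-rated finding with a 90% probability, which is the effect the FAQ describes: technical criticality alone would have put the IT team's effort in the wrong place first.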
6) How does task management work?
The integrated task management ensures that identified vulnerabilities can be quickly delegated to the right people. Systems can be grouped, filtered, and released in a targeted manner without sharing unnecessary information. This keeps the security process structured and easy to follow.
7) How are anomalies and changes detected?
LocateRisk automatically compares each new scan with previous results. The platform immediately detects when new systems appear, old ones disappear, or configurations and risks change. Depending on the settings, those responsible can be automatically notified in the event of critical deviations.
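The comparison described above amounts to diffing two inventories keyed by asset. The following added example (not LocateRisk's code; the asset attributes, the two constructed scan snapshots and the alert rules are assumptions for this illustration) detects appeared and disappeared assets, attribute changes, and raises alerts for two kinds of critical deviation: a newly exposed remote-access or database port and a rising risk score.

```python
"""Diff two scan snapshots to surface new, removed and changed assets plus alerts.

Added example. The snapshot format, the attribute names and the alert rules are
assumptions constructed for this illustration, not LocateRisk's own data model.
"""

# Ports whose new exposure should always raise an alert (MySQL, RDP); an assumption.
CRITICAL_PORTS = frozenset({3306, 3389})


def diff_scans(previous: dict, current: dict, critical_ports=CRITICAL_PORTS) -> dict:
    """Compare two snapshots of the form {hostname: {attribute: value}}."""
    prev_hosts, cur_hosts = set(previous), set(current)
    new_assets = sorted(cur_hosts - prev_hosts)
    removed_assets = sorted(prev_hosts - cur_hosts)

    changed = {}
    for host in prev_hosts & cur_hosts:
        delta = {}
        for key in set(previous[host]) | set(current[host]):
            before, after = previous[host].get(key), current[host].get(key)
            if before != after:
                delta[key] = (before, after)
        if delta:
            changed[host] = delta

    alerts = []
    for host in new_assets:
        alerts.append(f"{host}: new externally visible asset")
    for host in removed_assets:
        alerts.append(f"{host}: asset no longer reachable")
    for host, delta in sorted(changed.items()):
        if "open_ports" in delta:
            before, after = delta["open_ports"]
            newly_open = set(after or ()) - set(before or ())
            for port in sorted(newly_open & critical_ports):
                alerts.append(f"{host}: critical port {port} newly exposed")
        if "risk_score" in delta:
            before, after = delta["risk_score"]
            if before is not None and after is not None and after > before:
                alerts.append(f"{host}: risk score rose from {before} to {after}")

    return {
        "new_assets": new_assets,
        "removed_assets": removed_assets,
        "changed": changed,
        "alerts": alerts,
    }


# Constructed snapshots of a fictional organisation, one week apart.
PREVIOUS_SCAN = {
    "www.example.test": {"open_ports": frozenset({80, 443}), "tls_min": "TLSv1.2", "risk_score": 20},
    "db.example.test": {"open_ports": frozenset({3306}), "tls_min": None, "risk_score": 70},
    "old.example.test": {"open_ports": frozenset({443}), "tls_min": "TLSv1.0", "risk_score": 55},
}
CURRENT_SCAN = {
    "www.example.test": {"open_ports": frozenset({80, 443, 3389}), "tls_min": "TLSv1.2", "risk_score": 45},
    "db.example.test": {"open_ports": frozenset({3306}), "tls_min": None, "risk_score": 70},
    "staging.example.test": {"open_ports": frozenset({8080}), "tls_min": None, "risk_score": 30},
}


if __name__ == "__main__":
    result = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for line in result["alerts"]:
        print(line)
```

Unchanged hosts never appear in `changed`, so the output stays readable even for large estates; what counts as a "critical deviation" is a matter of policy and is kept in one place (`critical_ports` and the risk-score rule) so it can be tuned.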
8) Can I merge external and internal scans?
Yes. LocateRisk can merge external EASM data with internal vulnerability scans. Compatible with data exports from:

• Nessus / Greenbone / OpenVAS
• Qualys
• PingCastle (Active Directory)
• Pentest reports via CSV import

External and internal analyses appear clearly arranged in a shared interface – including a separate score for internal results.
9) Which reports and exports are available?
LocateRisk offers various reporting options:

• Management report (comprehensible summary)
• Detailed report for IT teams (including vulnerability details)
• Action plan / task list (Excel)
• CSV exports of all data
• PDF reports per filter/category
• API connection for SIEM, SOAR, SOC, or ticketing systems (e.g., ServiceNow, Splunk, Sentinel)

Questions about SecurePlus

1) What is SecurePlus?
SecurePlus is an add-on package for LocateRisk that supplements IT security analyses with automated compliance mapping, an AI-supported wizard, and domain squatting detection. It makes it easier to verify security standards, increases response speed in the event of vulnerabilities, and significantly reduces audit efforts.
2) Which compliance standards are automatically checked?
SecurePlus continuously compares identified vulnerabilities with relevant regulatory requirements. Supported standards include NIS2, ISO 27001, TISAX, GDPR, PCI DSS, NIST, CIS Controls, MITRE ATT&CK, OWASP, BSI IT-Grundschutz, and DIN SPEC 27076.
3) How does the AI Helper work?
The AI Helper provides helpful explanations of vulnerabilities and systems directly in the analysis. It explains technical background information, assists with risk assessment, and provides specific, practical recommendations for remediation. This accelerates decision-making and supports teams in prioritizing and acting efficiently. The underlying data is processed exclusively in anonymized form in the Microsoft Azure OpenAI Service in Sweden.
4) How are domain squatting and suspicious domains detected?
SecurePlus monitors newly registered or similar-sounding domains that could indicate potential misuse—such as typo domains or variants that resemble your brand or company domain. As soon as such domains appear or even receive certificates, they are automatically reported. This allows phishing risks to be identified at an early stage.
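Matching newly seen domains against a brand name is a similarity problem: typo variants, confusable characters and embedded brand names each need a different test. The following added example (not SecurePlus code; the observed-domain feed, the confusable-character table and the distance threshold are assumptions constructed for this illustration) flags candidates from a constructed list of newly observed domains so a defender can review them.

```python
"""Flag newly observed domains that resemble a brand domain.

Added example. The list of observed domains imitates entries a certificate
transparency or registration feed might yield and is constructed; the
confusable-character table and the edit-distance threshold are assumptions.
"""
import unicodedata

# Character sequences commonly confused with others at a glance; an assumption,
# deliberately short. Multi-character keys are replaced before single ones.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize_label(label: str) -> str:
    """Lower-case, strip accents/combining marks, and fold confusable sequences."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for seq, replacement in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        plain = plain.replace(seq, replacement)
    return plain


def registrable_label(domain: str) -> str:
    """Second-level label, assuming a single-label public suffix (e.g. '.test')."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(brand_domain: str, observed: list, max_distance: int = 2) -> list:
    """Return (domain, reason) pairs for observed domains resembling the brand."""
    brand = normalize_label(registrable_label(brand_domain))
    flagged = []
    for domain in observed:
        if domain.lower().rstrip(".") == brand_domain.lower().rstrip("."):
            continue  # the brand's own domain
        label = normalize_label(registrable_label(domain))
        if label == brand:
            flagged.append((domain, "confusable"))
        elif brand in label:
            flagged.append((domain, "brand embedded"))
        else:
            distance = levenshtein(label, brand)
            if distance <= max_distance:
                flagged.append((domain, f"edit distance {distance}"))
    return flagged


# Constructed feed of newly observed domains, all under the reserved '.test' TLD.
OBSERVED_DOMAINS = [
    "example.test",
    "exarnple.test",
    "examp1e.test",
    "exämple.test",
    "example-login.test",
    "exampl.test",
    "exampel.test",
    "unrelated.test",
]


if __name__ == "__main__":
    for domain, reason in flag_lookalikes("example.test", OBSERVED_DOMAINS):
        print(f"{domain:22} {reason}")
```

Every flagged domain is a review candidate, not a verdict: the FAQ's point is early visibility, so the list is meant to feed a monitoring queue where a human or a certificate-issuance check decides what to do next.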
5) How does SecurePlus support audits and certifications?
SecurePlus greatly simplifies audit processes, as compliance deviations are automatically documented and provided with traceable explanations. Companies receive clear evidence for external audits and certifications and are optimally prepared for audits thanks to continuous monitoring. This significantly reduces the manual effort required for IT, compliance, and internal auditing.

Questions about vendor risk management (VRM)

1) What is vendor risk management?
LocateRisk's Vendor Risk Management (VRM) enables companies to assess the IT security status of their suppliers, service providers, and partners efficiently, objectively, and scalably. The platform combines technical vulnerability scans with digital compliance questionnaires and provides all results in a clear, centralized dashboard.
2) How does the automated supplier check (scan + questionnaire) work?
Each supplier can be evaluated both technically and organizationally. The technical assessment is carried out using an automated vulnerability scan of the external IT environment, while digital questionnaires check compliance with requirements (e.g., NIS2, ISO 27001, GDPR). Both results are incorporated into risk and compliance scores. This provides a complete picture of the security of each business partner – transparent, comparable, and updatable at any time.
3) How do I invite suppliers and how does the registration process work?
Suppliers are invited via the LocateRisk platform and receive an email with a registration link. After registering, they enter their company data and decide which scan results they want to share. If a questionnaire is assigned, it automatically appears in the supplier account and can be completed directly. The results only become visible to the inviting company once the setup is complete.
4) How much time does VRM save compared to manual inspection?
VRM significantly reduces the amount of time spent on checks thanks to automated workflows, integrated questionnaires, standardized key figures, and centralized management of all supplier data. According to customer feedback, the time required is reduced by up to 75%.

Questions about data protection & legal matters

1) Is LocateRisk certified according to ISO 27001 or a similar standard?
LocateRisk is currently preparing for ISO 27001 certification. Our existing information security management system (ISMS) is already aligned with the requirements of ISO 27001.
2) Is LocateRisk GDPR compliant?
Yes. LocateRisk is a German company and consistently aligns its processes with the requirements of the GDPR. All systems are hosted within the EU and processing is based on non-invasive, publicly available information or explicit consent.
3) What data is processed?
The vulnerability analyses only access publicly available technical information such as certificates, HTTP headers, DNS entries, or configuration features. No personal data is scanned.
4) How is it legally ensured that the "hacker paragraph" is not violated?
LocateRisk performs exclusively non-invasive analyses based on publicly available information. No protective mechanisms are circumvented, no systems are compromised, and no deep access takes place. For supplier or third-party scans, documented consent is required, which is obtained and logged transparently in the VRM process. This procedure is in accordance with the current legal situation under Section 202c of the German Criminal Code (StGB).

Request your personal Live-Demo now

Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.

Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!

Your personal consultant: Luke Baumann, Chief Executive Officer

+49 6151 6290246