For Cyber Insurance Carriers

Underwrite software supply chain risk with code-level precision.

Stop pricing cyber policies on questionnaires that take weeks to fill out and go stale the moment they are submitted. TripleKey gives carriers continuous, forensic visibility into the software risk inside every insured, so underwriting, monitoring, and claims defense run on the same live data.

Built On

48,185 CVEs analyzed in 2025 · Daily forensic scans · SBOM evidence trail

30%

of breaches now involve a third party, double the prior year (2025 Verizon DBIR)

48.8%

U.S. cyber loss ratio in 2024, up more than seven points year over year (AM Best)

48K

new CVEs published in 2025, the highest annual total ever recorded (NVD)

44%

of confirmed breaches now involve ransomware, up from 32% (2025 Verizon DBIR)

The Underwriting Gap

Cyber policies are priced on questionnaires. Losses happen in code.

Cyber carriers are exposed to a class of risk that traditional underwriting inputs were never designed to see. The signals that actually predict loss live deep inside an insured's software supply chain, and they change every day.

01

Questionnaires expire on submission

A SOC 2 report, a self attestation, or an ISO 27001 certificate describes a single moment in time. Most high-visibility breaches in the last three years happened to insureds who held all three. Underwriters need a continuous signal, not an annual snapshot.

02

Aggregation risk is invisible

When a single open source library has a critical vulnerability, hundreds of insureds across the book may be exposed at the same moment. Without an SBOM lens across the portfolio, carriers cannot see correlated exposure until claims start arriving.

03

Claims defense lacks evidence

When a breach claim arrives, carriers need forensic certainty about what software was running, what dependencies were in place, and when warning signs appeared. That evidence usually does not exist. TripleKey produces it daily as a routine output.

How Carriers Use TripleKey

Four moments where code-level visibility changes the economics.

From quote to claim, TripleKey gives every team in a cyber carrier the same live evidence base, replacing point in time attestations with a continuous data feed.

Underwriting and quoting

Replace weeks of back and forth questionnaires with a Tech Risk Score derived from the actual code an insured ships, plus the dependency posture behind it.

  • Bind faster on better risks with a 0 to 100 score grounded in scan data
  • Tier premiums and deductibles using observable software hygiene signals
  • Add SBOM and dependency monitoring as a covered service or warranty condition

Portfolio aggregation monitoring

See correlated exposure the moment a critical CVE is disclosed in a widely used dependency. Quantify how many insureds are running it before the news cycle does.

  • Cross book SBOM intelligence on every active policy
  • Aggregation alerts the same day a critical CVE is disclosed
  • Reinsurance and treaty modeling backed by live dependency data

Loss prevention and renewal

Catch posture decay between renewals. When an insured's risk score drops below a threshold, trigger a touch from your risk engineering team before a small problem becomes a covered loss.

  • Configurable score thresholds tied to renewal terms
  • Risk engineering reports written for non technical stakeholders
  • Pre renewal evidence package to support tougher conversations

Claims investigation and defense

When a breach notice comes in, a daily forensic record of code and dependency state already exists. Use it to scope causation, defend coverage decisions, and pursue subrogation.

  • Time stamped SBOM and CVE history for every insured
  • Contributor and code provenance trail for IP and origin questions
  • Evidence pack delivered to defense counsel in days, not months

How It Works

From policy bound to live signal in under a week.

TripleKey was designed to be a routine input to underwriting and risk engineering, not a heavy implementation. The insured grants a read only token. Everything else runs in the background.

01

Insured opts in

Either at quote, at bind, or as a covered service in the policy. No charge to the insured for participation.

02

Read only connection

Read only access is granted. No pipeline changes. No agent installation. No engineering lift.

03

Daily forensic scan

TripleScan runs every 24 hours. Tech Risk Score, SBOM, CVE alerts, and license issues land in the carrier portal.

04

Carrier acts on signal

Underwriting uses the score. Portfolio teams watch aggregation. Risk engineering catches drift. Claims has evidence.

The Data Carriers Receive

Live signals, formatted for the people who actually price and pay risk.

Every TripleScan plots your client against thousands of peers in the same industry. When a healthcare SaaS prospect scores 73 against a sector median of 58, your producer walks into the carrier conversation with leverage. When a manufacturer is 12 points below peer median, you know exactly what to remediate before submission.

Tech Risk Score (0 to 100)

A composite score updated daily, trended over the policy period, mapped to letter grades for executive reporting.

SBOM

Full software bill of materials, refreshed daily, queryable across the entire book to surface aggregation exposure in real time.

CVE and license alerts

Severity ranked by policy block or portfolio level with remediation status and patch latency tracked over time.

Contributor and provenance trail

Who wrote the code, where it came from, and what changed. Critical for IP exposure questions and post breach root cause work.

Why TripleKey vs. The Status Quo

Underwriting inputs that match the speed of software risk.

Cyber carriers are still pricing on inputs designed for an era before continuous deployment. TripleKey was built for how software actually ships today.

| Capability | Self attested questionnaires | Annual SOC 2 / ISO 27001 | TripleKey |
| --- | --- | --- | --- |
| Refresh rate | Annual | Annual | Daily |
| Code level evidence | Not included | Sampled, point in time | Full SBOM, every insured |
| Aggregation visibility across book | Not possible | Not possible | Cross portfolio queries |
| Drift detection between renewals | None | None | Score deltas, daily |
| Forensic record for claims | Insured produces, if at all | Out of date by months | Time stamped, immutable |
| Lift on the insured | Weeks of questionnaires | Months of audit prep | A read only token |

"For years we underwrote software supply chain risk on attestations and self reported answers, and we knew the signal was thin. Pulling code level data into the bind decision and then watching it move daily across the book is the kind of evidence cyber underwriting has been waiting for."

Cyber underwriting leadership
Specialty Lines Carrier

Built for Carrier Workflows

Plugs into how underwriting, portfolio, and claims teams already work.

Whether your stack is a workbench, a homegrown rating engine, or a portfolio analytics platform, TripleKey delivers data the way you need to consume it.

Underwriter Portal

Carrier dashboard

Score, SBOM, alerts, and trend charts. Multi user access for underwriting, risk engineering, and claims.

Underwriting Brief

Per insured PDF

One page summary written for an underwriter. Score, top exposures, renewal recommendations. Drop straight into the file.

Aggregation Reports

Portfolio Risk Reporting

The same day a critical CVE is disclosed, see how many insureds, which limits, and which lines of business are exposed.

Risk Engineering Pack

Insured facing report

A non technical, executive ready report your risk engineers can send to the insured to drive remediation between renewals.

Claims Evidence

Forensic SBOM history

Time stamped record of every dependency, every score change, every alert. Delivered to defense counsel as a single bundle.

Your Workflow

Coming soon

SCALE WITH CONFIDENCE

Let's price the risk you can actually see.

We work with cyber carriers, MGAs, and reinsurers across all industry verticals. Bring us a sample portfolio. We will show you what your insureds actually look like at the code level, and what that means for your loss ratio.
