Why We Built the Risky Tech Ranking

Technology vendors releasing insecure products has become all too common in the IT industry. This practice appears to be tolerated because security patches can be applied to fix known vulnerabilities.

However, under-resourced businesses often struggle to apply crucial patches in a timely fashion. With every new patch, IT teams must dedicate valuable resources to ensure the update won't disrupt core business systems — and this effort is multiplied by the thousands of vulnerabilities that are published each month. 

Even defenders who keep up with the relentless patch management cycle can be compromised by zero-day vulnerabilities. This helps to explain why software vulnerabilities are a leading cause of ransomware incidents.

Based on Coalition’s* view of the risk landscape, the lack of accountability from select technology providers magnifies this problem. We can tell when vendors release products to market without adequate testing, leaving businesses unknowingly exposed to vulnerabilities. And even after flaws are discovered, vendors can still delay issuing patches or downplay the severity of the issue, potentially leaving businesses to bear the brunt of a cyber attack.

Coalition’s commitment to protecting the unprotected is what inspired the Risky Tech Ranking, a list of technology providers whose products were vulnerable to exploitation by threat actors. The ranking is designed not only to serve as an educational tool for businesses when making purchasing decisions, but also to push vendors to make their popular technologies more secure. 

Coalition’s unique view of cyber risk

As a cyber insurance provider, Coalition** frequently encounters technology products and services that fail to adequately safeguard businesses. We also have an unparalleled view of the cyber threat landscape through our Active Data Graph, a purpose-built data collection and analysis engine that allows us to unearth the newest and most pressing cyber threats and determine which threats are most likely to result in losses.

We’ve already used these insights to create the Coalition Exploit Scoring System (Coalition ESS), a generative AI-based risk scoring system that helps risk managers and security professionals cut through the noise surrounding new vulnerabilities.

Now, we’re applying Coalition ESS to the Risky Tech Ranking to help businesses make better-informed decisions about the technologies they adopt.

How the Risky Tech Ranking works

The Risky Tech Ranking applies publicly available data to a methodology formulated by Coalition. You can read our full methodology, but here’s how it generally works:

  • We determine the number of vulnerabilities impacting a vendor’s products

  • We weight vulnerabilities using Coalition ESS

  • We assign a Vendor Score to each vendor, calculated by multiplying the number of vulnerabilities impacting a vendor's products by the average Coalition ESS score

Simply counting published vulnerabilities per vendor would be misleading, as not all vulnerabilities are alike:

  • A vulnerability discovered via a bug bounty program creates less risk than one discovered being exploited as a zero day in the wild.

  • A vulnerability that allows a remote attacker to gain full control over the device presents more risk than a vulnerability that can only be exploited by plugging a USB stick into the device.

  • A vulnerability affecting a smart fridge used by 100 customers is less risky than a vulnerability in the world’s most popular web server.

Coalition ESS accounts for these factors by assigning a higher weighting to vulnerabilities that are more likely to be exploited. The end result is a list of the top 100 vendors whose products were vulnerable to exploitation by threat actors. See the full list for Q1 2025.
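The Vendor Score calculation described above, as an added example (not Coalition's code or data): vendor names, vulnerability ids and ESS values are constructed, and the 0 to 1 score scale is an assumption. It shows how the weighted score can reverse a ranking based on raw vulnerability counts.

```python
from collections import defaultdict

# Constructed sample records: (vendor, vulnerability id, ESS score).
# All names, ids and scores are invented; the 0-1 scale is an assumption.
SAMPLE_VULNS = [
    ("VendorA", "VULN-0001", 0.02), ("VendorA", "VULN-0002", 0.02),
    ("VendorA", "VULN-0003", 0.02), ("VendorA", "VULN-0004", 0.02),
    ("VendorA", "VULN-0005", 0.02), ("VendorA", "VULN-0006", 0.02),
    ("VendorB", "VULN-0007", 0.90), ("VendorB", "VULN-0008", 0.70),
    ("VendorC", "VULN-0009", 0.10), ("VendorC", "VULN-0010", 0.10),
    ("VendorC", "VULN-0011", 0.30), ("VendorC", "VULN-0012", 0.10),
]


def vendor_scores(vulns):
    """Return {vendor: (count, average_ess, vendor_score)}.

    vendor_score = count * average_ess, as the page describes it.
    Algebraically this equals the sum of the vendor's ESS scores.
    """
    by_vendor = defaultdict(list)
    for vendor, _vuln_id, ess in vulns:
        by_vendor[vendor].append(ess)
    table = {}
    for vendor, scores in by_vendor.items():
        count = len(scores)
        average = sum(scores) / count
        table[vendor] = (count, average, count * average)
    return table


def rank(vulns, key):
    """Rank vendors, highest first, by raw 'count' or weighted 'score'."""
    table = vendor_scores(vulns)
    column = {"count": 0, "score": 2}[key]
    # Ties are broken alphabetically so the ordering is deterministic.
    return sorted(table, key=lambda v: (-table[v][column], v))


if __name__ == "__main__":
    for vendor, (n, avg, score) in sorted(vendor_scores(SAMPLE_VULNS).items()):
        print(f"{vendor}: count={n} avg_ess={avg:.2f} vendor_score={score:.2f}")
    print("by raw count:   ", rank(SAMPLE_VULNS, "count"))
    print("by vendor score:", rank(SAMPLE_VULNS, "score"))
```

Because the score is a count multiplied by an average, a vendor with many low-scoring vulnerabilities can still outrank one with a single severe issue, so the per-vulnerability scores are worth reading alongside the total.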

The Risky Tech Ranking is updated on a quarterly basis throughout the calendar year and tracks changes over time to both average Vendor Score and contributing vulnerabilities.

Transparency around the risks associated with specific vendors and their technologies empowers businesses to make better-informed choices about the tools and services they adopt.

Our goals for the Risky Tech Ranking

When products are impacted by vulnerabilities, threat actors can exploit these weaknesses to launch damaging ransomware attacks or gain access to sensitive data.

For small and midsize businesses (SMBs), the stakes are even higher. With fewer resources and limited cybersecurity expertise, they often assume that their technology providers are delivering sound products that can be trusted. Transparency around the risks associated with specific vendors and their technologies empowers businesses to make better-informed choices.

Coalition remains committed to the goal of mitigating cybersecurity threats. By building the Risky Tech Ranking, we’re providing businesses with greater peace of mind and contributing to a safer digital environment for everyone.


*Coalition Inc is a Delaware corporation with a principal place of business and registered address of 44 Montgomery Street, Suite 4210, San Francisco, CA 94104. 
**Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc. (“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. CIS is a wholly owned subsidiary of Coalition, Inc. 
The Risky Tech Ranking is based on publicly available data and is intended for general, informational purposes only, and not as legal, professional, or consulting advice; use of the Risky Tech Ranking is solely at your own risk. The Risky Tech Ranking is a list of unaffiliated third-party technology providers ranked by a methodology based on Coalition’s Exploit Scoring System (Coalition ESS), which is powered by generative AI, machine learning, and an underlying algorithm that provides assessment of all publicly disclosed vulnerabilities and evaluates a technology vendor's risk based on the exploitability of reported vulnerabilities over a set time period. Coalition disclaims all warranties, express or implied. Risky Tech Ranking results may vary or fluctuate based on factors outside of Coalition's control. See Coalition’s Terms of Use and Privacy Policy for additional information.
This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites. Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.