Root Evidence Links Cyber Risk to Financial Loss with New Scanner

📊 Key Data
  • Less than 1% of known vulnerabilities (CVEs) are responsible for multi-million-dollar breach payouts
  • Evidence Scan focuses on FIREs (Financial Risk Exposures) validated by insurance claims data
  • Tool aims to reduce alert fatigue by prioritizing vulnerabilities with proven financial impact
🎯 Expert Consensus

Experts would likely conclude that Root Evidence's Evidence Scan offers a more financially grounded approach to vulnerability management, shifting focus from technical severity to proven financial risk, aligning better with business priorities.

BOISE, ID – March 10, 2026 – Cybersecurity startup Root Evidence today launched the Enterprise Preview of a new tool that aims to fundamentally change how organizations prioritize cyber threats. The product, Evidence Scan, moves away from traditional vulnerability scoring to focus on a single, critical metric: the proven potential for financial loss.

The Boise-based company, founded by a team of industry veterans including Jeremiah Grossman and Robert Hansen, has been working with cyber insurance carriers to analyze claims data. Their research found that less than one percent of all known vulnerabilities (CVEs) are consistently responsible for the multi-million-dollar payouts that follow major breaches. Root Evidence has dubbed these critical few FIREs, or Financial Risk Exposures. Now, with Evidence Scan, the intelligence once used exclusively by insurers to price policies and assess risk is being made directly available to enterprise security teams.

Beyond the Noise of Vulnerability Alerts

For years, security operations centers (SOCs) and vulnerability management teams have been inundated with alerts from traditional scanning tools. These systems often flag thousands of vulnerabilities as "critical" or "high" based on technical severity scores such as the Common Vulnerability Scoring System (CVSS). However, such scores lack the business context needed to determine which issues pose a genuine, immediate threat to an organization's financial health.

This creates a state of "alert fatigue," where teams struggle to prioritize an unmanageable backlog, often spending valuable resources fixing vulnerabilities that are unlikely to ever be exploited in a financially damaging attack. Root Evidence argues this model is broken.

“For years, vulnerability management has measured effort instead of impact,” said Jeremiah Grossman, CEO of Root Evidence, in the announcement. “Teams are drowning in thousands of ‘critical’ findings that rarely translate into real-world financial loss. Volume isn’t useful information, it’s noise. If fixing 10,000 vulnerabilities doesn’t meaningfully change your probability of a claim, then you’re optimizing for activity, not outcomes.”

Evidence Scan flips this model on its head. Instead of a massive list of potential issues, it delivers a highly focused report of exposures that meet three specific criteria: they are publicly facing and exploitable, they have been proven to cause financial loss based on historical insurance data, and they are validated with high-fidelity evidence. This "loss-first" approach promises to cut through the noise, allowing teams to concentrate their efforts on the small percentage of vulnerabilities that truly matter.

The Insurer's Lens on Enterprise Risk

The key differentiator for Evidence Scan is the source of its intelligence: the actuarial data of the cyber insurance industry. Insurers have a direct financial stake in accurately predicting which vulnerabilities will lead to costly claims. By codifying the patterns from years of breach payouts, Root Evidence has created a tool that allows a company to see its own attack surface through the same lens its insurer uses.

This development comes at a critical time for the cyber insurance market. Insurers face an evolving and increasingly expensive threat landscape, with ransomware continuing to drive significant losses. In response, carriers have tightened underwriting standards, demanding more rigorous proof of an organization's security posture and maturity. The process often involves lengthy questionnaires and a frustrating back-and-forth that still may not capture the full picture of risk.

A tool like Evidence Scan could help bridge this information gap. By providing a standardized, financially grounded report on an organization's most critical exposures, it could streamline the underwriting process for both the insurer and the insured. For businesses, demonstrating that they have identified and remediated their known FIREs could lead to more favorable premiums and policy terms.

“For the first time, organizations can see themselves through the same actuarial lens their insurers use. That changes everything,” Grossman stated. This transparency helps align the goals of the CISO with those of the CFO and the board, translating technical vulnerabilities into the language of business risk and return on investment.

A New Player in a Crowded Field

Root Evidence enters a mature vulnerability management market dominated by established giants like Tenable, Qualys, and Rapid7. These platforms offer comprehensive scanning and have evolved to incorporate their own forms of risk-based prioritization, often using threat intelligence feeds, machine learning, and asset criticality ratings to help customers focus their efforts.

However, Evidence Scan’s unique value proposition is its direct, evidence-based link to actual financial loss. While competing "risk-based" systems predict which vulnerabilities could be dangerous, Root Evidence's platform focuses on the ones that have been dangerous, as validated by insurance claims. This subtle but crucial distinction moves the conversation from theoretical risk to historical fact.

This focus on FIREs is part of a larger industry trend toward Cyber Risk Quantification (CRQ), a discipline aimed at expressing cyber risk in monetary terms. Experts have long noted the limitations of technical scores like CVSS, which fail to account for business impact. CRQ frameworks provide a methodology for this, but practical, easy-to-use tools that automate the process have been slow to emerge. Evidence Scan appears to be a direct and pragmatic application of CRQ principles, designed for hands-on security teams rather than just risk analysts.

By focusing on the less than one percent of vulnerabilities that cause the vast majority of financial damage, the company aims to offer clarity rather than just more data. The goal is to empower security teams to measurably reduce financial risk, justify their actions to leadership, and ultimately make their organizations more resilient against the attacks that have the costliest consequences. Root Evidence is now inviting organizations to apply for its Enterprise Preview to experience this new approach firsthand.
