A Bureau, not a platform.
Built to deliver a number you can defend.
Exposure Bureau is a US LLC consultancy that produces quantified digital-risk, market, and competitive metrics from public, indexed sources (and licensed partners on the roadmap). The product is a recurring combined report — weekly or monthly PDF + executive email digest — built around 12 indices and two headline scores (CXI and MPI) for security, risk, legal, cyber-insurance underwriting, M&A diligence, and strategy teams.
What we commit to before any individual index.
Decision-grade, not alert-grade
Most threat-intelligence platforms ship alert streams. Decision-makers — CISOs, underwriters, M&A diligence leads, CMOs — need numbers they can put in a board deck, a rating model, or a diligence memo. We ship one combined report: 12 comparable indices across exposure, market, and competitive layers, rolled into two headline scores — CXI and MPI — on a recurring cadence. That's the entire product surface.
Quantification over volume
We do not out-collect Recorded Future, Flashpoint, Intel 471, or KELA. We win on quantification: published formulas, peer-cohort benchmarks, audit-replayable methodology, signed evidence packages. Comparable across clients, defensible in front of a regulator.
Defensive posture only
Every collection source is enumerated. No invite-only forums. No vouched personas. No HUMINT. No participation in markets we observe. Public and low-cost sources today; licensed data partners (DarkOwl, SpyCloud, Constella, Flare) are on the roadmap, not yet contracted. The collection boundary is part of the math — see the published red lines on the homepage.
CISM-led methodology
The index methodology is led by a CISM-certified practitioner and versioned (v0.7 at time of writing). Every output carries the version it was computed under so an auditor with read access can independently replay any historical value.
How the operation is set up.
The compliance posture — DPA, security whitepaper, subprocessor list, retention policy — is published on /resources. The deletion path for GDPR Art. 17 / CCPA requests lives at /privacy/delete.
The clean negative space.
- ×We are not a law firm and do not provide legal advice. If a finding needs counsel, your counsel walks it from there.
- ×We are not a SOC. We do not investigate intrusions or do incident response. The recurring report informs your IR retainer; it does not replace it.
- ×We are not a generalist dark-web monitoring platform. One combined report — 12 indices and two composites, comparable across clients, on a recurring cadence — that is the product. Anything that drifts toward a SIEM-style alert stream is out of scope.
- ×We are not a takedown vendor. Our index outputs feed your existing takedown / registrar / DFIR stack. We rank the queue; we do not execute against it.
First cohort is open.
Six-month commitment, preferential terms, methodology input, quarterly roadmap review. Open to corporate security, risk, legal, underwriting, and corp-dev teams. Three to five logos.
Request a sample report →The math is published.
Before any conversation, the methodology page is the answer to most questions — formulas, source weighting, uncertainty bands, versioning, and red lines. The sample report shows what the recurring deliverable actually looks like.