
Scrut innovations: November 2025 snapshot

Last updated on December 8, 2025

In November, we rolled out updates that significantly enhance the efficiency and precision of your compliance program, making it easier to manage risk, simplify multi-entity management, and streamline vendor evaluation.

Here’s what’s new this month:

  • Advanced risk scoring models: Handle complex scoring models with MAX, MIN, and conditional logic.
  • Enhanced multi-entity audit support: Granular control over entity-specific trust views and access requests.
  • Streamlined vendor management: Simplified onboarding of prospective vendors, with Scrut pre-populated as a vendor.
  • Self-serve VAPT: Submit VAPT targets directly in Scrut.
  • Frameworks coverage: New support for HITRUST CSF i1, HITRUST CSF e1, and TISAX v6.0.3.
  • New integrations: Expanded Access Review integrations and HRIS integration.

Handle complex risk scores without spreadsheets

Many risk teams already use nuanced scoring models, but traditional GRC tools only support simple arithmetic formulas. That makes it hard to model complex scoring in the product, so “real” scores often move to offline spreadsheets, adding manual work, inconsistent prioritization, and a risk register that doesn’t fully reflect how your organization measures risk.

To fix this, we’ve introduced Advanced Risk Scoring in our Risk Management solution. Now, risk and GRC teams can design scoring models that are as simple or as sophisticated as they need, using MAX, MIN, and IF–THEN logic directly in Scrut.

  • Use Max scoring when the highest factor should decide the score: Configure a Maximum method so the overall risk score is determined by the highest contributing factor, helping you avoid understating risk when any one factor is critical.
  • Use Min scoring when all factors must meet a bar: Configure a Minimum method so the overall score reflects the lowest contributing factor, making it easier to model risks where every underlying dimension needs to be strong before you downgrade severity.
  • Use Conditional Logic for rule-based scoring: Apply Conditional (IF/THEN) logic to encode your own scoring rules directly in Scrut, so specific combinations of inputs always result in consistent, predictable scores.

To explore how advanced risk scoring in Scrut works, read this blog.

Run clean, entity-specific audits without cross-entity noise

This update fixes one of the biggest pain points for multi-entity customers, so that audits finally reflect the right entity, without unrelated evidence or controls creeping in. For example, previously, a US ISO 27001 audit could still pull in controls and evidence from an Indian entity, leading to incorrect control status, noisy audit metrics, and cross-entity data leakage. Teams then had to manually filter findings and evidence just to get an accurate picture for one entity.

With enhanced multi-entity audit support, you can:

  • Keep audits strictly within entity boundaries: When you create an audit for a specific entity, only controls and artifacts belonging to that entity (plus org-wide items) are shown. Controls or evidence tagged to other entities no longer appear in the wrong audit.
  • Trust your audit metrics and reports: Control status and audit-readiness percentages are now calculated only from entity-scoped evidence. Audit reports show artifacts and controls relevant to the selected entity or org-wide scope, giving you accurate, entity-pure reporting.
  • Keep findings and requests aligned to scope: During the audit, findings and requests can only be created for the audit’s entity, so reviewers can’t accidentally raise issues against the wrong entity. This keeps the audit trail clean and aligned to the defined scope.

If you’re preparing for an upcoming audit, Scrut can help you get audit-ready across 60+ out-of-the-box frameworks, even in multi-entity environments. Book a demo to see how we can reduce the back-and-forth and help you reach the audit finish line with less hassle.

Make vendor onboarding more structured and transparent

Vendor onboarding includes evaluating multiple vendor prospects before approval. However, tracking this evaluation process can be challenging. Previously, there wasn't a clear way to distinguish between a vendor under review and an actively engaged vendor.

To solve this, we've introduced a Prospective Vendor status, which gives your team clear visibility into which vendors are active and which are still under evaluation.

What's new in Vendor Management:

  • Designate prospective vendors: When adding a vendor (manually, via an intake form, or from an integration), you can now select the Vendor Status as Prospective (under review for potential engagement) or Active (currently engaged and providing services). Prospective vendors get a distinct icon so you can see at a glance who is still under evaluation.
  • Track workflows for prospective vendors: You can perform necessary evaluation workflows for prospective vendors, such as sending out questionnaires, collecting documents, and tracking mitigation tasks, similar to an active vendor.
  • Seamless status change: Easily convert a Prospective Vendor to an Active Vendor (and vice versa) once the evaluation is complete.
  • Start with Scrut pre-populated as a vendor: Every new account now comes with Scrut Automation already added as a vendor, including key attributes like category, tier, inherent risk, and links to Trust Vault documentation. This entry is fully editable and behaves like any other vendor.

Want more control over vendor risk? Scrut helps you manage third-party risk end-to-end and keep your vendor ecosystem continuously compliant. Book a demo to see it in action.

Kick off VAPT projects faster, right inside Scrut

Until now, starting a Vulnerability Assessment and Penetration Testing (VAPT) project meant juggling emails, clarifying what to share, waiting for your CSM to coordinate, and tracking details across scattered threads. This slowed down the project kickoff and increased the chances of missing or inconsistent information.

Now, if you use our VAPT service, you can submit everything directly inside Scrut, which is fast, structured, and completely traceable.

With the new VAPT onboarding workflow, you can: 

  • Submit VAPT target details directly in the platform: Add web apps, mobile apps, APIs, networks, and source code as targets from a single “Manage VAPT” section under Settings (visible for customers using Scrut’s VAPT service).
  • Use guided, purpose-built forms for each target type: Capture exactly the details the VAPT team needs with structured forms tailored to each kind of target, so there’s less back-and-forth on what to share.
  • Manage all VAPT information in one place: You now have a single, organised space to view, update, and track all VAPT targets, with no more relying on scattered emails.

This self-serve process means faster VAPT kickoff, no back-and-forth clarification, better visibility and collaboration with your team, and significantly less coordination overhead.

New frameworks supported in Scrut

We’ve expanded our framework coverage so you can manage more industry and customer requirements in one place. Here’s what's new: 

  • HITRUST CSF i1: Supports the moderate assurance level report, validating that essential security controls are actively implemented. It manages the full i1 scope and allows for control alignment and inheritance from existing frameworks, offering an efficient alternative to the r2 assessment.
  • HITRUST CSF e1: Provides a minimum assurance level focused on foundational controls, offering a less resource-intensive option for demonstrating basic cybersecurity hygiene and meeting common vendor qualification requirements.
  • TISAX v6.0.3: Supports the current iteration of the TISAX standard, which is mandatory for organizations in the automotive supply chain. It allows you to easily scope and manage the specific modules (e.g., Prototype Protection, Data Protection) required by your automotive partners.

Explore the Scrut Frameworks Library for our 60+ out-of-the-box frameworks, or talk to us about setting up a custom one for your program.

New and updated integrations

We’ve added key integrations to deepen access review capabilities and broaden HRIS coverage, ensuring your continuous compliance workflows are robust and comprehensive.

Access reviews:

  • Phished: Monitor user access and roles within the Phished platform.
  • Bitbucket: Gain centralized visibility into user permissions and roles across Bitbucket.
  • Kolide: Track and verify user access within your Kolide environment.
  • Linear: Review and manage user roles and access rights in Linear.
  • MongoDB: Centralize oversight of user access and permissions for MongoDB.
  • Fivetran: Easily monitor and review user access in Fivetran.
  • Freshdesk: Maintain a clear record of user roles and permissions within Freshdesk.

HRIS:

  • Paycom HR: Automatically sync employee data and changes from Paycom HR to keep your user and access records accurate.

To see the entire suite of integrations supported by Scrut, explore it here.
