What this covers.
Most breaches now arrive through someone else's network. We design and operate vendor risk programs that scale with your procurement velocity: risk-tiered onboarding, evidence-based assessments, and continuous monitoring of the few vendors that materially affect your operations or compliance.
What we test.
Comprehensive coverage across the categories that matter — combined manual and tool-assisted testing.
Vendor Inventory
Consolidated vendor list with data flow, criticality, and access mapping.
Risk Tiering
Tier 1–4 model based on data sensitivity, business impact, and access depth.
Due Diligence
Questionnaires, evidence review (SOC 2, ISO 27001, pen test reports, BCP).
Technical Validation
External posture review and targeted technical checks for tier-1 vendors.
Continuous Monitoring
Breach alerts, certificate expiry, external attack-surface drift, sanctions hits.
Contract & Exit
Security and exit-clause review; right-to-audit, breach notification, sub-processor controls.
How we run it.
A repeatable, well-documented process so your team always knows what's coming next.
Discover and consolidate vendors; map data, access, and dependencies.
Risk-rank using a defensible tiering model tied to business impact.
Right-sized due diligence per tier — evidence > questionnaires.
Continuous signals on critical vendors; quarterly reviews on the rest.
Findings remediation, contract enforcement, exit readiness.
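The tiering model and the "continuous signals on critical vendors, quarterly reviews on the rest" rule above can be expressed as a small triage routine. The following is an added illustration, not the firm's own model or tooling; the factor scales, the score-to-tier thresholds, the per-tier due-diligence mapping, the 30-day certificate warning window and the sample vendors are all assumptions constructed for the example.

```python
"""Vendor risk tiering and continuous-monitoring triage (illustrative example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Factor scales: assumed for this example, calibrate to your own program.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
BUSINESS_IMPACT = {"low": 0, "moderate": 1, "high": 2, "critical": 3}
ACCESS_DEPTH = {"none": 0, "read": 1, "write": 2, "privileged": 3}

# Minimum due diligence per tier (assumed mapping; evidence beats questionnaires,
# and only tier 1 gets targeted technical validation).
DUE_DILIGENCE = {
    1: "evidence review (SOC 2 / ISO 27001 / pen test / BCP) + technical validation",
    2: "evidence review (SOC 2 / ISO 27001 / pen test / BCP)",
    3: "questionnaire",
    4: "contract terms only",
}


@dataclass
class Vendor:
    name: str
    data_sensitivity: str
    business_impact: str
    access_depth: str
    # Continuous-monitoring signals; values are constructed in the demo below.
    cert_expiry: Optional[date] = None
    breach_alert: bool = False
    sanctions_hit: bool = False
    new_exposed_services: int = 0  # external attack-surface drift since last check


def risk_score(v: Vendor) -> int:
    """Additive score 0..9 over the three tiering factors."""
    return (DATA_SENSITIVITY[v.data_sensitivity]
            + BUSINESS_IMPACT[v.business_impact]
            + ACCESS_DEPTH[v.access_depth])


def tier(v: Vendor) -> int:
    """Map the score to Tier 1 (highest risk) .. Tier 4 (lowest).

    A single maxed-out factor (regulated data, critical impact or privileged
    access) floors the vendor at Tier 2 even if the other factors are low,
    so one dangerous attribute cannot be averaged away.
    """
    s = risk_score(v)
    t = 1 if s >= 7 else 2 if s >= 5 else 3 if s >= 3 else 4
    factors = (DATA_SENSITIVITY[v.data_sensitivity],
               BUSINESS_IMPACT[v.business_impact],
               ACCESS_DEPTH[v.access_depth])
    if max(factors) == 3:
        t = min(t, 2)
    return t


def monitoring_alerts(v: Vendor, today: date, cert_warn_days: int = 30) -> List[str]:
    """Evaluate the continuous-monitoring signals for one vendor."""
    alerts: List[str] = []
    if v.breach_alert:
        alerts.append("breach reported")
    if v.sanctions_hit:
        alerts.append("sanctions/watchlist hit")
    if v.cert_expiry is not None:
        days_left = (v.cert_expiry - today).days
        if days_left < 0:
            alerts.append(f"certificate expired {-days_left}d ago")
        elif days_left <= cert_warn_days:
            alerts.append(f"certificate expires in {days_left}d")
    if v.new_exposed_services > 0:
        alerts.append(f"attack-surface drift: {v.new_exposed_services} new exposed services")
    return alerts


def triage(vendors: List[Vendor], today: date) -> Dict[str, dict]:
    """Tier 1 vendors get continuous signal review; the rest go to quarterly review."""
    plan: Dict[str, dict] = {}
    for v in vendors:
        t = tier(v)
        plan[v.name] = {
            "tier": t,
            "due_diligence": DUE_DILIGENCE[t],
            "cadence": "continuous" if t == 1 else "quarterly",
            "alerts": monitoring_alerts(v, today) if t == 1 else [],
        }
    return plan


# Constructed sample inventory and a fixed "today" so the run is reproducible.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "regulated", "critical", "write",
           cert_expiry=date(2024, 6, 13), new_exposed_services=2),
    Vendor("iam-connector", "internal", "low", "privileged"),
    Vendor("analytics-tool", "confidential", "moderate", "read"),
    Vendor("office-catering", "internal", "low", "none"),
]

if __name__ == "__main__":
    for name, entry in triage(SAMPLE_VENDORS, SAMPLE_TODAY).items():
        print(f"{name:16} tier {entry['tier']}  {entry['cadence']:10} {entry['alerts']}")
```

The Tier 2 floor is the part worth copying: a vendor with privileged access but otherwise low scores (the `iam-connector` sample) must not be averaged down to a questionnaire-only tier.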
What you receive.
- Vendor inventory and tiering model
- Due-diligence questionnaire pack and review
- Per-vendor risk reports with remediation actions
- Continuous monitoring dashboard
- Contract and exit-clause review
- Annual program report for the board
Standards we map to.
Frequently asked.
Do you operate the program or just set it up?
Both. We can build the program and hand it over, or run it as a managed service with monthly intake and reporting.
Do you integrate with our procurement / GRC tool?
Yes — including OneTrust, ServiceNow, Archer, LogicGate, Vanta, Drata, Hyperproof, and SecurityScorecard.