Vendor risk classified across every external dimension.
Vendor questionnaires give you "yes, we have a security program" answers. Comprehensive Risk Assessments give you the actual external posture: which configurations are weak, which services are exposed, which CVEs are present, which certificates are expiring. Same risk-detection engine that runs internally, applied to every vendor in your portfolio.
Every vendor's external risk profile, structured and severity-tagged.
Continuous Monitoring captures the raw observables. Comprehensive Risk Assessments classify each observable into a risk category (configuration weakness, service exposure, vulnerability, certificate hygiene, DNS hygiene), assign severity (Critical / High / Medium / Low / Info), attach evidence, and map to relevant compliance frameworks.
Each vendor's findings roll up into a structured assessment view: total findings by severity, breakdown by risk category, comparison against industry baseline, trend over time. Useful for procurement reviews, board reporting, and vendor-management conversations that need defensible data behind them.
Three classification dimensions, one assessment per vendor.
By risk category. By severity. By compliance framework. The same observable can carry all three classifications at once, supporting any reporting view your team needs.
By risk category.
Configuration weaknesses (TLS misconfiguration, missing security headers), service exposure (unintended open ports, default service banners), vulnerabilities (CVEs detected via fingerprinting, ranked by EPSS + CISA KEV signal), certificate hygiene (expirations, weak issuers), DNS hygiene (zone exposure, unused records).
By severity.
Critical (immediate action), High (action this sprint), Medium (action this quarter), Low (track), Info (informational only). Severity tracks real-world exploit signal where applicable, not just theoretical CVSS.
By compliance framework.
Findings map to OWASP Top 10 (2021), PCI DSS 4.0, PCI DSS 3.2, HIPAA, CWE, CAPEC, and WASC. Useful for vendor compliance reviews, regulatory audits, and procurement-stage risk approvals.
What each vendor's assessment view contains.
Total findings by severity
Counts of Critical, High, Medium, Low, and Info findings on the vendor's external surface.
Breakdown by risk category
Configuration, exposure, vulnerability, certificate, and DNS findings split out for category-specific review.
Industry baseline comparison
How this vendor compares to others in their sector on each risk dimension.
Trend over time
Whether the vendor's posture is improving, stable, or degrading across recent reporting windows.
Top findings list
Highest-severity items currently open on the vendor, ranked for procurement-review focus.
Compliance gap mapping
Findings mapped to your audit framework, supporting compliance reviews and remediation tracking.
Assessments feed scoring and tracking.
Smart Third-Party Discovery surfaces vendors. Continuous Monitoring scans them. Comprehensive Risk Assessments structure the findings. Automated Risk Scoring rolls them into per-vendor and portfolio-level scores. Compliance Tracking maps everything to your compliance framework. The four sub-features are one workflow.
“Vendor questionnaires only tell us what the vendor is willing to claim. Continuous external assessments tell us the actual posture. The gap between the two has surprised both sides more than once.”
Explore the full platform.
See your entire attack surface. Act on what matters.
Continuous discovery and monitoring of every internet-facing asset, including subsidiaries and acquired companies.
CTI · CYBER THREAT INTELLIGENCE
See what’s exposed. Act before it’s exploited.
Dark-web monitoring, breach corpora, infostealer logs, and threat-actor activity tied to your organization.
BRP · BRAND RISK PROTECTION
Keep an eye on the internet. Protect your brand.
Lookalike domains, fake apps, fraudulent listings, and brand abuse caught in hours, not weeks.
TPRM · THIRD-PARTY RISK MANAGEMENT
Every third party carries risk. See all of it.
Continuous external monitoring of every approved vendor with the same depth as your own surface.
DSI · DEEP SEARCH AND INSIGHTS
Explore the entire internet. See every layer.
400M domains, 2B subdomains, 200B DNS records, 30B SSL certificates. All queryable directly.
See structured assessments for your real vendor portfolio.
Book a demo. We'll run assessments against your top vendors and walk through the procurement-review use case.