Not an event. Not a report. A methodology that runs continuously, with re-entry triggers when conditions change.
Before any external data is collected, we capture the operational knowledge that already exists inside your organisation but has never been written down. Which vendors would stop operations tomorrow? Who has system access nobody formally tracks? Where do contracts lack audit rights? This is the foundation everything else is built on.
Every stage feeds the next. Stage 5 monitoring re-triggers Stage 3 or Stage 4 when a signal crosses threshold: acquisition, breach, regulatory change, ownership shift. The cycle never fully closes.
We track the indicators that reveal what a vendor’s own answers would not: signals that are observable without requiring cooperation and that change before problems surface.
Attack surface is observable before an incident. Gaps in how a vendor maintains their own security boundary are signals, not speculation.
Who ultimately controls a supplier, and through which jurisdictions, determines whether their compliance obligations and yours align.
A vendor entering financial distress is an operational risk regardless of how well they patch their systems.
Where a vendor operates, develops, and processes data shapes the risks they carry: risks that no questionnaire will surface.
Patterns in public record (enforcement actions, litigation, regulatory attention) indicate how a vendor operates under pressure.
How replaceable a vendor is, and how many of your critical processes they touch, determines the consequence of failure, not just its likelihood.
Regulations evolve. Countries enter restricted lists. Technology categories fall under new export controls or supervisory frameworks. We track how the regulatory landscape shifts and flag when a vendor’s jurisdiction, product, or sector moves into higher-risk territory.
When a single vendor, or a small cluster of vendors, underpins multiple critical processes simultaneously, the systemic exposure exceeds what any individual vendor assessment would reveal.
The risk inside a vendor’s own supply chain (who they depend on, where their critical components originate) is rarely visible from the outside. We map it where it matters most.