Third-Party Risk Management
Vendor security assessments, questionnaire automation, risk scoring
View the interactive project page →
Third-Party Risk Management
Part of the worlds-biggest-software-project initiative.
An AI-native platform for continuous vendor security assessment, questionnaire automation, and risk scoring that replaces slow, spreadsheet-driven third-party risk processes with intelligence-driven monitoring.
Third-Party Risk Management (TPRM) software helps organisations evaluate, monitor, and manage the security, compliance, and operational risks introduced by vendors, suppliers, and external partners. This project targets security teams, GRC professionals, and procurement leaders who need to move beyond annual point-in-time questionnaires toward continuous, automated vendor risk visibility — without enterprise-tier pricing.
Why Third-Party Risk Management?
- Questionnaire fatigue is an industry-wide problem. Vendors interact with dozens of customers' TPRM platforms and fill out near-identical questionnaires repeatedly. No incumbent offers a vendor-maintained, reusable security profile that works across customers at the protocol level.
- Enterprise pricing locks out mid-market buyers. BitSight, SecurityScorecard, and OneTrust target large enterprises; mid-market organisations lack an accessible platform combining scoring, questionnaire management, and compliance mapping.
- Outside-in scoring has blind spots. SecurityScorecard and BitSight rely on passively observed external signals that miss internal misconfigurations, insider threats, and risks at small or private companies with limited internet-facing infrastructure.
- Questionnaire and scoring are siloed. Most platforms excel at either questionnaire management or continuous scoring, but not both. UpGuard's evidence validation (cross-referencing vendor claims against live data) is the exception, not the norm.
- Regulatory pressure is accelerating. DORA enforcement (2025), NIS2, and updated SEC disclosure rules have elevated supply chain risk to a board-level concern, yet pre-built regulatory compliance workflows remain fragmented across vendors.
Key Features
Vendor Inventory and Tiering
- Structured register of all third parties with criticality tiering (tier 1, 2, 3) and data-access classification
- Tiering determines assessment depth: full questionnaire and audit for tier-one vendors, automated scoring only for tier-three
- Vendor comparison with side-by-side risk profiles for procurement evaluation
Questionnaire Automation
- Built-in support for standard frameworks: SIG, CAIQ, NIST SP 800-171
- Automated distribution, chasing, follow-up reminders, and response tracking dashboard
- AI-assisted response analysis that flags inconsistencies between vendor claims and observed external data
- Automated questionnaire pre-filling using vendor's publicly available security documentation
Continuous Risk Scoring and Monitoring
- External risk scoring derived from open ports, SSL/TLS health, DNS configuration, dark web exposure, patch cadence, and breach history
- Real-time alerts when a vendor's score changes materially between assessment cycles
- Predictive risk flagging using ML models trained on historical incident data, financial stress indicators, and technology stack vulnerability trends
Compliance and Audit
- Pre-built compliance mappings for ISO 27001, SOC 2, GDPR, DORA, NIS2, HIPAA, and FFIEC
- Complete audit trail of all assessments, decisions, and remediation actions for regulatory examination
- Executive summary and board-level reporting with risk aggregation and trend charts
Remediation and Vendor Portal
- Collaborative vendor portal for evidence upload, finding response, and remediation tracking
- Integration with ticketing systems (Jira, ServiceNow) for remediation task routing
- Risk waivers with formal exception management and approval trails
- Vendor security profile sharing system allowing vendors to reuse assessments across multiple customer requests
AI-Native Advantage
AI capabilities differentiate this platform from incumbent tools in four areas: predictive risk flagging that identifies vendors approaching elevated risk before a security event occurs (based on financial stress, leadership changes, and vulnerability trends); natural-language risk narratives that explain multi-factor risk assessments in plain English; automated questionnaire pre-filling from publicly available vendor documentation to reduce response burden; and LLM-powered contract clause extraction that identifies inadequate security provisions in vendor MSAs and DPAs. These capabilities move TPRM from reactive assessment to proactive, explainable risk intelligence.
Tech Stack & Deployment
The platform should support self-hosted and cloud deployment modes to accommodate organisations with data residency requirements. Questionnaire framework support is built on publicly available standards (SIG, CAIQ, NIST SP 800-171) with no patent barriers. External risk scoring can integrate with existing data providers (SecurityScorecard, UpGuard APIs) initially, with the option to build proprietary data collection infrastructure over time. Integration points include REST APIs for programmatic access, native connectors for ServiceNow, Jira, and SIEM platforms (Splunk, Microsoft Sentinel), and notification channels via Slack and Microsoft Teams.
Market Context
TPRM sits at the intersection of cybersecurity and governance, risk, and compliance (GRC), a market Gartner covers under "IT Vendor Risk Management Solutions." Growing regulatory pressure from DORA, NIS2, and SEC disclosure rules has made supply chain risk a board-level priority. Incumbent pricing is enterprise-oriented — BitSight and SecurityScorecard target large financial services and government buyers — leaving a gap for a mid-market platform that combines scoring, questionnaire management, and compliance mapping at accessible pricing. The primary cost barrier to entry is building or licensing the external threat intelligence data collection network that underpins continuous risk scoring.
Project Status
This project is in the research and specification phase. Contributions, feedback, and domain expertise are welcome.
Contributing
We welcome contributions from developers, domain experts, and potential users. See CONTRIBUTING.md for guidelines.
Important: All contributions must be your own original work or clearly attributed open-source material with a compatible licence. Copyright infringement and licence violations will not be tolerated and will result in immediate removal of the offending contribution. If you are unsure whether a piece of code, text, or other material is safe to contribute, open an issue and ask before submitting.
Licence
Licence to be determined. See discussion for context.