Supply Chain Security. Map the blast radius beyond your walls.
Your security stops at your perimeter. Your risk does not. A vendor breach, a poisoned update, or a single provider everyone depends on can take you down through a door you do not own. We map that graph and watch it.
A yearly questionnaire tells you a vendor was secure when they filled it in. It says nothing about the provider that vendor depends on, or the breach they had last week. Third party risk is a graph, and most teams only see the first hop.
The biggest incidents now arrive through someone else: a compromised software update, a breached managed provider, an outage at a cloud region that four of your vendors quietly share. Regulators under DORA and NIS2 expect you to know and document this exposure. We build the map, find the concentration, and watch it continuously.
One breach, two hops away
We map who you rely on, who they rely on, and where those paths converge. The risk that hurts most is rarely a direct vendor. It is the fourth party several of them share.
Payments provider: Critical
CI/CD platform: High
Identity provider: Medium
Logistics partner: Medium
Concentration risk found. Three of your critical vendors run on the same cloud region. One regional outage takes all three down at once, and your questionnaire never asked.
Illustrative vendor graph for one organization, not a claimed result. Real maps depend on your vendor set and the data each one holds.
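The graph walk behind the illustration above, as an added example rather than the page's or VIGILE's own tooling: vendors carry a tier and a list of the providers they depend on, those providers may depend on others, and a provider that sits behind two or more of your vendors is flagged as a concentration. Every vendor, tier and provider name below is constructed for the example.

```python
"""Vendor dependency graph with a fourth-party concentration check.

Added example, not the page's or VIGILE's tooling. All vendor names, tiers and
fourth parties are constructed for illustration.
"""
from collections import deque

TIER_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed vendor set: the tier assigned in the Assess & tier step, and the
# providers each vendor is known to depend on (the first hop of the graph).
VENDORS = {
    "payments-provider": {"tier": "critical", "depends_on": ["cloud-eu-west", "idp-saas"]},
    "cicd-platform":     {"tier": "high",     "depends_on": ["cloud-eu-west", "artifact-registry"]},
    "identity-provider": {"tier": "medium",   "depends_on": ["cloud-eu-west"]},
    "logistics-partner": {"tier": "medium",   "depends_on": ["cloud-us-east"]},
}

# Constructed fourth-party edges: providers can themselves depend on providers.
FOURTH_PARTIES = {
    "idp-saas": ["cloud-eu-west"],
    "artifact-registry": ["cloud-us-east"],
    "cloud-eu-west": [],
    "cloud-us-east": [],
}


def transitive_dependencies(vendor, vendors=VENDORS, fourth_parties=FOURTH_PARTIES):
    """Every provider reachable from `vendor`: third, fourth and nth parties.

    Breadth-first walk with a visited set, so cycles between providers terminate.
    """
    seen = set()
    queue = deque(vendors[vendor]["depends_on"])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(fourth_parties.get(node, []))
    return seen


def blast_radius(provider, vendors=VENDORS, fourth_parties=FOURTH_PARTIES):
    """Vendors in your set that are hit if `provider` fails, highest tier first."""
    hit = [v for v in vendors if provider in transitive_dependencies(v, vendors, fourth_parties)]
    return sorted(hit, key=lambda v: (-TIER_RANK[vendors[v]["tier"]], v))


def find_concentration(vendors=VENDORS, fourth_parties=FOURTH_PARTIES, min_shared=2):
    """Providers that sit behind at least `min_shared` of your vendors.

    Returns (provider, affected_vendors, highest_tier) tuples, ordered by the
    highest tier the provider can take down, then by how many vendors share it.
    """
    providers = set(fourth_parties) | {p for v in vendors.values() for p in v["depends_on"]}
    findings = []
    for provider in providers:
        hit = blast_radius(provider, vendors, fourth_parties)
        if len(hit) >= min_shared:
            highest = max(hit, key=lambda v: TIER_RANK[vendors[v]["tier"]])
            findings.append((provider, hit, vendors[highest]["tier"]))
    findings.sort(key=lambda f: (-TIER_RANK[f[2]], -len(f[1]), f[0]))
    return findings


if __name__ == "__main__":
    for provider, hit, tier in find_concentration():
        print(f"{provider}: shared by {len(hit)} vendors, highest tier {tier}: {', '.join(hit)}")
```

Run as-is, the constructed data reports `cloud-eu-west` shared by three vendors including the critical one, and `cloud-us-east` shared by two; neither is a direct vendor, which is the point of walking past the first hop. In practice the edges come from subprocessor lists, contracts and the live signals the page describes, and the graph needs re-walking whenever one of them changes.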
From onboarding to off-boarding, watched throughout
Vendor risk is not a once-a-year form. We treat it as a continuous program across the whole relationship.
Discover & map
Build the graph of vendors, the data each holds, and the fourth parties behind them.
Assess & tier
Rank each vendor by the access and data they hold, so effort follows real exposure.
Monitor continuously
Watch for breaches, new exposures, and posture changes across the vendor set in real time.
Respond & off-board
Act when a vendor is hit, and cut access cleanly when a relationship ends.
The judgment and the telemetry, together
Questionnaires capture intent. Live signals capture reality. We run both and reconcile them, so a clean form sitting on top of a fresh breach does not slip through.
Governance and judgment
- Vendor tiering by data access and business criticality
- Due diligence and contract security review
- Concentration and single-source risk analysis
- DORA and NIS2 third party reporting
Live monitoring and signal
- Continuous external posture scoring of every vendor
- Breach and exposure alerting across the vendor set
- Software supply chain checks, including SBOM review
- Integration with your procurement and ticketing stack
Where supply chain security sits in VIGILE
Identify the dependencies, Enhance the program
Supply chain work runs through the Identify and Enhance motions of VIGILE, mapping the dependency graph and then keeping it current as vendors change. It pairs with Third Party Cyber Risk for the governance side and feeds the iTDC when a vendor incident becomes your incident.
See Third Party Cyber Risk ›
Top 10 questions, frequently asked
They are two layers of the same problem. Third Party Cyber Risk is the governance and advisory work: tiering vendors, reviewing contracts, and reporting to regulators. Supply Chain Security is the technical execution layer that maps the dependency graph and monitors every vendor's live posture. We run them together, so the judgment in the questionnaire is checked against what the signals actually show.
It is the risk from your vendors' vendors. A provider you trust may depend on a cloud region, a library, or a subprocessor you never see. When several of your vendors quietly share the same one, a single failure there hits you through multiple doors at once. Mapping fourth parties is how concentration risk becomes visible, and it is the part a standard questionnaire misses.
No. Questionnaires still capture useful intent and contractual commitments. We add the live layer around them: continuous external scoring, breach alerting, and the dependency map. When a vendor's answers and their real posture diverge, you see it, rather than trusting a form that was accurate the day it was signed.
Both place clear obligations on managing and documenting third party and ICT supplier risk, including concentration risk. The dependency map, vendor tiering, and continuous monitoring produce exactly the register and evidence those regimes expect, kept current rather than assembled in a rush before an audit.
We alert you with the context that matters: what data that vendor holds, what access they have, and which of your systems sit on the path. Where it becomes your incident, the signal feeds the iTDC and Incident Response steps in. The map means you are reacting with a clear picture rather than scrambling to work out your exposure mid-event.
A parts list for your software: every component and dependency, so when the next major vulnerability lands you can answer the only question that matters (are we exposed?) in minutes instead of weeks.
Yes. Build integrity is half the practice: signed artifacts, protected pipelines, and provenance checks so what ships is what was built, by you.
New dependencies are checked on entry, existing ones are watched for new vulnerabilities and hijacks, and findings route to owners with context through the same triage discipline as everything else.
By repository and dependency footprint, starting with a fixed-scope software supply chain assessment.
Identify maps the components and build paths, Guard hardens them, Implement watches them continuously, and evidence reports through Enhance.
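The "are we exposed?" lookup from the SBOM answer above, as an added example and not the page's or VIGILE's own tooling. It reads a minimal CycloneDX-style JSON document, matches components against an advisory by package name and Package URL ecosystem, and compares versions against the affected range. The SBOM contents, the package name `examplelib` and the advisory ID are all constructed placeholders, not a real vulnerability.

```python
"""Answer "are we exposed?" from a CycloneDX-style SBOM.

Added example, not the page's or VIGILE's tooling. The SBOM, the package name
and the advisory below are constructed placeholders, not a real vulnerability.
"""
import json
import re

# Constructed, minimal CycloneDX 1.5 JSON document (only the fields used here).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.3.9",
     "purl": "pkg:pypi/examplelib@2.3.9"},
    {"type": "library", "name": "examplelib", "version": "2.4.1",
     "purl": "pkg:npm/examplelib@2.4.1"},
    {"type": "library", "name": "otherlib", "version": "1.0.0",
     "purl": "pkg:pypi/otherlib@1.0.0"}
  ]
}
"""

# Constructed advisory: ecosystem, package, and the half-open affected range
# [introduced, fixed). The ID is a placeholder, not a real identifier.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "ecosystem": "pypi",
    "package": "examplelib",
    "introduced": "2.0.0",
    "fixed": "2.4.0",
}


def parse_version(version):
    """Leading dotted-numeric part of a version as a tuple: "2.3.9-rc1" -> (2, 3, 9).

    Pre-release suffixes are ignored, which is a simplification; real
    ecosystems each have their own ordering rules.
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def purl_ecosystem(purl):
    """Package URL type is the ecosystem: "pkg:pypi/examplelib@2.3.9" -> "pypi"."""
    m = re.match(r"pkg:([^/]+)/", purl or "")
    return m.group(1) if m else None


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def exposed_components(sbom_json, advisory):
    """Package URLs of SBOM components that fall inside the advisory's range.

    Matching on name alone is not enough: the npm and PyPI "examplelib" are
    different packages, so the ecosystem from the purl must match too.
    """
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != advisory["package"]:
            continue
        if purl_ecosystem(comp.get("purl")) != advisory["ecosystem"]:
            continue
        if is_affected(comp["version"], advisory["introduced"], advisory["fixed"]):
            hits.append(comp.get("purl") or f"{comp['name']}@{comp['version']}")
    return hits


if __name__ == "__main__":
    for purl in exposed_components(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['id']}: exposed via {purl}")
```

On the constructed data only the PyPI `examplelib` at 2.3.9 is reported; the npm package of the same name is skipped because its ecosystem differs, and 2.4.0 itself is not affected because the range is half-open at the fix. Real advisory feeds carry several ranges per package and ecosystem-specific version semantics, so a production check should take the range logic from the feed rather than from a tuple comparison like this one.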
Related work
Third Party Cyber Risk
The governance and advisory layer that pairs with the technical map.
Learn more ›
Cyber Resilience & Continuity Validation
Rehearse the supply chain compromise scenario before it happens.
Learn more ›
Continuous Threat Exposure Management
Extend exposure prioritization across the vendor attack surface.
Learn more ›
Know your exposure before your vendor's bad day becomes yours
Book a session with a Principal Engineer. We map your vendor graph, surface the concentration risk, and show you the dependencies worth watching.