Catch vendors the moment reported posture stops matching reality.
Vendor Dual-Signal Risk Intelligence runs three layers — business criticality, assessed posture from questionnaires, and live external exposure — and fires Posture Divergence Detection when the gap exceeds threshold.
Vendor risk that knows when answers stop matching.
Three-layer scoring
Every vendor is scored across business criticality, assessed posture (questionnaire-based), and live external exposure (continuous monitoring). One unified score, three layers of context.
- Business criticality at onboarding
- Assessed posture from questionnaire responses
- Live external exposure from continuous monitoring
Posture Divergence Detection
When assessed posture and live exposure diverge beyond threshold, the parent risk record updates and a remediation task is generated — automatically. Severity tiered Minor / Moderate / Severe.
- Severity tiered Minor / Moderate / Severe
- Auto-updates parent risk record
- Auto-generates remediation tasks
Full vendor lifecycle
Onboarding, classification, assessment, monitoring, remediation, and offboarding — on the same data model as your internal controls. Vendor drift events update internal risk records.
- Onboarding to offboarding lifecycle
- Counter-back capped at 5 rounds
- Per-vendor RAG namespace isolation
Vendor Intelligence
Auto-enriched vendor profiles — funding stage, ownership, headcount, tech stack, news events, and security incidents. Stop chasing basic context across spreadsheets and procurement decks.
- Auto-enriched profiles from 12+ sources
- Funding, ownership, and parent company tracked
- Security incident + breach feed per vendor
Subcontractor Insights
Map your fourth-party dependencies. See which sub-processors your critical vendors rely on, where concentration risk really lives, and which fourth parties trigger cascading risk if disrupted.
- Fourth-party concentration analysis
- Sub-processor disclosure tracking (GDPR)
- Cascading risk visualization
Vendor questionnaire engine
Send security questionnaires vendors actually complete. Configurable templates (SIG, CAIQ, custom), AI-assisted vendor responses, automatic scoring against your criteria, and counter-back capped at five rounds.
- SIG, CAIQ, and custom templates
- AI-assisted vendor response (when they opt in)
- Auto-scored against your criteria
Three steps from setup to value.
Onboard vendors
Add vendors manually or via CSV. Set business criticality, assign owners, and route inherent risk for review. Tier assignment is auto-suggested by category and data sensitivity.
Assess + monitor
Send security assessments via a portal vendors actually use. Continuous external monitoring runs in parallel — no extra setup. Effy drafts findings as evidence comes in.
Catch divergence + remediate
When assessed posture and live exposure diverge beyond threshold, you get a tiered alert, the parent risk updates, and a remediation task is generated for the vendor.
"Posture Divergence Detection caught a Tier 1 vendor whose attack surface degraded six weeks before our next reassessment cycle would have surfaced it. That alone paid for the platform."
When the questionnaire and live exposure disagree, you find out first.
Three-layer scoring on every vendor — Business Criticality, Assessed Posture, and Live External Exposure. When the gap exceeds threshold, divergence fires automatically: the parent risk record updates, a remediation task is generated, and your owners get notified before the next reassessment cycle.
No competitor markets this today. Drata's Agentic TPRM evaluates vendor evidence against criteria but doesn't reconcile against live signals. Black Kite and Bitsight measure external posture but not assessed posture. We sit at the intersection.
Reported posture is strong (87) but live exposure degraded to 42. Reassessment fired automatically.