Supply Chain Risk Manager

Know your suppliers before
they become your breach.

Risk Purview fuses what your suppliers say in their security questionnaire with what their infrastructure actually reveals — so you get an intelligence-driven, portfolio-wide view of third-party risk instead of a stack of self-attested PDFs.

What it does

Three capabilities, one portfolio view

Send, verify, track. Supply Chain Risk Manager blends questionnaire evidence, external intelligence and ongoing monitoring into a single Risk Purview score per supplier.

Questionnaire distribution

Send a branded, tokenised security questionnaire to every supplier — no login required, sanitised free-text comment fields, expiry-gated links.

  • 8 security domains, server-side scoring
  • Expiring secure links (7 / 30 / 90 days)
  • Supplier comments captured per question
  • Email delivery via trusted transport

Risk Purview

On-demand external verification of every supplier's attack surface, breach exposure, corporate footprint and domain hygiene — cross-checked against their own answers.

  • Attack-surface & exposed-port discovery
  • Credential breach intelligence
  • TLS certificate grading & expiry tracking
  • SPF / DMARC / DKIM domain hardening
  • Contradiction surfacing (says vs. shows)

Portfolio intelligence

Every supplier is re-scanned monthly and tracked over time. Phronesis, our AI risk advisor, summarises the shape of your whole portfolio in plain English.

  • Monthly automatic re-scan of every supplier
  • Trend sparklines & drift detection
  • Alert banner on regressions & new breaches
  • Phronesis AI narrative & remediation guidance

Independent verification signals

Evidence from beyond the questionnaire

Risk Purview draws on multiple industry-standard intelligence feeds to corroborate supplier claims and detect what a self-assessment can't show.

DNS intelligence
Attack surface discovery
Active CVE scanning (Tier 2)
Certificate transparency
Credential breach intelligence
Exposed password monitoring
Corporate register
TLS / SSL health
Domain hardening (SPF/DMARC/DKIM)

Signals are fused into a composite Risk Purview score (0–100) and checked against each supplier's questionnaire answers to surface contradictions between what they say and what their infrastructure reveals. Tier 2 subscribers additionally receive active CVE and misconfiguration scanning across the supplier's subdomains and exposed services.

Monthly drift detection

We tell you when something regresses

Every supplier in your portfolio is re-scanned automatically on the first of every month. If anything changes for the worse, you’ll see one of six alert types on the card — nothing else to check, nothing else to schedule.

New signal

New risk signal detected

A fresh weakness has appeared on the supplier's attack surface that wasn't present in the previous scan.

Severity escalation

Existing issue got worse

An issue we already knew about has jumped to a higher severity rank — typically from medium to high or critical.

Contradiction

New says-vs-shows contradiction

The supplier’s external evidence now contradicts something they claimed in their questionnaire answers.

Score drop

Risk Purview score dropped

The supplier's composite 0–100 score has fallen by 10 points or more since the last scan.

New breach

New credential breach reported

Credential breach intelligence has flagged new exposures for the supplier's domain since the previous scan.

Cert expiring

TLS certificate expiring soon

The supplier’s TLS certificate is due to expire in fewer than 30 days — renewal hasn’t been observed yet.
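The six alert types above are the result of diffing one month's scan against the previous one. As an added illustration (not Risk Purview's own code; the scan data model, the signal and breach identifiers and the supplier values are all constructed for the example), here is that diff written out in Python, using the thresholds the page states: a score drop of 10 points or more and a certificate expiring in fewer than 30 days.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Severity ladder used to decide whether an existing issue "got worse".
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
SCORE_DROP_THRESHOLD = 10       # "fallen by 10 points or more"
CERT_EXPIRY_WINDOW_DAYS = 30    # "due to expire in fewer than 30 days"


@dataclass
class Scan:
    """One Risk Purview scan of a supplier (hypothetical data model)."""
    scanned_on: date
    score: int                      # composite 0-100 score
    signals: Dict[str, str]         # signal id -> severity
    contradictions: Set[str]        # says-vs-shows contradiction ids
    breaches: Set[str]              # credential breach ids
    cert_not_after: Optional[date]  # TLS certificate expiry, if observed


def detect_drift(prev: Scan, curr: Scan) -> List[Tuple[str, str]]:
    """Return (alert_type, detail) pairs for everything that regressed."""
    alerts: List[Tuple[str, str]] = []

    # New signal / severity escalation: compare per-signal severities.
    for sid, sev in curr.signals.items():
        if sid not in prev.signals:
            alerts.append(("new_signal", f"{sid} ({sev}) absent from previous scan"))
        elif SEVERITY_RANK[sev] > SEVERITY_RANK[prev.signals[sid]]:
            alerts.append(("severity_escalation", f"{sid}: {prev.signals[sid]} -> {sev}"))

    # Contradiction: a says-vs-shows mismatch that was not there last month.
    for cid in sorted(curr.contradictions - prev.contradictions):
        alerts.append(("contradiction", cid))

    # Score drop: only a fall of the threshold or more is alert-worthy.
    drop = prev.score - curr.score
    if drop >= SCORE_DROP_THRESHOLD:
        alerts.append(("score_drop", f"{prev.score} -> {curr.score} (-{drop} pts)"))

    # New breach: exposures reported since the previous scan.
    for bid in sorted(curr.breaches - prev.breaches):
        alerts.append(("new_breach", bid))

    # Cert expiring: measured from the scan date, so an unrenewed cert keeps alerting.
    if curr.cert_not_after is not None:
        days_left = (curr.cert_not_after - curr.scanned_on).days
        if days_left < CERT_EXPIRY_WINDOW_DAYS:
            alerts.append(("cert_expiring", f"expires in {days_left} days"))

    return alerts


# Constructed sample: two consecutive monthly scans of a fictional supplier.
PREV = Scan(
    scanned_on=date(2024, 3, 1),
    score=74,
    signals={"open-rdp-3389": "medium", "tls-1.0-enabled": "low"},
    contradictions=set(),
    breaches={"breach-2021-a"},
    cert_not_after=date(2024, 4, 20),
)
CURR = Scan(
    scanned_on=date(2024, 4, 1),
    score=62,
    signals={"open-rdp-3389": "high", "tls-1.0-enabled": "low", "exposed-admin-panel": "medium"},
    contradictions={"q12-patching-claim-vs-known-cves"},
    breaches={"breach-2021-a", "breach-2024-b"},
    cert_not_after=date(2024, 4, 20),  # same cert as last month: no renewal observed
)


def example_alerts() -> List[Tuple[str, str]]:
    """Diff the constructed scans; every one of the six alert types fires."""
    return detect_drift(PREV, CURR)


if __name__ == "__main__":
    for kind, detail in example_alerts():
        print(f"{kind:20s} {detail}")
```

Two properties worth noting: an unchanged scan produces no alerts at all, which is what the page means by "emits alerts only when something has actually changed", and the certificate check is deliberately measured from the current scan date rather than against the previous scan, so a certificate that is never renewed keeps alerting until it is.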

A look inside the portfolio

Every supplier, at a glance

The portfolio renders one card per supplier with questionnaire risk, Risk Purview score, unacknowledged alerts, and a rolling sparkline of the last 12 scans.

Acme Cloud Services Ltd
security@acmecloud.example
🟡 Medium risk · Risk Purview 62 · 2 new alerts
Sparkline: ▼ 18 pts over 10 scans · worsening trend

Illustrative preview. Real supplier data appears only in the subscriber portfolio.

Related specialist assessments

Practitioner-grade deep dives

When supplier risk surfaces something that needs a closer look — an acquisition target, or your own SOC — SCH ships two practitioner-grade assessments alongside the core self-assessment bundle. Comparable to a Big 4 engagement, at a fraction of the price.

PE Cyber Due Diligence

IASME-aligned cyber due diligence for private equity deal teams — 70 questions across 14 themes, delivered in hours rather than weeks.

  • IASME tier rating & RAG deal-risk verdict
  • 14-axis radar + 100-day remediation plan
  • Phronesis deal-analysis narrative
  • Board-ready PDF export
Enquire about PE DD →

SOC Maturity & AI Readiness

Practitioner-led capability review for security leaders — 70 questions across 7 domains, with evidence capture and sector benchmarking.

  • 7-domain maturity scoring with evidence capture
  • AI readiness signals for SOC automation
  • Sector benchmarking vs peer SOCs
  • Phronesis practitioner analysis per domain
Enquire about SOC →

Common questions

Frequently asked

What exactly is Risk Purview?
Risk Purview is our external-verification layer. It probes each supplier’s domain against multiple intelligence feeds — attack-surface discovery, credential breach intelligence, certificate transparency, TLS grading, DNS hardening, and corporate register data — then fuses the findings into a single composite score (0–100) and cross-checks them against the answers the supplier gave in their questionnaire. Tier 2 subscribers additionally receive an active CVE and misconfiguration scan across the supplier’s subdomains and exposed services, surfacing exploitable vulnerabilities that passive feeds cannot detect. The output is a single picture of what the supplier says and what their infrastructure actually reveals.
How are Risk Purview scores calculated?
Each intelligence signal contributes weighted points into a composite 0–100 score, which is then classified as strong, moderate, weak or critical. Signals include exposed services, known vulnerabilities, breach exposures, certificate health, email-authentication posture, and corporate footprint. Contradictions between questionnaire answers and external evidence are surfaced separately so you can see at a glance where supplier claims don’t match reality.
How often are suppliers re-scanned?
Automatically on the first of every month. You can also trigger an on-demand scan from a supplier’s card at any time (subject to a short cooldown to respect upstream rate limits). The monthly sweep diffs every scan against the previous one and emits alerts only when something has actually changed.
Is any supplier data shared with third parties?
No. Your supplier list and questionnaire responses never leave your tenancy. Risk Purview queries upstream intelligence feeds using only the supplier’s public domain name; no personal or confidential data is transmitted. See our data privacy page for full details on what is stored, where, and for how long.
Can suppliers see each other’s responses?
No. Each questionnaire is issued under a unique, expiring token. Suppliers only see the questions you’ve sent them — they can’t discover other suppliers, other responses, or anything about your portfolio. Responses are only ever visible to you (the account owner) in the subscriber dashboard.
What happens if a supplier’s domain is private or parked?
Risk Purview will still run, but some signals — notably attack-surface discovery and TLS grading — may return no findings. The questionnaire-based risk score remains fully functional, and Phronesis will note the limited external visibility in its narrative analysis so you can factor it into your risk judgement.

Ready to see it running against your own suppliers?

Every plan includes questionnaire distribution, monthly Risk Purview re-scans, and Phronesis AI portfolio analysis. Choose the tier that fits your supply chain.

Tier 1
Up to 50 suppliers · passive Risk Purview
Tier 2
Up to 200 suppliers · active CVE scanning · custom questions
Enquire about a demo →
View data privacy →