Built for UK public sector, CNI and nuclear. Built sovereign. Built deep. Built to defend you from the breach you didn't see coming.
You can spend £10m on perimeter security and still get owned through a vendor with a £49 SaaS account.
Every one of these started with a trusted third party:

- ~18,000 organisations compromised, including US federal agencies. Industry-wide remediation estimated north of $100bn.
- 1,500+ downstream businesses encrypted in a single weekend. Schools, dentists, supermarkets — collateral damage.
- 2,700+ organisations breached, 90m+ records exposed — BBC, BA, Boots, Ofcom, US DoE and multiple US states.
- Support session tokens stolen → attackers pivoted into 1Password, Cloudflare and BeyondTrust. Identity infrastructure weaponised.
- $872m Q1 hit to UnitedHealth. Pharmacy and claims offline for weeks. Data on roughly 1 in 3 Americans exposed.
- King's and Guy's & St Thomas' cancelled 10,000+ appointments. National blood appeal triggered. Patient harm reported.
None of these were exotic zero-days. All were preventable with proper supplier assurance.
Most public-sector teams aren't under-funded — they're under-staffed by an order of magnitude. A real, anonymised UK central-government department, 2026.
Two-axis criticality routes Tier-3/4 suppliers to a 30-minute self-attestation. Analyst time freed for the suppliers that matter.
Suppliers complete questionnaires themselves. No chase-ups, no emailed PDFs, no spreadsheet version control.
Multi-provider AI reads policies, certs and pen-test reports and extracts answers. Analysts review and sign off — they don't retype.
Built for HMG, CNI and regulated industries — not a US Fortune-500 tool with a UK skin.
205 questions, 21 domains, conditional logic, evidence tracking, follow-up branching.
Multi-provider — Anthropic, Azure OpenAI (UK), Groq, Google. Reads policies, certs, audit reports.
Suppliers complete, upload evidence and track progress. The end of email tag.
Auto-tier suppliers with two-axis scoring. Deep diligence where it actually matters.
Which suppliers are exposed to which threat actors and CVEs — mapped to MITRE ATT&CK.
Every gap becomes a tracked risk with owner, due date and treatment. Closure with audit trail.
BitSight-equivalent passive scanning — domain hygiene, certs, leaked creds, dark-web exposure.
Azure UK-South/West. Customer-tenant for OFFICIAL-SENSITIVE. Source escrow available.
We didn't ship a 50-question form and call it good. We engineered the depth UK regulators expect — then tailored it so every supplier only sees what applies.
Profile · criticality · applicability rules tailor every questionnaire — Tier-3/4 suppliers see ~30 questions; only Tier-1 / critical suppliers see the full depth.
Most TPRM tools ship a generic form. Ours maps to every framework you'll ever be audited against.
NCSC, NIST SP 800-161r1, ISO/IEC 27036-2 and DORA all describe a full third-party lifecycle. Most TPRM tools cover a third of it. We cover all six phases.
Same standards. 3.2× the coverage.
OneTrust, ServiceNow, BitSight, Risk Ledger, Vanta — benchmarked honestly.
| Capability | Generic US TPRM | E2E Risk Supplier Assurance |
|---|---|---|
| UK CAF / NIS / GovAssure | Bolt-on content pack, partial | Native, audit-ready |
| Question depth | ~50 generic questions | SAQ v30 — 205 Q, 21 domains |
| AI evidence extraction | Single proprietary model | Multi-provider, incl. Azure OpenAI UK |
| Data residency | US SaaS, US data | UK-South / UK-West, customer-tenant |
| OFFICIAL-SENSITIVE | Not designed for it | Air-gap-ready, customer-managed keys |
| Outside-in scoring | Separate, expensive add-on | Built-in threat-centre scanner |
| Pricing | $50–250k, supplier-count tiers | Modular, public-sector-friendly, G-Cloud |
The only TPRM platform on the UK market with a credible path from SaaS to fully-classified.
Risk Ledger · SIG · Vanta · OneTrust · BitSight are SaaS-only. None deploy on-prem. None go classified.
Built for the regulators you actually answer to — framework mapping & assurance evidence, not a certification claim.
Get supplier assurance you can prove, defend, and explain to a regulator at 6am on a Saturday.
We map your current supplier portfolio against tiers in one session.
Hands-on access to SAQ v30, AI extraction and the supplier portal.
Procurement-ready. We sit on the right frameworks and route accordingly.