SOC2 CC9.2 / Vendor Risk / Concentration Risk / Deep Prototype

ThirdPartyRisk — Vendor Risk Scoring

Scores 22 seeded vendors across 4 risk dimensions: security posture (attestation + breach history), financial health, concentration risk (% of workload on this vendor), and data sensitivity. Composite drives review cadence — critical = quarterly, low = annual.


What it is

The shape behind a vendor risk management program. For every vendor: a score across 4 dimensions weighted into one number, the number maps to a review cadence, the cadence drives the calendar.

What’s in it

  • 22 seeded vendors spanning a realistic SaaS company's spend: AWS ($1.2M, critical concentration), Stripe ($380k, PCI L1 + 88% concentration), Salesforce ($198k), Snowflake ($420k), Auth0, SendGrid, Datadog, GitHub Enterprise, Cloudflare, 1Password (98% concentration on secrets), NetSuite, plus lower-tier vendors (janitorial, lease, contractors).
  • 4 risk dimensions with weighted composite:
    • Security posture (35%) — SOC2 / ISO27001 / HIPAA BAA attestations, breach history, security questionnaire results.
    • Financial health (20%) — runway, profitability, ownership stability. Smaller vendors with no public financials get higher risk.
    • Concentration risk (20%) — % of your stack/workload dependent on this single vendor. 1Password at 98%, AWS at 42%.
    • Data sensitivity (25%) — PII / PHI / PCI / source code exposed to vendor.
  • Risk levels — Critical (60+) / High (45-59) / Medium (30-44) / Low (<30). Each maps to review cadence.
  • Two seeded high-risk vendors worth surfacing: TinyAI Analytics Co (small vendor with no attestation, holds a sensitive event-stream sample) and Mercury Cloud Backups (small vendor holding encrypted customer-DB backups, no SOC2). Low spend keeps vendors like these off the review calendar, and that is exactly how they turn into breach surfaces.
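The scoring pipeline described above (four weighted dimensions, one composite, a level, a review cadence, a calendar date), as an added JavaScript example that is not the ThirdPartyRisk tool's own code. The weights and level thresholds are the ones the page lists; the dimension scores for each sample vendor are constructed for illustration, and the semi-annual (High) and annual (Medium) cadences are assumptions, since the page fixes only the Critical (quarterly) and Low (annual) ends of the scale.

```javascript
// Added example (not the ThirdPartyRisk page's own code): four weighted
// dimensions -> composite -> risk level -> review cadence -> next review date.
// Weights and thresholds are the page's; sample scores are constructed.

const WEIGHTS = { security: 0.35, financial: 0.20, concentration: 0.20, sensitivity: 0.25 };

// Thresholds from the page: Critical 60+, High 45-59, Medium 30-44, Low <30.
// Cadence: Critical = quarterly and Low = annual are from the page;
// High = 6 months and Medium = 12 months are assumptions.
const LEVELS = [
  { name: "Critical", min: 60, cadenceMonths: 3 },
  { name: "High",     min: 45, cadenceMonths: 6 },
  { name: "Medium",   min: 30, cadenceMonths: 12 },
  { name: "Low",      min: 0,  cadenceMonths: 12 },
];

// Guard the weight table itself: a typo that leaves the weights summing to
// 0.9 silently deflates every vendor below its real level.
function validateWeights(weights) {
  const sum = Object.values(weights).reduce((a, b) => a + b, 0);
  if (Math.abs(sum - 1) > 1e-9) throw new Error(`weights sum to ${sum}, expected 1`);
}

// Each dimension is scored 0 (no risk) to 100 (maximum risk).
function validateScores(scores) {
  for (const dim of Object.keys(WEIGHTS)) {
    const v = scores[dim];
    if (!Number.isFinite(v) || v < 0 || v > 100) {
      throw new RangeError(`dimension '${dim}' must be a number in [0, 100], got ${v}`);
    }
  }
}

// Weighted composite on the same 0-100 scale, rounded to a whole number.
function compositeScore(scores) {
  validateWeights(WEIGHTS);
  validateScores(scores);
  const total = Object.entries(WEIGHTS).reduce((acc, [dim, w]) => acc + w * scores[dim], 0);
  return Math.round(total);
}

// First level whose lower bound the composite reaches (LEVELS is descending).
function riskLevel(composite) {
  return LEVELS.find((l) => composite >= l.min);
}

// Add N months to an ISO date, clamping the day so Nov 30 + 3 months is
// Feb 28, not an overflow into March.
function nextReviewDate(lastReviewIso, months) {
  const d = new Date(lastReviewIso);
  const target = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + months, 1));
  const lastDay = new Date(Date.UTC(target.getUTCFullYear(), target.getUTCMonth() + 1, 0)).getUTCDate();
  target.setUTCDate(Math.min(d.getUTCDate(), lastDay));
  return target.toISOString().slice(0, 10);
}

// Score every vendor and return the calendar, highest composite first, so
// the small no-attestation vendors surface above the big-spend ones.
function reviewCalendar(vendors, lastReviewIso) {
  return vendors
    .map((v) => {
      const composite = compositeScore(v.scores);
      const level = riskLevel(composite);
      return { name: v.name, composite, level: level.name,
               nextReview: nextReviewDate(lastReviewIso, level.cadenceMonths) };
    })
    .sort((a, b) => b.composite - a.composite);
}

// Constructed sample scores (vendor names from the page, numbers are not).
const SAMPLE_VENDORS = [
  { name: "TinyAI Analytics Co",   scores: { security: 85, financial: 80, concentration: 5,  sensitivity: 70 } },
  { name: "Mercury Cloud Backups", scores: { security: 80, financial: 75, concentration: 10, sensitivity: 95 } },
  { name: "1Password",             scores: { security: 20, financial: 25, concentration: 98, sensitivity: 90 } },
  { name: "Janitorial Services",   scores: { security: 40, financial: 60, concentration: 2,  sensitivity: 5  } },
];

console.table(reviewCalendar(SAMPLE_VENDORS, "2024-01-15"));
```

The point the table makes is the one the page makes: the two small vendors land in Critical on security posture and financial health alone, while 1Password, with clean attestations, still reaches High purely on concentration and data sensitivity.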

Why this shape

Vendor risk management is one of the most outsourced compliance functions (to OneTrust, Vanta, Drata, Whistic), and the schema underneath those products is nearly universal: every program scores on essentially the same 4 dimensions. ThirdPartyRisk prototypes that schema directly, on one screen.

How it ships

Single HTML file, ~22KB. Zero dependencies. The 22-vendor catalog, 4-dimension scoring, composite risk math, and review-cadence mapping are 240 lines of vanilla JavaScript.

Open the tool →