Your third parties' real posture.

FortaRisks observes your suppliers' and partners' real posture continuously: attack surface, sector CTI signals, declared framework alignment. You see drift before the incident.

The annual questionnaire doesn't tell you what's actually happening.

Your third parties answered your questionnaire in March. In September, their TLS certificate expired, a new port opened on their public API, one of their subdomains was hijacked. You learn about it in November, after the incident, in next year's report. FortaRisks changes that mechanic. We observe what your third parties actually expose, continuously, with no upfront cooperation required.

Three capabilities. One continuous third-party posture.

From first third party added to first alert: 7 days.

No black box. Each third-party score is decomposable into its dimension contributions.

Three real-world scenarios. Three measurable outcomes.

Case 1

Finance (DORA, OSFI B-13)

A Canadian bank with 1,200 employees, 60 critical ICT suppliers (cloud, SaaS, managed services). DORA audit imminent. Before FortaRisks: DORA questionnaires sent in March, 60% return rate, variable quality, usable in September. With FortaRisks TPRM: 60 suppliers onboarded in 5 days. Initial score for 100% of third parties in under 7 days. Continuous detection of TLS degradation, newly exposed ports, critical CVEs on Internet-facing services. DORA report generated in 1 day, continuous evaluation evidence exportable.

Case 2

Healthcare (Loi 25, HDS, targeted ransomware)

A Quebec clinic group, 800 employees, 25 suppliers handling personal health information (PHI). Historic ransomware target. Before FortaRisks: no continuous visibility on supplier posture, reliance on their Loi 25 declaration. With FortaRisks TPRM: continuous observation of 25 critical suppliers. Automatic detection of a supplier whose subdomain was hijacked via subdomain takeover (unconfigured Webflow), 48 hours after the event. Action: access suspended in 24 hours, contractual negotiation activated.

Case 3

Manufacturing OT

A 1,500-employee manufacturer, 12 sites, 80 suppliers including 15 OT suppliers (automation, sensors, supervision). Before FortaRisks: zero visibility on the OT surface exposed by suppliers (accidentally exposed Modbus / S7 on the Internet). With FortaRisks TPRM: native OT/ICS scanner applied to the 15 OT suppliers. Detection of a sensor supplier's Siemens S7 accessible on the Internet via NAT misconfiguration. Notification to the supplier. Correction in 72 hours. No incident.

TPRM is not a silo. The other 4 pillars feed it.

Continuous TPRM only has value because the other 4 pillars exist. That's what distinguishes it from a standalone TPRM product (BitSight, SecurityScorecard) or a TPRM module added to a GRC (OneTrust). Each pillar feeds a different dimension of third-party observation.

EASM → TPRM

The 100+ EASM finding types are applied to each third party's perimeter. The native OT/ICS scanner is applied to industrial suppliers. The subdomain takeover detection engine on 83 services is applied to third-party exposed assets. No additional ingestion cost.

CTI → TPRM

The 50+ aggregated CTI sources and 1,500+ tracked actors are filtered by third-party industry sector. If BlackBasta targets the healthcare sector and one of your healthcare suppliers has an exposed critical CVE, you see it immediately, before the attack.

Posture → TPRM

The 1,342 SCF controls mapped across 16+ frameworks serve as a reference for alignment drift. If a third party declares SOC 2, FortaRisks observes external signs of that alignment (TLS, MTA-STS, security headers) and alerts on drift vs declaration.

AI Risk Engine → TPRM

The third-party score contributes to your organization's overall risk score. Cross-pillar prioritization takes your third parties into account: a critical CVE on one of your critical third parties is prioritized over a medium CVE on one of your unexposed direct assets.
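The decomposable score and the drift logic described in the Posture and AI Risk Engine sections above, as an added illustration that is not FortaRisks' code: the dimension weights, penalty values, finding names and the mapping of a SOC 2 declaration to external signs are all assumptions made for this example.

```python
# Added illustration, not FortaRisks code: a third-party score decomposable per
# dimension and per finding, scan-to-scan drift, and drift versus a declared framework.
# Weights, penalties, finding names and the SOC 2 sign mapping are assumptions.
DIMENSION_WEIGHTS = {"Surface": 0.5, "CTI": 0.3, "Frameworks": 0.2}
# finding type -> (dimension it belongs to, penalty on that dimension's 0-100 score)
FINDING_TYPES = {
    "tls_expired":        ("Surface", 40),
    "new_open_port":      ("Surface", 10),
    "subdomain_takeover": ("Surface", 50),
    "critical_cve":       ("Surface", 50),
    "sector_targeted":    ("CTI", 30),
    "mta_sts_missing":    ("Frameworks", 20),
    "hsts_missing":       ("Frameworks", 10),
}
# External signs a declared framework should exhibit (assumed mapping, for illustration).
DECLARATION_SIGNS = {"SOC 2": {"tls_expired", "mta_sts_missing", "hsts_missing"}}

def dimension_scores(findings):
    """0-100 per dimension: 100 minus the penalties of that dimension's findings, floored at 0."""
    scores = dict.fromkeys(DIMENSION_WEIGHTS, 100)
    for f in findings:
        dim, penalty = FINDING_TYPES[f]
        scores[dim] = max(0, scores[dim] - penalty)
    return scores

def overall_score(findings):
    """Weighted sum of the dimension scores, rounded to an integer."""
    scores = dimension_scores(findings)
    return round(sum(scores[d] * w for d, w in DIMENSION_WEIGHTS.items()))

def contributions(findings):
    """Per-finding contribution to the overall score (negative points), so nothing is a black box."""
    return {f: -FINDING_TYPES[f][1] * DIMENSION_WEIGHTS[FINDING_TYPES[f][0]] for f in findings}

def drift(previous, current):
    """Findings that appeared since the previous scan, and findings that were remediated."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))

def declaration_drift(declared, findings):
    """Findings that contradict the third party's declared framework alignment."""
    return sorted(DECLARATION_SIGNS.get(declared, set()) & set(findings))

# Constructed snapshots mirroring the March/September scenario described on this page.
MARCH = ["hsts_missing"]
SEPTEMBER = ["hsts_missing", "tls_expired", "new_open_port", "subdomain_takeover"]

if __name__ == "__main__":
    appeared, fixed = drift(MARCH, SEPTEMBER)
    print("new since March:", appeared, "| remediated:", fixed)
    print("score:", overall_score(SEPTEMBER), dimension_scores(SEPTEMBER), contributions(SEPTEMBER))
    print("SOC 2 declaration drift:", declaration_drift("SOC 2", SEPTEMBER))
```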

See your first 10 third parties in less than 7 days.

FAQs

1/ What's the difference between continuous TPRM and an external rating like BitSight or SecurityScorecard?

An external rating like BitSight or SecurityScorecard is calculated using a closed proprietary methodology. You see a grade, not the decomposition. The evaluated third party often contests the score without being able to argue the method. FortaRisks exposes every finding contributing to the third party's score, by dimension (Surface, CTI, Frameworks). The evaluated third party can contest point by point. You can defend your commercial decision (suspension, negotiation, enhanced monitoring) with technical proof.

2/ Do you need third-party cooperation for the initial assessment?

No. Initial assessment relies only on what's observable from the Internet (attack surface, public CTI signals, external signs of framework alignment). No third-party cooperation required. If the third party then wishes to enrich the assessment with internal evidence (SOC 2 attestations, audit reports), it's possible via the evidence-sharing module, but not required.

3/ Does the OT/ICS scanner apply to third parties?

Yes. If you categorize a third party as "OT / industrial" at onboarding, the native OT/ICS scanner (Modbus, S7, BACnet, EtherNet/IP, IEC-104, DNP3, OPC UA, Niagara Fox — 15 industrial ports) is included in the continuous third-party surface scan. The scanner systematically runs in read-only mode, with rate limiting adapted to industrial equipment.

4/ What happens when a third party contests their score?

You can export the full score decomposition to PDF (per finding, per dimension, per weight). The third party receives a document detailing each contribution. If the third party demonstrates remediation (for example, closes an exposed port), the next scan automatically detects it and the score updates within 24h. No manual negotiation required.