Scrutineer.ai


Third-party risk management that runs on continuous evidence

Third-party risk management is where a lot of breaches actually start: a supplier, a contractor or a sub-processor with weak controls and access to your data. A real TPRM program has to assess every third party, score the risk and keep watching, not file a questionnaire and move on. Scrutineer does exactly that across your full third-party population.

Each third party gets an evidence-backed risk score covering its security posture, the data and systems it can reach, and its certifications, refreshed continuously as conditions change. Critical third parties get deeper scrutiny and tighter monitoring. When something degrades, you hear about it early. Your team owns the decisions; Scrutineer gives the program the structure and the evidence to back them.


Control-mapped findings · linked evidence · you decide what to remediate

The Scrutiny Desk

Illustrative sample · not an audit attestation

SOC 2 · ISO 27001 · HIPAA · GDPR · PCI DSS

Controls in, evidence-linked report out. The AI scrutinizes, you decide.

Why it works

What you get with third-party risk

Every third party assessed

Suppliers, contractors and sub-processors are all assessed and scored on the same standard, so no part of your third-party population is a blind spot.

Scored on real exposure

Risk scores reflect what a third party can actually reach: the data, the systems, the access, with evidence behind every factor.

Watched continuously

Scrutineer keeps monitoring third parties after onboarding, so a posture change or lapsed certification raises a flag before it becomes an incident.

What it handles

Controls in, an evidence-linked report out

Point Scrutineer at a framework or a vendor and it maps every control, pulls the evidence it can find, flags the gaps and scores the risk, returning a report with linked evidence and a prioritized remediation list. Scrutineer is decision support for readiness; an accredited auditor still issues the attestation.

  • Assesses suppliers, contractors and sub-processors
  • Scores each third party on real exposure
  • Tiers third parties by criticality
  • Continuously monitors posture and certifications
  • Flags degradations and lapses early
  • Keeps a defensible record for audits and regulators

THIRD-PARTY RISK · readiness_report
READINESS · 82%

ACCESS CONTROL · 91
evidence · MFA enforced and access reviews evidenced.

CHANGE MGMT · 78
evidence · Mostly covered; one approval log left untested.

VENDOR RISK · 64
evidence · Two sub-processors missing a current review.

ENCRYPTION · 86
evidence · Data encrypted in transit and at rest, evidenced.

Mapped to controls · evidence-linked · 3 GAPS

Why Scrutineer

One platform that maps controls and scores risk

Not a static questionnaire, not a pass-fail black box, and not a spreadsheet you maintain by hand. Live control mapping across SOC 2, ISO 27001, HIPAA, GDPR and PCI, automatic evidence and a prioritized gap list, returned as a report you can act on. The AI scrutinizes, you decide.

Mapped to real controls

Every framework is broken down into the controls it actually requires, each scored on a red to amber to green scale, so readiness stays transparent and consistent.

Evidence behind every finding

Each control links to the exact evidence that satisfies it (the policy, the config, the log line), so the finding is auditable and your readiness is defensible.

A prioritized gap list

Open gaps roll up into a ranked remediation list, so the highest-risk findings sit at the top and your team fixes what matters before the audit begins.

Good questions

Questions about third-party risk

What counts as a third party?

Any external organization with access to your data, systems or operations: software vendors, infrastructure providers, contractors, agencies and sub-processors. Scrutineer assesses and scores them all on a consistent standard so your whole third-party surface is covered.

How are third parties prioritized?

By exposure. Third parties that touch sensitive data or critical systems are tiered higher, get deeper assessment and are monitored more frequently, so your team focuses effort where a failure would hurt most.


Stop guessing about readiness. Scrutinize on real evidence.

Point Scrutineer at a framework or a vendor and it maps every control, gathers evidence and scores the risk, returning an evidence-linked report and a prioritized gap list. The AI scrutinizes, you decide.


SOC 2, ISO 27001, HIPAA, GDPR & PCI · evidence-linked controls · readiness, not certification