Vendor Risk Management

Vendor risk, run by an AI workforce.

Three named agents collaborating across the vendor lifecycle. NOVA owns the relationship. ARIA reads the evidence. REX watches from the outside. Together they replace the spreadsheets, the chasing, and the gut-feel scoring.

Too many vendors. Too little time.

Vendor risk teams are running the largest, most regulated stage of procurement with the smallest headcount in security. The result: late questionnaires, stale scores, and material risk hiding in plain sight.

Hiring more analysts isn't the answer — there aren't enough to hire, and the regulatory load is climbing faster than your headcount could anyway. The Agency takes the work the team shouldn't be doing.

200+ Average vendors per risk team
1.5 People typically managing them
~70% Of TPRM time spent on admin

Three agents. One vendor lifecycle.

Vendor risk needs three things at once: someone who can talk to the vendor, someone who can read what they send, and someone who can verify it from the outside. We named them.

NOVA
AI Vendor Relationship Manager

The only agent that talks to your vendors. Owns the relationship from intake through to offboarding, across email, WhatsApp, and in-app chat.

The team
  • Intake — captures the vendor record
  • Vendor Discovery — surfaces shadow vendors
  • Firmographics — enriches the vendor profile
  • Vendor Chaser — automated nudges across channels
  • Data Destruction — verifies offboarding evidence
What they do for vendor risk
  • Drafts the questionnaire request, sends it, chases the follow-up — without you copying and pasting
  • Detects when your vendor contact has left and reroutes onboarding automatically
  • Spots unmanaged vendors in your stack you didn't know you had
ARIA
Assessment & Risk Intelligence Agent

Reads your vendor's evidence so you don't have to. Documents, questionnaires, contracts, trust centres — all turned into structured posture against the 157 Universal Controls.

The team
  • Q Pre-Populator — auto-fills 70%+ from prior evidence
  • Q Analyser — scores completed responses
  • Response Validator — cross-checks claims against scan data
  • Document Classifier — routes uploads to the right control
  • Trust Centre Parser — ingests vendor trust portals
  • Contract Analyser — extracts risk-relevant clauses
  • SnapShot — on-demand one-page vendor summary
What they do for vendor risk
  • Pre-fills the next questionnaire from the SOC 2 a vendor uploaded last quarter
  • Catches vendors saying one thing in the questionnaire and another on their trust page
  • Surfaces contract clauses that cap vendor liability at 12 months' fees
REX
Risk & Breach Intelligence Agent

Watches your vendors from the outside. Continuous attack-surface mapping, breach detection, fourth-party discovery, and regulatory or financial signals — all without asking the vendor a single question.

The team
  • Digital Footprint Scanner — maps the vendor's external surface
  • Outside-In Scanner — daily security posture scoring
  • Continuous Monitoring — material-change and breach detection
  • BreachWatch — dark-web correlation against vendor identifiers
  • Fourth-Party Discovery — vendors of vendors, mapped
  • Vendor Business Risk Analyst — Companies House, sanctions, negative news
What they do for vendor risk
  • Tells you a vendor's posture dropped 40 points overnight — and why
  • Flags a credential dump on the dark web before the vendor disclosed
  • Maps the chain when your vendor's vendor has the actual breach

Five stages. One workflow.

The full vendor lifecycle, with the named agent responsible at each stage. Onboarding through reporting — no handoffs, no gaps.

01 Onboarding (NOVA)
Outreach, intake, evidence collection, follow-up.

02 Assessment (ARIA + REX)
Document intelligence + outside-in scan, joined.

03 Monitoring (REX)
Continuous scoring, breach detection, fourth-party.

04 Remediation (TARA)
Tiering, treatment plans, SLA-driven actions.

05 Reporting (VANCE)
DORA, NIS2, audit packs, board insights.

"Single source of truth" is a lie.

Most TPRM platforms give you one signal — ratings or questionnaires. One half of the picture. We give you both, joined.

Most platforms

One signal. Cherry-picked.

A rating or a questionnaire. Whichever the vendor will let you see. The other half stays a story you have to take their word for.

  • Outside-in score with no internal evidence to corroborate it
  • Self-reported questionnaires with no external check on the answers
  • "Single source of truth" branding for half a picture
RiskXchange

Both signals. Joined.

ARIA reads the documents, REX scans from the outside. Their findings are reconciled into one combined view — gaps, contradictions, evidence, all in one place.

  • Outside-in scan + inside-out evidence, reconciled
  • Vendor claims cross-checked against external reality
  • One score — earned, not asserted
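What "both signals, joined" looks like as logic, as an added illustration rather than RiskXchange's own code: each control gets the vendor's inside-out claims (questionnaire, trust centre, SOC 2) and the outside-in scan finding, and a verdict is decided per control. A claim the scan confirms is corroborated; a claim the scan disproves is a contradiction; claims that disagree with each other across the vendor's own sources are flagged too; a claim nobody can check from outside stays unverified; a scan failure the vendor never addressed is an external gap. The control IDs, claim sources, scoring weights and the sample vendor data are all constructed for the example.

```python
"""Reconcile inside-out vendor claims with outside-in scan findings.

Added illustration, not RiskXchange code: control IDs, sources, weights
and the sample data below are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Verdict(str, Enum):
    CORROBORATED = "corroborated"         # vendor claims it, scan confirms it
    CONTRADICTED = "contradicted"         # vendor claims it, scan disproves it
    INCONSISTENT = "inconsistent_claims"  # vendor's own sources disagree
    ADMITTED_GAP = "admitted_gap"         # vendor says the control is not in place
    UNVERIFIED = "unverified"             # claim with no external check possible
    EXTERNAL_GAP = "external_gap"         # scan failure the vendor never addressed


@dataclass(frozen=True)
class Claim:
    control: str    # control identifier (assumed IDs such as "TLS-01")
    asserted: bool  # True = vendor states the control is in place
    source: str     # "questionnaire", "trust_centre", "soc2", ...


@dataclass(frozen=True)
class Finding:
    control: str
    passed: bool
    detail: str     # what the scanner actually observed


@dataclass(frozen=True)
class Reconciled:
    control: str
    verdict: Verdict
    evidence: tuple[str, ...]


# Credit each verdict earns toward the combined score (assumed weights).
WEIGHTS = {
    Verdict.CORROBORATED: 1.0,
    Verdict.UNVERIFIED: 0.5,   # a bare claim earns only half credit
    Verdict.INCONSISTENT: 0.0,
    Verdict.CONTRADICTED: 0.0,
    Verdict.ADMITTED_GAP: 0.0,
    Verdict.EXTERNAL_GAP: 0.0,
}


def reconcile(claims: list[Claim], findings: list[Finding]) -> list[Reconciled]:
    """Join claims and findings per control and decide one verdict for each."""
    claims_by_control: dict[str, list[Claim]] = defaultdict(list)
    for c in claims:
        claims_by_control[c.control].append(c)
    findings_by_control = {f.control: f for f in findings}

    results = []
    for control in sorted(set(claims_by_control) | set(findings_by_control)):
        cs = claims_by_control.get(control, [])
        f = findings_by_control.get(control)
        evidence = [f"{c.source}: {'yes' if c.asserted else 'no'}" for c in cs]
        if f is not None:
            evidence.append(f"scan: {'pass' if f.passed else 'FAIL'} ({f.detail})")

        if not cs:
            # Only the scanner speaks to this control (f cannot be None here).
            if f.passed:
                continue  # an unclaimed pass adds nothing to the picture
            verdict = Verdict.EXTERNAL_GAP
        elif len({c.asserted for c in cs}) > 1:
            verdict = Verdict.INCONSISTENT   # questionnaire vs trust page
        elif not cs[0].asserted:
            verdict = Verdict.ADMITTED_GAP
        elif f is None:
            verdict = Verdict.UNVERIFIED
        elif f.passed:
            verdict = Verdict.CORROBORATED
        else:
            verdict = Verdict.CONTRADICTED
        results.append(Reconciled(control, verdict, tuple(evidence)))
    return results


def combined_score(results: list[Reconciled]) -> int:
    """0-100: weighted share of reconciled controls in good standing."""
    if not results:
        return 0
    return round(100 * sum(WEIGHTS[r.verdict] for r in results) / len(results))


def contradictions(results: list[Reconciled]) -> list[Reconciled]:
    """The items an analyst should look at first."""
    return [r for r in results
            if r.verdict in (Verdict.CONTRADICTED, Verdict.INCONSISTENT)]


# Constructed sample data for one vendor.
SAMPLE_CLAIMS = [
    Claim("TLS-01", True, "questionnaire"),   # "TLS 1.2+ only"
    Claim("TLS-01", True, "trust_centre"),
    Claim("MFA-01", True, "questionnaire"),   # "MFA enforced on admin portal"
    Claim("MFA-01", False, "trust_centre"),   # trust page says MFA is optional
    Claim("BCP-01", False, "questionnaire"),  # vendor admits no tested DR plan
    Claim("SDL-01", True, "questionnaire"),   # "secure SDLC": nothing to scan
    Claim("DNS-01", True, "soc2"),
]
SAMPLE_FINDINGS = [
    Finding("TLS-01", False, "TLS 1.0 accepted on portal.example"),
    Finding("DNS-01", True, "DMARC p=reject, SPF -all"),
    Finding("HDR-01", False, "no HSTS header on portal.example"),
]

if __name__ == "__main__":
    rs = reconcile(SAMPLE_CLAIMS, SAMPLE_FINDINGS)
    for r in rs:
        print(f"{r.control:7} {r.verdict.value:20} {'; '.join(r.evidence)}")
    print("combined score:", combined_score(rs))
```

On the sample vendor this yields a combined score of 25 with two contradictions (TLS-01 claimed but disproved by the scan, MFA-01 stated differently on the questionnaire and the trust page), one admitted gap, one unverified claim and one external gap. The weights are the tunable part: a questionnaire-only platform would credit SDL-01 and TLS-01 in full, and a ratings-only platform would never see BCP-01 or MFA-01 at all.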

See it on your vendors.

Pick one of your live vendors. We'll have NOVA, ARIA and REX produce a complete posture report inside 24 hours. No procurement. No commitment.