Why RiskXchange

"Single source of truth" is a lie.

Most TPRM platforms give you ratings or questionnaires — never both, joined into one posture. Four reasons RiskXchange is built around the combined signal — and four reasons the others can't catch up.

Reason 01 · The architecture

Two signals, joined. Not one cherry-picked.

Other TPRM platforms ship outside-in ratings or questionnaire scoring. We built the platform around both, reconciled into one posture — and named the two agents that do it.

ARIA reads everything the vendor sends. REX scans everything the vendor doesn't. When the two disagree, we surface the contradiction instead of picking the prettier number. That's the combined-signal moat.

  • Vendor's questionnaire claim cross-checked against their actual external posture
  • Trust-page assertions verified against breach intelligence and dark-web signal
  • Contract clauses mapped against fourth-party exposure REX has discovered
Inside-out
ARIA
Reads questionnaires, contracts, trust centres, certifications.
Outside-in
REX
Scans the surface, breach signal, fourth-party exposure.
Outcome
One score — earned, not asserted.
Reason 02 · The workforce

Named agents, not chatbots in a wrapper.

"AI" in TPRM has become a marketing checkbox — usually a chat interface bolted onto an unchanged platform. The Agency is the platform, not a feature on top of it.

Five lead agents. Twenty-seven specialists. Each trained for a single job. Structured handoffs between them. Three autonomy modes you control per customer. An audit trail of which agent did what and why.

  • NOVA, REX, ARIA, TARA, VANCE — each with a defined remit and clear boundaries
  • Manual / Assisted / Autonomous — your choice of how much they do without approval
  • Every output traceable: which agent, which evidence, which decision path
Most "AI TPRM"
A chat box on the dashboard.
  • One LLM doing everything, generic prompts
  • No structured handoffs, no agent boundaries
  • Outputs feel plausible, hard to audit
  • "AI features" bolted onto unchanged workflow
The Agency
32 named agents, one workforce.
  • Each agent trained for a specific job
  • Structured handoffs between leads, logged
  • Three autonomy modes — Manual / Assisted / Autonomous
  • Tamper-evident audit trail per output
Reason 03 · The architecture

Three layers. Not one without the others.

Pure-AI TPRM startups have agents but no platform underneath and no trust data behind them — no scoring engine, no monitored network, no integrations stack. Established platforms have the foundation but no agentic workforce on top.

We've spent a decade building all three. The 2020 platform — 360° assessments, attack surface management, the integration suite — became the system of record. The Trust Layer — 5M+ continuously monitored companies, plus the vendor-curated trust pages they publish back — is the shared trust backbone. The Agency, our 2024 workforce of 32 named AI agents, runs on top of both.

One product. One subscription. One place to log in. The Agency isn't a separate tool, an add-on or a second contract — it's how the platform runs. The agents come with your plan.

  • 5M+ companies continuously monitored — the Trust Layer's data moat REX inherits
  • Vendor-curated trust pages — shared posture flowing back into the same evidence framework
  • 157 Universal Controls — the structure ARIA evidences against
  • Native integrations to Jira, ServiceNow, Archer, OneTrust, SSO, GRC stack
  • SOC 2, ISO 27001, regional data residency — already built and audited
The workforce · The Agency
NOVA
NOVA
REX
REX
ARIA
ARIA
TARA
TARA
VANCE
VANCE
The system of record · The Platform
  • 360° risk assessments
  • Attack surface management
  • Continuous monitoring
  • 157 Universal Controls
  • Workflow & audit trail
  • Integration stack
The shared backbone · The Trust Layer
5M+
Companies continuously monitored — the Network
Trust Pages
Vendor-curated posture, published back to you
One product. One subscription. Always integrated.
Reason 04 · The relationship

Your vendor is a relationship, not a transaction.

Most platforms treat each questionnaire as a one-shot — a transaction with no memory. Your vendor experiences a different person every cycle, hears the same questions again, has no idea what was answered last time.

NOVA is persistent. The same agent runs the relationship across years — across email, WhatsApp and in-app chat. Your vendor sees one consistent face. You stop re-asking what they already told you.

  • Persistent identity across the whole relationship — onboarding through offboarding
  • Three channels — vendor picks the one they actually respond to
  • Detects when contacts leave, re-routes onboarding to a verified replacement
  • Customer can join any conversation NOVA is having — multi-party threads
NOVA avatar
NOVA
Same agent. Same vendor. Years.
Month 01
Onboards the vendor. Captures the record, fires firmographic enrichment, sends the first questionnaire.
Month 04
Detects the security contact has left. Routes the next request to a verified replacement automatically.
Year 02
Pre-fills the renewal questionnaire from prior evidence. Vendor answers a third of the questions, not all of them.
Year 03
Coordinates offboarding. Verifies data destruction. Logs evidence to the audit trail.

Most TPRM platforms vs. RiskXchange.

The differentiation in one table. Six rows. The same patterns repeat across every evaluation we've been part of.

What's different
Most platforms
RiskXchange
Outside-in score
Single rating, no internal evidence
REX scoring + ARIA evidence, reconciled
Vendor questionnaires
Manual chase, no external corroboration
NOVA chases, ARIA pre-fills 70%, REX validates
AI capability
Chatbot wrapped around an LLM
32 named agents, structured handoffs, audit trail
Vendor relationship
Treated per questionnaire, identity-less
Persistent NOVA across years, multi-channel
Regulatory output
Hand-assembled by an analyst
VANCE composes from live data, audit-ready
Continuous monitoring
Score change alerts only
Score + breach + business-risk + fourth-party

Cool Vendor 2024.

Gartner
Cool
Vendor
2024
Recognised by Gartner as a Cool Vendor in third-party risk management.
Selected for our agentic approach to TPRM and the depth of our outside-in intelligence — the combined-signal model that joins ARIA's evidence reading with REX's external scanning.

See it on your vendors.

Book a 30-minute call and we'll have NOVA, ARIA and REX produce a complete posture report on one of your live vendors inside 24 hours.