Most third-party risk tools take the vendor's word for it. Penthropic reads what they actually uploaded, checks every answer against their evidence, watches for drift after the deal closes, and shows you the breach path before it happens.
A vendor will tell you exactly what you want to hear on a questionnaire. Their own SOC 2 report tells a different story. Penthropic reads both, and surfaces the gap before you sign.
"Multi-factor authentication for privileged accounts was deployed mid-period; the auditor noted full enforcement is expected Q3 2026."
No more PDF-eyeballing, no more "yes" answers no one checks, no more vendor-drift surprises six months later. Penthropic adds the layer that actually verifies, before, during, and after the relationship.
AI reads every SOC 2, ISO certificate, policy and DPA the vendor uploaded. Compares each control claim in the questionnaire to what the evidence actually says.
Re-runs the questionnaire on cadence and auto-raises a finding the moment a high-weight control regresses. The Tier 1 vendor that turned off MFA last quarter? You hear about it the same day.
Attack-chain composer takes the vendor's open findings and renders a five-step, MITRE-aligned breach path. The narrative your board actually wants, not another list of CVEs.
Most TPRM platforms take weeks to stand up, need a pro-services engagement to configure, and still leave your reviewers eyeballing PDF evidence by hand. Penthropic ships opinionated, live same day, and reads the evidence for you.
| Capability | Typical TPRM | Penthropic TPRM |
|---|---|---|
| Time to first vendor live | Weeks of pro-services | ✓ Same day, no consultant |
| Day-to-day UX | Heavy, multi-portal, dated | ✓ One fast UI, keyboard-first |
| Editing questions, templates & rules | Consultant ticket, days to land | ✓ Edit in-app, live immediately |
| Send questionnaire, receive answers | ✓ | ✓ |
| Evidence vault + expiry tracking | ✓ | ✓ |
| Tier-aware questionnaires (Tier 1 / 2 / 3) | Manual, often single template | ✓ 181Q / 32Q / 16Q auto-routed |
| AI cross-checks answers against the vendor's own evidence | takes the answer as truth | ✓ Penthropic-unique |
| Drift detection on resubmit | point-in-time only | ✓ Auto-raises on regression |
| Attack-chain narrative per vendor | risk register only | ✓ MITRE-aligned, board-ready |
| Multi-perspective AI review (InfoSec / Privacy / Legal / Procurement) | Single-lens or none | ✓ Four specialists + synthesiser |
| Regulatory rollup on every finding (DORA, NIS2, GDPR, FCA) | Pay-extra add-on | ✓ Out of the box |
| Business Owner portal (separate UX, soft training gate) | Same UI for everyone | ✓ Purpose-built |
| Senior-leader approval via public link (no login) | Login required | ✓ Signed link, mobile-friendly |
| Concentration map, where your vendors share infrastructure | Manual analysis | ✓ Provider, region, country, type |
Regulators care whether you can answer one question: "how do you know what your vendors are doing?" Penthropic gives you a defensible answer for every regulator you face.
FCA SYSC 8.1 (outsourcing oversight), PRA SS2/21 (outsourcing and third-party risk management), and EU DORA (Regulation (EU) 2022/2554) on ICT third-party risk. Every finding is tagged to the article that applies, so Penthropic produces the audit trail the regulator asks for.
NIS2 Article 21(2)(d) lists supply-chain security among the mandatory cybersecurity risk-management measures. Penthropic auto-tags every finding to the NIS2 paragraph that bites and produces the evidence pack your supervisory authority will ask for.
GDPR Article 28 (processor obligations), Article 32 (security of processing) and Article 33 (breach notification to the supervisory authority). Penthropic flags every gap and routes the right risk to your DPO.
Every finding is mapped to ISO 27001:2022 Annex A controls and the relevant SOC 2 Trust Services Criteria, ready to drop into your control evidence library.
Our automated scorecard combines passive asset discovery with continuous threat-intelligence checks. Every signal is observable, every finding is actionable.
We map each vendor's external attack surface using Certificate Transparency logs (crt.sh), the Wayback Machine CDX API, subdomain enumeration (candidate names resolved over Cloudflare's DNS-over-HTTPS resolver), and SecurityTrails passive DNS. We then resolve IPs, match them against published cloud-provider address ranges (AWS, GCP, Azure, Cloudflare, Fastly), and fingerprint the tech stack from HTTP response headers.
After mapping assets we run lightweight checks: MTA-STS and DMARC policy enforcement, SPF alignment, legacy TLS version detection, DNSSEC presence, subdomain takeover (dangling CNAME), leaked credentials from breach databases, and ransomware leak-site mention matching. Each check maps to a severity score from 1 (low) to 8 (critical).
No active port scanning, no exploit probing, no destructive tests. We perform read-only passive reconnaissance: we observe what is already publicly visible on the internet. We do not access dark web marketplaces, purchase stolen credentials, or enumerate internal systems. All HTTP checks carry a Penthropic-Scorecard User-Agent so you can identify our traffic in your logs (DNS and CT-log lookups carry no such header).
Each finding is assigned a severity from 1 (Low) to 8 (Critical), and that severity is the finding's weight. The scorecard score is 100 − ∑(severity of each active finding), clamped to 0–100, then converted to a letter grade: A (90+), B (75–89), C (60–74), D (40–59), F (<40). Resolved findings (accepted disputes) are excluded from the sum. Severity bumps apply when a scan finding directly contradicts a security claim your vendor submitted in their questionnaire.
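The following is an added example, written for this page rather than taken from Penthropic's own code, that ties the passive email-security checks above (DMARC policy enforcement, SPF, MTA-STS) to the scoring and grading rule just described. It runs three checks over a constructed set of DNS TXT records, bumps the severity of a finding that contradicts a constructed questionnaire answer, then computes the score, the letter grade, and the effect of an accepted dispute. The specific severity values per check, the bump size of +2 and the claim-to-check mapping are assumptions; the page only fixes the 1–8 scale, the 100 − ∑ formula and the grade bands.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    check: str           # which passive check raised it
    severity: int        # 1 (low) .. 8 (critical), the page's scale
    detail: str
    resolved: bool = False   # set when a dispute is accepted


# Constructed sample DNS TXT records for a fictitious vendor (not real data).
SAMPLE_TXT = {
    "example-vendor.test": ["v=spf1 include:_spf.mailprovider.test +all"],
    "_dmarc.example-vendor.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-vendor.test"],
    "_mta-sts.example-vendor.test": [],
}

# Constructed questionnaire answers: the vendor claimed DMARC is enforced.
SAMPLE_CLAIMS = {"dmarc_enforced": True, "mta_sts_enforced": False}


def dmarc_tags(record):
    """Parse 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain, txt):
    records = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not records:
        return Finding("dmarc", 5, "no DMARC record")        # severity: assumption
    policy = dmarc_tags(records[0]).get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return Finding("dmarc", 4, f"DMARC policy p={policy} is monitor-only")
    return None


def check_spf(domain, txt):
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return Finding("spf", 5, "no SPF record")
    if len(records) > 1:
        return Finding("spf", 4, "multiple SPF records (receivers treat this as permerror)")
    if records[0].split()[-1] == "+all":
        return Finding("spf", 5, "SPF ends in +all: any host may send as this domain")
    return None


def check_mta_sts(domain, txt):
    records = [r for r in txt.get(f"_mta-sts.{domain}", []) if r.lower().startswith("v=stsv1")]
    if not records:
        return Finding("mta_sts", 3, "no MTA-STS policy record")
    return None


CHECKS = [check_dmarc, check_spf, check_mta_sts]
# Which questionnaire claim each check can contradict (assumed mapping).
CONTRADICTS = {"dmarc": "dmarc_enforced", "mta_sts": "mta_sts_enforced"}
CLAIM_BUMP = 2   # assumed size; the page only says a bump applies


def run_checks(domain, txt, claims):
    """Run every check; raise severity where the vendor claimed the control was in place."""
    findings = []
    for check in CHECKS:
        finding = check(domain, txt)
        if finding is None:
            continue
        claim = CONTRADICTS.get(finding.check)
        if claim and claims.get(claim):
            finding.severity = min(8, finding.severity + CLAIM_BUMP)
            finding.detail += " (contradicts questionnaire answer)"
        findings.append(finding)
    return findings


def score(findings):
    """100 minus the sum of active severities, clamped to 0..100."""
    raw = 100 - sum(f.severity for f in findings if not f.resolved)
    return max(0, min(100, raw))


def grade(s):
    return "A" if s >= 90 else "B" if s >= 75 else "C" if s >= 60 else "D" if s >= 40 else "F"


def resolve_dispute(findings, check, accepted):
    """An accepted dispute removes the finding from the active score; a rejected one leaves it."""
    for f in findings:
        if f.check == check:
            f.resolved = accepted
    return findings


if __name__ == "__main__":
    found = run_checks("example-vendor.test", SAMPLE_TXT, SAMPLE_CLAIMS)
    for f in found:
        print(f"{f.check:8s} sev={f.severity} {f.detail}")
    s = score(found)
    print(f"score={s} grade={grade(s)}")
```

With the constructed records the DMARC finding starts at 4 and is bumped to 6 because the vendor answered "yes" to enforcement, the open SPF record adds 5 and the missing MTA-STS policy adds 3, giving 86 (B); accepting a dispute on the SPF finding lifts the vendor to 91 (A), which is why disputes are logged with reasoning rather than applied silently.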
Every finding can be disputed. Vendors log in to the vendor portal and submit a written explanation or evidence for review. Accepted disputes are marked resolved and removed from the active score; rejected disputes are logged with reasoning. Vendors can also request a rescan after remediating an issue.
Asset graphs are rebuilt weekly (Sunday, 03:00 UTC). Threat-intelligence signals refresh nightly. Score snapshots are written after each sweep so trend data is always current. Questions about a specific finding? Contact us at security@penthropic.ai or visit penthropic.ai.
Penthropic TPRM reads the SOC 2, cross-checks every "yes" against the evidence, watches for drift after the deal closes, and renders the breach path your board can actually understand. Built by cyber practitioners who got tired of TPRM tools that just shuffle PDFs around.
DORA · NIS2 · GDPR · FCA mapped out of the box. London-based founding team. One business-day response.