Cyb3r Operations
Stage · Discover

Use case · Relationship Mapping

See your 4th, 5th, and Nth-tier dependencies.

Tier-1 looks fine. The risk lives one tier deeper. Cyb3r Operations maps tier-2 to tier-N from observable evidence, no supplier disclosure required, and scores concentration by service, geography, and regulator.

From the field

When the regulator asked about our concentration in cloud, I couldn't have answered. Three tier-2 suppliers sat behind fourteen of our tier-1 vendors. Until I saw the map, the question didn't even make sense.

Chief Risk Officer · UK Financial Services

Where it sits in the platform

The moment

The board paper that needed an answer the firm didn't have.

The CRO had a week to draft the next quarter's risk paper. The audit committee had asked one question: where is our concentration risk? The team could list the tier-1 critical suppliers. Beyond that, the answer was "we would need to ask each supplier for their Nth-party list."

By the next morning, the Cyb3r Operations map was on her screen. Three tier-2 suppliers (a cloud platform, an authentication provider, and a foundation-model vendor) sat behind fourteen of her tier-1 critical vendors. One supplier failure could have cascaded across four regulated business services at once.

What was actually true

  • Tier-1 vendor list complete, tier-2+ a black box
  • Nth-party disclosures patchy, six to twelve months stale
  • Concentration risk invisible until an event surfaces it
  • Board asked about nth-tier; the map didn't exist

What changed

What Relationship Mapping put on the CRO's screen.

Tier-N visibility from observable evidence. Map tier-1 to tier-N from hosting infrastructure, integrations, and public Nth-party lists. Not from a survey nobody fills in.

Concentration scoring by service, geography, regulation. Surface where the business depends on too few suppliers, in too few places, under too few regulators.

Network-effect detection. Identify the tier-2 suppliers sitting behind multiple tier-1 vendors, the MOVEit and Snowflake pattern, before the next one hits.

More it does in the background

What-if modelling.

Pick a supplier, see the business services that go offline, the regulatory exposure, and the continuity-tolerance breach.

Continuous refresh.

The map is current as of your last business day, not last quarter's review cycle.

Independent of supplier disclosure.

Tier-2+ visibility holds even when tier-1 suppliers refuse to share their own Nth-party list.

How the map came together

From 23 tier-1 suppliers to a five-tier graph.

No supplier disclosure required. The concentration view ready for the audit committee in three days.

01 · Input

Tier-1 vendor list, 23 critical suppliers across the regulated business services.

02 · Mapping layer

Outside-in observation, Nth-party inference, business-service mapping.

03 · Output

A five-tier graph with concentration scored by service, geography, and regulator. Three tier-2 nodes flagged as systemic.

Questions buyers asked

Questions risk leaders ask in the first conversation.

Outside-in observation: hosting infrastructure, integrations, public Nth-party lists, breach intelligence. We don't depend on a tier-1 supplier handing over their Nth-party list.

Three dimensions: service (how many critical business services depend on this supplier), geography (how concentrated is the footprint), and regulatory (how many regulatory regimes apply at once).

GRC platforms map what the supplier tells you. Cyb3r Operations maps what the environment tells us, including tier-2+ relationships the tier-1 supplier hasn't disclosed.

First-class. We surface Nth-party dependencies the same way we surface tier-1, observed, not asked for.

The platform surfaces the intelligence: which business services depend on the supplier, where the regulatory exposure sits, and how concentration risk is distributed across your portfolio. You feed that into your own scenario-modelling tooling. The platform is the input, not the modeller.

Continuously refreshed. Mapping is not a once-a-quarter exercise.