
Introducing Safeguard TPRM: Evidence-Based Third-Party Risk Management

Safeguard's new TPRM module replaces vendor questionnaires with SBOM-driven, continuous third-party risk assessment.

Michael
Product Manager
7 min read

Today we are shipping Safeguard TPRM, a new module that brings the same evidence-based, automated approach we use for internal software supply chain security to the problem of third-party vendor risk management.

If you have ever spent three weeks chasing a vendor for a completed security questionnaire, only to receive answers that tell you nothing useful about their actual security posture, this module is for you.

Why We Built This

Third-party risk management is one of the most universally painful processes in cybersecurity. The concept is sound — before you trust a vendor's software in your environment, you should understand the risk it introduces. The execution, however, has not kept up with the reality of modern software supply chains.

The average enterprise evaluates vendors using the same basic approach that was used a decade ago: send a spreadsheet of questions, wait for self-reported answers, score the responses, and file the results. This process is slow (typical turnaround is 4-8 weeks), unreliable (self-reported data is inherently optimistic), and stale the moment it is completed (annual reviews create 364 days of uncertainty).

Meanwhile, the actual risk surface has changed dramatically. Modern applications depend on dozens of third-party services and hundreds of open-source components. A vendor's self-reported claim about their patch management policy tells you far less about your risk than an actual analysis of what components they ship and whether those components have known vulnerabilities.

We built Safeguard TPRM because we already had the infrastructure to do this better. Our SBOM engine, vulnerability correlation database, and policy evaluation framework were all in place. Extending them to cover third-party vendor assessment was a natural evolution.

What Safeguard TPRM Does

SBOM-Based Vendor Assessment

The core of Safeguard TPRM is the ability to ingest and analyze vendor SBOMs. When a vendor provides an SBOM for their product — either directly through our vendor portal or via API upload — Safeguard automatically:

  • Identifies all components including transitive dependencies
  • Cross-references vulnerability databases (NVD, OSV, GitHub Advisory Database) for known CVEs
  • Evaluates component health using the same scoring model from our Open Source Manager
  • Checks license compliance against your organizational policy
  • Calculates an overall vendor risk score based on the composition of their software

This gives you an objective, evidence-based assessment of what is actually in the vendor's software, rather than what the vendor claims about their security practices. Two caveats apply to any SBOM-driven assessment: a match against an advisory shows that the vendor ships an affected version, not that the vulnerable code path is reachable in their product, so matches are findings to triage rather than confirmed exposure; and the assessment is only as good as the SBOM itself, which is why SBOM quality is scored separately (see Risk Scoring and Tiering below).

Vendor Portal

We built a self-service portal where vendors can upload SBOMs, respond to supplementary questions, and see their own risk scores. The portal is designed to make vendor participation as frictionless as possible:

  • Vendors receive an invitation link — no account creation required
  • SBOM upload supports CycloneDX and SPDX formats, with validation feedback
  • Supplementary questions are generated dynamically based on SBOM analysis findings, so vendors only answer questions that the automated analysis cannot resolve
  • Vendors can see their own score and the specific findings, which gives them a roadmap for improvement

The dynamic questionnaire is one of the features we are most excited about. Instead of sending 200 generic questions, the system analyzes the SBOM first and generates targeted questions only for areas that need clarification. A vendor with an excellent SBOM and no critical findings might receive five questions. A vendor with significant gaps might receive thirty. Either way, every question is tied to a specific finding and serves a clear purpose.

Continuous Monitoring

Once a vendor is onboarded, Safeguard TPRM monitors their risk profile continuously. When a new vulnerability is disclosed that affects a component in a vendor's SBOM, the system:

  1. Recalculates the vendor's risk score
  2. Notifies the appropriate team based on the vendor's tier
  3. Creates a tracking item for remediation
  4. Monitors for a vendor-supplied update that resolves the issue

This turns vendor risk management from an annual snapshot into a continuous process. You know about new vendor risks within hours of disclosure, not months.

Risk Scoring and Tiering

Vendor risk scores in Safeguard TPRM are calculated from multiple weighted factors:

  • Vulnerability exposure — number and severity of known CVEs in the vendor's software
  • Component health — aggregate health score of all dependencies
  • Patch currency — how current the vendor's dependencies are relative to available updates
  • License risk — presence of restrictive or incompatible licenses
  • SBOM quality — completeness and accuracy of the vendor's SBOM

Vendors are automatically tiered based on their risk score and the criticality of their role in your environment. Tier assignments drive monitoring intensity, notification routing, and remediation SLAs.

Integration With Policy Gates

For organizations that use Safeguard's policy gates in their CI/CD pipelines, TPRM adds a new gate type: vendor risk. You can configure your pipeline to block deployments that include dependencies from vendors whose risk score does not meet your threshold. This creates a direct link between vendor risk assessment and deployment decisions, with no manual review step required.
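The scoring, tiering and gating described in the two sections above, as an added worked example in Python. It is not Safeguard's scoring model: the factor weights, severity points, tier matrix and gate thresholds are all hypothetical, chosen only to show how the pieces fit. Factors are normalised to 0..100 with higher meaning more risk, tiering combines the score with a criticality the customer assigns, and the gate is a separate function that reads the score but is configured independently, so a score change does not by itself trigger enforcement.

```python
"""Weighted vendor risk score, tier assignment, and a separately configured
policy gate. Added example; weights, tiers and thresholds are hypothetical."""

# Every factor is on a 0..100 scale where higher means more risk.
WEIGHTS = {"vulnerability_exposure": 0.35, "component_health": 0.20,
           "patch_currency": 0.20, "license_risk": 0.10, "sbom_quality": 0.15}
SEVERITY_POINTS = {"CRITICAL": 40, "HIGH": 20, "MEDIUM": 8, "LOW": 2}


def vulnerability_exposure(findings: list[dict]) -> float:
    """Count-and-severity factor, capped so one very bad vendor stays on scale."""
    return float(min(100, sum(SEVERITY_POINTS.get(f["severity"], 0) for f in findings)))


def risk_score(factors: dict[str, float]) -> float:
    """Weighted sum over the five factors; rejects missing or out-of-range input
    rather than silently scoring a vendor on partial data."""
    missing = set(WEIGHTS) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name, value in factors.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be in 0..100, got {value}")
    return round(sum(WEIGHTS[k] * factors[k] for k in WEIGHTS), 1)


def assign_tier(score: float, criticality: str) -> int:
    """Tier 1 gets the tightest monitoring and SLAs. Criticality is the vendor's
    role in your environment (e.g. touches production data) and can pull a
    low-scoring vendor into tier 1 on its own."""
    if criticality == "high" or score >= 70:
        return 1
    if criticality == "medium" or score >= 40:
        return 2
    return 3


# Policy is operational and separate from scoring: the same score can be
# informational for one tier and blocking for another.
GATE_POLICY = {"max_score": {1: 30.0, 2: 50.0, 3: 70.0}, "block_on_critical": True}


def gate(score: float, tier: int, findings: list[dict],
         policy: dict = GATE_POLICY) -> tuple[bool, str]:
    """Deployment decision for a dependency from this vendor."""
    if policy["block_on_critical"] and any(f["severity"] == "CRITICAL" for f in findings):
        return False, "blocked: vendor ships an unpatched CRITICAL finding"
    limit = policy["max_score"][tier]
    if score > limit:
        return False, f"blocked: score {score} exceeds tier {tier} limit {limit}"
    return True, f"allowed: score {score} within tier {tier} limit {limit}"


def evaluate_vendor(findings: list[dict], component_health: float, patch_currency: float,
                    license_risk: float, sbom_quality: float, criticality: str) -> dict:
    factors = {"vulnerability_exposure": vulnerability_exposure(findings),
               "component_health": component_health, "patch_currency": patch_currency,
               "license_risk": license_risk, "sbom_quality": sbom_quality}
    score = risk_score(factors)
    tier = assign_tier(score, criticality)
    allowed, reason = gate(score, tier, findings)
    return {"score": score, "tier": tier, "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    # Constructed inputs: a vendor with one CRITICAL and one MEDIUM finding.
    print(evaluate_vendor([{"severity": "CRITICAL"}, {"severity": "MEDIUM"}],
                          30, 60, 20, 10, "medium"))
    print(evaluate_vendor([], 10, 20, 0, 10, "low"))
```

The first vendor scores 38.3, which would be tier 3 on score alone but lands in tier 2 because of its medium criticality, and is blocked by the gate on the CRITICAL finding regardless of score. The second scores 7.5, tier 3, and passes. Keeping `gate` separate from `risk_score` is what lets a team publish scores for prioritisation while enforcing only the thresholds it has agreed to.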

Architecture Decisions

A few design choices are worth explaining:

We chose SBOM-first, not questionnaire-first. The SBOM is the primary input, not a supplement. Questionnaires are secondary and targeted. This inverts the traditional model and produces more reliable results with less vendor burden.

We made the vendor portal optional. Some organizations will want vendors to self-serve through the portal. Others will want to ingest SBOMs through their procurement workflow. Either approach works. The module does not force a specific vendor engagement model.

We separated risk scoring from policy enforcement. Risk scores are informational — they tell you the current state. Policy gates are operational — they enforce decisions. This separation lets teams use risk scores for prioritization and reporting without coupling every score change to an automated action.

We built the monitoring pipeline to be incremental. When a new CVE is published, the system does not re-analyze every vendor from scratch. It maintains a component index and can identify affected vendors within seconds of a new disclosure. This matters when you are monitoring hundreds of vendors against thousands of CVEs.
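The continuous-monitoring workflow from the earlier section and the incremental component index described in the paragraph above, as one added worked example in Python. It is not Safeguard code. The index maps a package identity (purl without version) to the vendors that ship it, so a new advisory is resolved by one dictionary lookup per affected package instead of a rescan of every vendor; matches are routed by tier, recorded as tracking items, and closed when the vendor's next SBOM no longer carries an affected version. Vendor names, tiers, the routing table and the advisory ranges are constructed (the advisory ids are real CVEs with simplified ranges).

```python
"""Incremental vendor monitoring: inverted index from package identity to the
vendors shipping it, advisory fan-out by tier, and tracking-item lifecycle.
Added example, not Safeguard code; vendors and routing are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"
REQUESTS = "pkg:pypi/requests"
ADVISORIES = {  # OSV-style, real ids, ranges simplified for the example
    "CVE-2021-44228": {"id": "CVE-2021-44228", "affected": [
        {"purl": LOG4J, "ranges": [{"introduced": "2.0", "fixed": "2.15.0"}]}]},
    "CVE-2023-32681": {"id": "CVE-2023-32681", "affected": [
        {"purl": REQUESTS, "ranges": [{"introduced": "2.3.0", "fixed": "2.31.0"}]}]},
}
ROUTING = {1: "security-oncall", 2: "vendor-risk-team", 3: "weekly-digest"}  # hypothetical


def version_key(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in re.findall(r"\d+", v))


def in_range(version: str, rng: dict) -> bool:
    v = version_key(version)
    if v < version_key(rng.get("introduced", "0")):
        return False
    return "fixed" not in rng or v < version_key(rng["fixed"])


@dataclass
class Vendor:
    name: str
    tier: int
    components: dict[str, str]  # purl identity -> shipped version


@dataclass
class TrackingItem:
    vendor: str
    advisory: str
    package: str
    version: str
    status: str = "open"


class VendorMonitor:
    def __init__(self) -> None:
        self.vendors: dict[str, Vendor] = {}
        self.index: dict[str, set[str]] = defaultdict(set)  # package -> vendor names
        self.items: list[TrackingItem] = []

    def onboard(self, vendor: Vendor) -> None:
        self.vendors[vendor.name] = vendor
        for pkg in vendor.components:
            self.index[pkg].add(vendor.name)

    @staticmethod
    def _affected(version: str, advisory: dict, package: str) -> bool:
        return any(in_range(version, r) for aff in advisory["affected"]
                   if aff["purl"] == package for r in aff["ranges"])

    def on_advisory(self, advisory: dict) -> list[tuple[str, str]]:
        """New disclosure: look up only the vendors carrying the affected package,
        open a tracking item per hit, and return (vendor, route) notifications."""
        notices = []
        for aff in advisory["affected"]:
            for name in sorted(self.index.get(aff["purl"], ())):
                vendor = self.vendors[name]
                ver = vendor.components[aff["purl"]]
                if self._affected(ver, advisory, aff["purl"]):
                    self.items.append(TrackingItem(name, advisory["id"], aff["purl"], ver))
                    notices.append((name, ROUTING[vendor.tier]))
        return notices

    def on_vendor_update(self, name: str, new_components: dict[str, str],
                         advisories: dict[str, dict]) -> list[TrackingItem]:
        """Vendor shipped a new SBOM: re-index it and close open items whose
        package is now absent or outside every affected range."""
        vendor = self.vendors[name]
        for pkg in vendor.components:
            self.index[pkg].discard(name)
        vendor.components = new_components
        for pkg in new_components:
            self.index[pkg].add(name)
        closed = []
        for item in self.items:
            if item.vendor != name or item.status != "open":
                continue
            ver = new_components.get(item.package)
            if ver is None or not self._affected(ver, advisories[item.advisory], item.package):
                item.status, item.version = "resolved", ver or "removed"
                closed.append(item)
        return closed


def demo() -> dict:
    m = VendorMonitor()
    m.onboard(Vendor("acme", 1, {LOG4J: "2.14.1"}))
    m.onboard(Vendor("beta", 2, {LOG4J: "2.17.1"}))
    m.onboard(Vendor("gamma", 3, {REQUESTS: "2.31.0"}))
    log4j_notices = m.on_advisory(ADVISORIES["CVE-2021-44228"])
    requests_notices = m.on_advisory(ADVISORIES["CVE-2023-32681"])
    open_items = sum(i.status == "open" for i in m.items)
    closed = m.on_vendor_update("acme", {LOG4J: "2.17.1"}, ADVISORIES)
    return {"log4j_notices": log4j_notices, "requests_notices": requests_notices,
            "open_after_advisory": open_items, "closed_after_update": len(closed),
            "index_size": len(m.index[LOG4J])}


if __name__ == "__main__":
    print(demo())
```

In the scenario only `acme` (tier 1, log4j-core 2.14.1) is notified, to the on-call route; `beta` ships 2.17.1 and `gamma` has no log4j at all, so neither is touched, and `gamma` is not notified for the requests advisory because 2.31.0 is the fixed version. When `acme` uploads an SBOM with 2.17.1 the tracking item is resolved automatically. The cost of `on_advisory` is proportional to the number of vendors shipping the affected package, not the number of vendors onboarded, which is the property the paragraph above is describing.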

Early Adopter Feedback

We have been running Safeguard TPRM with a group of early adopter customers for the past two months. A few patterns have emerged:

Vendor SBOM quality varies enormously. Some vendors provide complete, well-structured SBOMs that pass validation on first upload. Others provide SBOMs with missing fields, inaccurate dependency trees, or component versions that no longer match the build they actually ship. The validation feedback in the vendor portal has been valuable: several vendors told us that the specific, actionable feedback helped them improve their SBOM generation process.

The dynamic questionnaire reduces vendor friction significantly. One early adopter told us their average vendor response time dropped from 31 days to 4 days after switching from their generic questionnaire to Safeguard TPRM's targeted approach. Vendors are more willing to engage when the questions are specific and clearly tied to findings.

Continuous monitoring catches issues that annual assessments miss. Within the first month, three early adopters received vendor risk alerts for newly disclosed vulnerabilities in vendor components that would not have been detected until their next scheduled assessment.

Pricing and Availability

Safeguard TPRM is available today as an add-on module for all Safeguard Enterprise plans. It includes the vendor portal, SBOM-based assessment, continuous monitoring, and policy gate integration. Pricing is based on the number of monitored vendors.

Existing customers can enable the module from the Safeguard dashboard. New customers can request a demo at safeguard.sh/tprm.

How Safeguard.sh Helps

Safeguard TPRM extends our platform's core capabilities — SBOM analysis, vulnerability correlation, and policy enforcement — to the third-party vendor risk domain. Instead of relying on self-reported questionnaires and annual assessments, organizations can evaluate vendor software composition directly, monitor vendor risk continuously, and enforce vendor risk thresholds in their deployment pipelines. Combined with the rest of the Safeguard platform, TPRM provides a unified view of software supply chain risk across both internal and third-party code.
