The vendor

A vendor is any third party your tenant depends on. Each vendor carries a category, a criticality rating, a list of data elements it handles, and the internal contacts who own the relationship. Vendors are created manually or imported from your spend system.

Assessments

A vendor assessment is a structured, step-based questionnaire. Steps are versioned; each step has an AI-assisted evaluation that reads the vendor’s answers against the tenant’s requirements. Approval is explicit (POST /api/assessments/<id>/approve) and audit-logged.

  • GET /api/assessments/<id> — the assessment state.
  • PATCH /api/assessments/<id>/step — advance a step.
  • POST /api/assessments/<id>/approve — approve or reject.

Findings, decisions, alerts

  • Findings (/api/vendor-findings/<vendorId>) — observations from assessments or continuous monitoring.
  • Decisions (/api/vendor-decisions/<vendorId>) — the tenant’s response to findings (accept, remediate, exit).
  • Alerts (/api/vendor-alerts/<vendorId>) — events that require attention (e.g. vendor breach disclosure, certification expiry).

Integration points & data elements

Each vendor integration is described by an integration point: what flows, in which direction, and with what auth. Every integration point ties to a set of data elements. This graph is what blast-radius queries traverse.

Blast radius

  • GET /api/blast-radius/vendor/<vendorId> — if this vendor were compromised, which data elements and downstream systems are exposed?
  • GET /api/blast-radius/data/<dataElementId> — which vendors can touch this data element?

Blast-radius results feed directly into the CRSE loss model (see CRSE).
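The two queries above, sketched over a small integration-point graph. This is an added example, not Draxis code: the field names, ids and inventory are constructed, and "downstream system" is assumed to mean the tenant-side system each integration point connects to.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class IntegrationPoint:
    id: str
    vendor_id: str
    system: str               # tenant-side system (assumed field name)
    direction: str            # "inbound", "outbound" or "bidirectional"
    auth: str
    data_elements: frozenset  # ids of the data elements that flow here

# Constructed sample inventory; none of these ids come from a real tenant.
INTEGRATIONS = [
    IntegrationPoint("ip-1", "v-payroll", "hris", "outbound", "oauth2",
                     frozenset({"employee_pii", "bank_details"})),
    IntegrationPoint("ip-2", "v-payroll", "erp", "bidirectional", "api_key",
                     frozenset({"bank_details"})),
    IntegrationPoint("ip-3", "v-crm", "data-warehouse", "inbound", "oauth2",
                     frozenset({"customer_email"})),
    IntegrationPoint("ip-4", "v-support", "hris", "outbound", "saml",
                     frozenset({"employee_pii"})),
]

def vendor_blast_radius(vendor_id, integrations=INTEGRATIONS):
    """Data elements and tenant systems reachable through one vendor."""
    points = [ip for ip in integrations if ip.vendor_id == vendor_id]
    elements = set()
    for ip in points:
        elements |= ip.data_elements
    return {
        "integration_points": sorted(ip.id for ip in points),
        "data_elements": sorted(elements),
        "systems": sorted({ip.system for ip in points}),
    }

def data_blast_radius(data_element_id, integrations=INTEGRATIONS):
    """Vendors that can touch one data element, with the paths they use."""
    paths = defaultdict(list)
    for ip in integrations:
        if data_element_id in ip.data_elements:
            paths[ip.vendor_id].append((ip.id, ip.direction, ip.auth))
    return {vendor: sorted(p) for vendor, p in paths.items()}

if __name__ == "__main__":
    print(vendor_blast_radius("v-payroll"))
    print(data_blast_radius("bank_details"))
```

Keeping the direction and auth method on each path lets a reviewer see how a vendor reaches a data element, not only that it does.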

Integration drift

GET /api/integration-drift/<vendorId> compares the vendor’s attested integrations against the ones Draxis detected in your environment (via connectors, SSO logs, spend). Drift signals either shadow IT or an outdated assessment.

Playbooks

For each integration Draxis can generate a runbook covering revocation steps, data-recovery paths, and incident-response contacts (POST /api/playbooks/generate/<integrationId>). Playbooks are versioned and live alongside the vendor record.