Supplier Shield is where vendor risk becomes operational. Scan supplier security posture with OSINT, score risk across three dimensions, run AI-evaluated assessment campaigns, and give suppliers a portal to respond, with an immutable audit trail behind every change.
Capabilities
Maintain a searchable register of every supplier. Create records with legal name, classification (Critical, Important, Standard), service description, primary contact, and review frequency. Onboard existing vendor lists in minutes via CSV import with field mapping.
Each supplier's composite risk score is calculated automatically from three rated dimensions: Dependency (x0.4), Penetration (x0.3), and Exposure (x0.3). The composite 1-5 score is colour-coded (green, yellow, red) so procurement, risk, and compliance align on tiering without spreadsheets. Scores are reviewed annually or when scope changes.
Acuna scans every supplier's online presence across DNS configuration, TLS certificates, web security headers, data breach exposure, and reputation. Each supplier receives a composite A-F grade visible in the list and detail views. Scans run automatically when you save a supplier with a domain, or trigger manually from the Risk Exposure tab. Drill down into individual findings with severity levels and evidence.
Launch the same questionnaire to multiple suppliers at once. Select suppliers with full filtering, choose a template, preview the email, and launch. Set a planned start date to schedule campaigns for automatic future launch. The campaign dashboard tracks progress with status badges, completion percentages, and rating summaries. Choose which contact receives the email for each supplier before launching.
When reviewing assessment responses, click Ask Aiko to evaluate to have AI analyse all questions, including uploaded evidence documents, images, and PDFs. Aiko provides evaluation suggestions with confidence scores you can review and adjust before finalising. Real-time progress is shown as Aiko works through each question, and you can cancel at any time.
Suppliers complete questionnaires and upload documents through a dedicated portal. No Acuna account is needed. Submissions flow directly into the supplier's Individual Risk Profile (IRP) with a defensible trail. Evidence stays out of inboxes, and auditors get a documented response chain they can follow. Portal links are preserved when returning assessments for corrections.
Each supplier opens into a unified detail panel, identical whether accessed from Supplier Shield or from Implement > Third Parties. It shows core information, OSINT scan results, risk dimension controls, workspace contacts, all related objects (processes, risks, controls, KPIs) grouped by type with health badges, assessment data, and the immutable activity log.
Store unlimited contacts per vendor with role designations: Primary, Technical, Billing, and Support. Contacts feed into assessment notification distribution lists. Choose which contact receives campaign emails before launching. Archive outdated contacts instead of deleting to preserve the audit trail.
Suppliers show all related objects (processes, risks, controls, KPIs) grouped by type with health and status badges. The interactive process map displays supplier nodes with colour-coded tier badges, fullscreen toggle, and dark mode support. Critical processes are flagged for priority monitoring.
Critical suppliers can require approval for risk score adjustments. Configure approval workflows in Admin > Workflow Designer so changes on high-tier vendors route through designated approvers before taking effect, giving you a governed process for risk reclassification.
Each supplier has a next review date based on review frequency and last assessment. Overdue suppliers are highlighted in the register and in control risk assessments that depend on them. Filter for suppliers due for re-assessment and launch a new campaign directly. Historical assessment responses are retained for trend analysis and audit compliance. Establish a calendar-driven rhythm so critical vendors are evaluated at least annually.
How it works
Create records one-by-one or bulk-import via CSV. Set classification (Critical, Important, Standard), service description, primary contact, and review frequency.
Acuna automatically scans each supplier's domain across DNS, TLS, web headers, breach exposure, and reputation. A composite A-F grade appears in the supplier list and detail view. Drill into individual findings for severity and evidence.
Rate each supplier on Dependency, Penetration, and Exposure. Acuna calculates the weighted composite and assigns a colour-coded tier. Configure approval workflows for critical-tier score changes.
Select a questionnaire template, choose suppliers, set deadlines (or schedule for a future date) and launch. Acuna distributes automatically, tracks response status, and lets you resend reminders to non-responders.
Vendors complete questionnaires via the external portal. When responses come back, click Ask Aiko to evaluate for AI-powered analysis of answers and uploaded evidence (including PDFs and images), with confidence scores you review before finalising.
Track assessment freshness with next review dates. Overdue suppliers are flagged in the register and in linked control risk assessments. Launch follow-up campaigns directly. Retain all historical responses for trend analysis.
Risk scoring
Dependency (x0.4): How critical is this supplier to business continuity? Core services score high; commodity or easily replaceable suppliers score low.
Penetration (x0.3): How deeply integrated is the supplier into your IT, data, or processes? Deep system access scores high; isolated services score low.
Exposure (x0.3): What is the potential impact of a supplier breach, outage, or failure? Financial, operational, and reputational impact drives the score.
Composite score = (Dependency x 0.4) + (Penetration x 0.3) + (Exposure x 0.3).
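A worked version of the formula above, as an added example rather than Acuna's own code: each dimension is rated 1-5, the composite is the weighted sum, and the colour is read off the bands the FAQ publishes (green 1-2, yellow 2.5-3.5, red 4-5). Those bands as stated leave 2.0-2.5 and 3.5-4.0 unassigned, and the page does not say how the product tiers a composite that lands there, so the example reports such scores as unmapped instead of guessing; the enumeration at the end counts how many integer rating combinations are affected.

```python
"""Worked example of the Supplier Shield composite score: added illustration,
not Acuna's code. Weights and colour bands come from the page; what the
product does with a composite that lands between the published bands is
not stated, so this example reports it as "unmapped" rather than guess."""
from dataclasses import dataclass
from itertools import product

# Weights in tenths (x0.4, x0.3, x0.3) so the arithmetic stays exact.
WEIGHT_TENTHS = {"dependency": 4, "penetration": 3, "exposure": 3}

# Published colour bands, inclusive: green 1-2, yellow 2.5-3.5, red 4-5.
BANDS = (("green", 1.0, 2.0), ("yellow", 2.5, 3.5), ("red", 4.0, 5.0))


@dataclass(frozen=True)
class RiskRating:
    dependency: int   # how critical the supplier is to business continuity
    penetration: int  # how deeply it is integrated into IT, data, processes
    exposure: int     # impact of a breach, outage or failure

    def __post_init__(self) -> None:
        for name in WEIGHT_TENTHS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")


def composite_score(rating: RiskRating) -> float:
    """(Dependency x 0.4) + (Penetration x 0.3) + (Exposure x 0.3)."""
    tenths = sum(getattr(rating, name) * w for name, w in WEIGHT_TENTHS.items())
    # Weights sum to 1.0, so the composite stays inside the 1-5 input range.
    return tenths / 10


def colour_tier(score: float) -> str:
    for colour, low, high in BANDS:
        if low <= score <= high:
            return colour
    return "unmapped"  # e.g. 2.3 or 3.8: between the published bands


def unmapped_ratings() -> list[RiskRating]:
    """Every integer rating triple whose composite falls between bands."""
    return [RiskRating(d, p, e) for d, p, e in product(range(1, 6), repeat=3)
            if colour_tier(composite_score(RiskRating(d, p, e))) == "unmapped"]


if __name__ == "__main__":
    for rating in (RiskRating(5, 4, 3), RiskRating(3, 3, 3),
                   RiskRating(1, 2, 2), RiskRating(2, 2, 3)):
        score = composite_score(rating)
        print(f"{rating} -> {score:.1f} {colour_tier(score)}")
    print(f"{len(unmapped_ratings())} of 125 rating combinations fall between bands")
```

Run as written, 30 of the 125 combinations (for instance 2/2/3, composite 2.3) come back unmapped. If your deployment rounds to the nearest band or treats the band edges as half-open, adjust BANDS to match before relying on the colours for approval routing on critical suppliers.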
OSINT Scanner
Acuna automatically scans your suppliers' online presence and assigns a composite A-F grade. Scans trigger when you save a supplier with a domain, or on demand from the Risk Exposure tab.
DNS configuration: Checks SPF, DKIM, DMARC, DNSSEC, and MX records to assess email authentication and domain security posture.
TLS certificates: Validates certificate chain, expiry dates, protocol versions, and cipher strength to flag weak or expired encryption.
Web security headers: Scans for HSTS, Content-Security-Policy, X-Frame-Options, and other HTTP security headers that protect against common web attacks.
Data breach exposure: Checks whether the supplier domain or associated email addresses appear in known data breach databases, with severity classification and exposure timeline.
Reputation: Aggregates reputation signals across threat intelligence sources, blocklists, and web trust indicators to assess overall supplier trustworthiness.
Click any dimension in the supplier detail to drill down into individual findings with severity levels and supporting evidence.
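To make concrete what the DNS and web-header checks above look at, here is an added example (not Acuna's scanner, whose scoring rules the page does not publish) that grades constructed SPF, DMARC and HTTP-header data offline and produces findings with a severity and the evidence behind them. DKIM, DNSSEC, MX, TLS, breach and reputation checks are left out because they need live lookups, a known DKIM selector, or external feeds; the severity weights and the A-F mapping are this example's own assumptions, as are the sample domains and records.

```python
"""Added illustration, not Acuna's scanner: grades two OSINT dimensions the page
names (email authentication via SPF and DMARC; HTTP security headers) against
constructed DNS answers and response headers, so it runs offline. Severity
rules and the A-F mapping are this example's own assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    dimension: str  # "dns" or "headers"
    severity: str   # "high", "medium" or "low"
    title: str
    evidence: str   # the record or header value behind the finding


def check_spf(txt_records: list[str]) -> list[Finding]:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("dns", "high", "No SPF record", "no v=spf1 TXT record")]
    record = spf[0]
    # The trailing "all" mechanism decides the fate of unlisted senders;
    # with no qualifier it defaults to "+" (pass), i.e. anyone may send.
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if m is None:
        return [Finding("dns", "medium", "SPF has no 'all' mechanism", record)]
    qualifier = m.group(1) or "+"
    if qualifier == "+":
        return [Finding("dns", "high", "SPF '+all' authorises any sender", record)]
    if qualifier == "?":
        return [Finding("dns", "medium", "SPF '?all' is neutral, not enforced", record)]
    if qualifier == "~":
        return [Finding("dns", "low", "SPF softfail '~all'; '-all' is stricter", record)]
    return []


def check_dmarc(txt_records: list[str]) -> list[Finding]:
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [Finding("dns", "high", "No DMARC record", "no v=DMARC1 TXT at _dmarc")]
    record = dmarc[0]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        return [Finding("dns", "medium", "DMARC p=none only monitors", record)]
    if policy == "quarantine":
        return [Finding("dns", "low", "DMARC p=quarantine; p=reject is stronger", record)]
    if policy != "reject":
        return [Finding("dns", "high", "DMARC record has no valid p= tag", record)]
    return []


EXPECTED_HEADERS = {  # header -> (severity when absent, finding title)
    "strict-transport-security": ("medium", "Missing HSTS"),
    "content-security-policy": ("medium", "Missing Content-Security-Policy"),
    "x-frame-options": ("low", "Missing X-Frame-Options (clickjacking)"),
    "x-content-type-options": ("low", "Missing X-Content-Type-Options"),
}


def check_headers(headers: dict[str, str]) -> list[Finding]:
    present = {k.lower(): v for k, v in headers.items()}
    csp = present.get("content-security-policy", "")
    findings = []
    for name, (severity, title) in EXPECTED_HEADERS.items():
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        if name not in present:
            findings.append(Finding("headers", severity, title, "header absent"))
    return findings


PENALTY = {"high": 3, "medium": 2, "low": 1}


def letter_grade(findings: list[Finding]) -> str:
    points = sum(PENALTY[f.severity] for f in findings)
    for grade, limit in (("A", 0), ("B", 2), ("C", 4), ("D", 6)):  # assumed bands
        if points <= limit:
            return grade
    return "F"


def scan(domain: str, txt: dict[str, list[str]], headers: dict[str, str]) -> tuple[str, list[Finding]]:
    findings = (check_spf(txt.get(domain, []))
                + check_dmarc(txt.get(f"_dmarc.{domain}", []))
                + check_headers(headers))
    return letter_grade(findings), findings


# Constructed sample answers for hypothetical supplier domains (not real records).
WEAK_TXT = {"weak-supplier.test": ["v=spf1 include:_spf.mailhost.test ~all"],
            "_dmarc.weak-supplier.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-supplier.test"]}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"}
HARDENED_TXT = {"hardened-supplier.test": ["v=spf1 include:_spf.mailhost.test -all"],
                "_dmarc.hardened-supplier.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened-supplier.test"]}
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
                    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                    "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for dom, txt, hdrs in (("weak-supplier.test", WEAK_TXT, WEAK_HEADERS),
                           ("hardened-supplier.test", HARDENED_TXT, HARDENED_HEADERS)):
        grade, found = scan(dom, txt, hdrs)
        print(dom, grade, [(f.severity, f.title) for f in found])
```

The weak profile grades D (softfail SPF, monitor-only DMARC, no Content-Security-Policy, no X-Content-Type-Options) and the hardened one A. The qualifier handling in check_spf is the detail worth keeping: an SPF record that ends in a bare `all` carries the implicit `+` qualifier and authorises every sender to use the domain, so it must be scored as a failure, not as "SPF present".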
Individual Risk Profile
The IRP consolidates everything about a supplier (identity, OSINT security grade, risk posture, contacts, related objects, assessment history with AI evaluation, and a complete activity log) into a single unified detail panel.
Activity log: A chronological, tamper-proof trail tracking every action on the supplier record. Every entry records the actual user name of whoever made the change, enabling full accountability.
Complementary registers
The Supplier Shield register and the Implement > Third Parties view both serve your TPRM programme and open the same supplier detail panel. Use them together for full coverage.
Who uses it
For security leaders who need third-party risk visible next to controls, frameworks, and the risk register instead of in a disconnected spreadsheet.
For TPRM owners who need repeatable campaign workflows (from questionnaire distribution through AI-evaluated responses) without chasing email threads.
For compliance teams that need to demonstrate a structured TPRM programme with scored suppliers, documented assessments, and a clear audit trail.
FAQ
Acuna calculates a composite score from three weighted dimensions: Dependency (x0.4) measures how critical the supplier is to business continuity, Penetration (x0.3) measures how deeply integrated the supplier is into your IT, data, or processes, and Exposure (x0.3) measures the potential impact of a supplier breach or failure. The result is a colour-coded 1-5 score: green (1-2), yellow (2.5-3.5), red (4-5). Scores are reviewed annually or when supplier scope changes materially.
You create a campaign by selecting a questionnaire template and choosing which suppliers to include. Set a response deadline and reminder schedule, then launch. Acuna sends questionnaires to supplier contacts automatically, tracks response rates, and lets you resend reminders to non-responders. Campaigns consolidate third-party evaluation into a repeatable rhythm aligned with your audit calendar.
Each supplier's detail panel shows the full IRP: core information (name, classification, risk score, review frequency), workspace contacts (primary, technical, billing, support), linked business processes with impact flags, assessment data with response status, and an immutable activity log. The activity log tracks every field update, contact change, assessment action, and process linkage with the actual user name and timestamp.
Yes. Suppliers use a dedicated portal to complete questionnaires and upload documents. They receive a link, respond externally, and their submissions flow back into the IRP with a defensible submission trail. No separate login or licence is needed for the supplier.
Yes. Critical suppliers can require approval for risk score adjustments. Configure approval workflows in Admin > Workflow Designer so score changes on high-tier vendors route through designated approvers before taking effect.
There is no limit. Each supplier record supports multiple contact records with role assignments (Primary, Technical, Billing, or Support). Contacts feed into assessment notification distribution lists, and archiving outdated contacts preserves the audit trail instead of deleting history.
Each questionnaire response moves through Not Sent, In Progress, Submitted, Complete. Campaign dashboards show response rates per status so you can identify non-responders at a glance and resend reminders without leaving the view.
The scanner checks five dimensions: DNS configuration (SPF, DKIM, DMARC, DNSSEC, MX), TLS certificates (chain validity, expiry, protocol, cipher), web security headers (HSTS, CSP, X-Frame-Options and others), data breach exposure (domain and email addresses in known breach databases), and reputation (threat intelligence sources, blocklists, web trust signals). Results produce a composite A-F grade with drill-down into individual findings.
Scans run automatically when you save a supplier record with a website domain. You can also trigger a manual re-scan at any time from the Risk Exposure tab in the supplier detail panel. Scan results are stored historically so you can track improvements or regressions over time.
When reviewing supplier assessment responses, click Ask Aiko to evaluate to have Acuna's AI analyse all questions, including uploaded evidence documents, images, and PDFs. Aiko provides evaluation suggestions with confidence scores that you can review and adjust before finalising. Real-time progress is shown as Aiko works through each question, and you can cancel at any time.
Yes. When creating a campaign, you can set a planned start date. The campaign shows a Scheduled badge in the list. When the date arrives, the system automatically launches it and sends emails to all supplier contacts. Campaigns without suppliers assigned are skipped until suppliers are added.
Related answers
Supplier Shield is Acuna's third-party risk management (TPRM) module. It provides a centralised supplier register with automated composite risk scoring across three weighted dimensions, Dependency (x0.4), Penetration (x0.3), and Exposure (x0.3), producing a colour-coded 1-5 score. Features include assessment campaigns with questionnaire distribution and deadline tracking, individual risk profiles with immutable activity logs, a supplier portal for external responses, and lifecycle management with review-date monitoring and CSV bulk import.
Supplier Shield includes an automated OSINT scanner that evaluates five dimensions of a supplier's public internet footprint: DNS configuration (SPF, DKIM, DMARC, DNSSEC, MX), TLS certificate validity and protocol strength, web security headers (HSTS, CSP, X-Frame-Options and others), known data breach exposure, and domain reputation. Findings roll up into a composite A-F grade that appears in the supplier's risk profile alongside the manual Dependency/Penetration/Exposure score, with drill-down into individual findings. Scans run when a supplier is saved with a domain or on demand from the Risk Exposure tab, and results are stored historically so regressions can be tracked.
Get access and our team will walk you through Supplier Shield and the full Acuna platform.