Skip to main content
RBI, SEBI, NPCI, DPDP — Aligned to every major Indian regulatory third-party mandate

Compliance-Focused Vendor Risk Assessment: Audit, Monitor, and Govern Third-Party Risk

Your vendors tell you they are secure. ShadowMap shows you what is actually exposed. Security Brigade bridges the gap between questionnaire answers and observable reality with structured, regulator-aligned vendor risk assessments.

Request a Scoping Call Our Methodology
6,700+
Assessments
700+
Clients
150+
Specialists
20 yrs
In Cybersecurity

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Assess

Security Brigade evaluates your critical vendors against the regulatory framework that applies to you — RBI outsourcing directions, SEBI CSCRF, NPCI third-party requirements, DPDP processor obligations, or your own board-level risk criteria. ShadowMap simultaneously scans each vendor's external attack surface for exposed services, leaked credentials, and shadow assets.

STEP 02

Remediate

Every vendor gap is documented with risk rating, evidence, and actionable remediation guidance. Lemon tracks each finding through a structured workflow — open, in-progress, closed, revalidated — so nothing stays unresolved in a spreadsheet. Vendors can be onboarded into ShadowMap for real-time visibility into remediation progress.

STEP 03

Govern

You receive a regulator-ready vendor risk assessment report, a master gap matrix across all vendors, and a board-level summary of critical third-party risks. For ongoing governance, ShadowMap continuously monitors vendor attack surfaces, credential leaks, and compliance drift — turning a point-in-time audit into an always-on program.

What Is a Compliance-Focused Vendor Risk Assessment?

A compliance-focused vendor risk assessment is a structured audit of your third-party and supplier security controls, aligned to a specific regulatory mandate such as RBI, SEBI CSCRF, NPCI, or DPDP. It evaluates whether vendors handling your data, infrastructure, or payment flows meet the security and governance standards your regulator expects you to enforce.

Who Needs a Vendor Risk Assessment and Why?

Regulatory mandates across India now make structured vendor risk governance a board-level obligation, not optional due diligence.

RBI-Regulated Entities

Banks, NBFCs, and fintechs must audit outsourced IT vendors per RBI outsourcing directions, retaining responsibility for vendor data security and preserving audit rights.

SEBI-Regulated Entities

Market infrastructure institutions, brokers, and intermediaries must assess vendor and cloud stacks for SEBI CSCRF alignment covering cyber resilience, SOC, incident handling, and vulnerability management.

NPCI Ecosystem Participants

PSPs are responsible for ensuring TPAP systems are audited. Annual compliance reports with no open findings are expected by December 31 each year.

DPDP Data Fiduciaries

Organizations processing personal data through third-party processors must validate security safeguards, breach notification readiness, sub-processor controls, and contractual obligations.

Board or Risk-Committee Driven

Enterprises governing critical vendors proactively — evaluating concentration risk, fourth-party exposure, breach history, attack surface, and contractual gaps for board-level reporting.

M&A and Customer Questionnaires

Transaction-driven or assurance-driven assessments mapping vendor controls to ISO 27001, SOC 2, DPDP, GDPR, cloud security, and incident response requirements.

Methodology

3 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery
01

TPRM Questionnaire (What They Say)

Self-reported answers, annual or onboarding only, no external validation, compliance on paper.

Testing
02

ShadowMap VRM (What We Observe)

Continuous external scanning, leaked credential detection, exposed service discovery, attack surface evidence that validates or contradicts questionnaire answers.

Delivery
03

Security Brigade Audit (The Bridge)

Consulting-led assessment that combines questionnaire review, technical validation, ShadowMap intelligence, and regulator-specific control mapping into a single defensible report.

Download methodology whitepaper →
"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Indian Private Sector Bank

Read more client stories →

The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

lemon.securitybrigade.com/project/PRJ-2847
D
C
F
R
T
PROJECT PRJ-2847
Coverage Validation — acmecorp.com
94% covered
Endpoints
247 / 263
Parameters
1,847
Auth Flows
12 / 12
JS Routes
38 / 41
AI flagged 3 undiscovered endpoints
/api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck
L1 Complete
L2 In Review
L3 Pending

Platform Only — ShadowMap VRM

Continuous vendor attack surface monitoring, leaked credential alerts, TPRM questionnaire workflow, risk scoring, and fourth-party visibility. Your team runs the program; ShadowMap provides the intelligence. Best for organizations with mature GRC teams who need the monitoring layer.

Service Only — Consulting-Led Audit

Security Brigade performs a structured vendor risk assessment against your regulatory mandate. You receive vendor-wise assessment reports, a master gap matrix, remediation tracker, and a board-level summary. Best for organizations that need a regulator-ready deliverable or do not have internal capacity to run assessments.

Hybrid — Audit Plus Continuous Monitoring

Security Brigade performs the initial assessment, then onboards your vendors into ShadowMap for ongoing monitoring. Findings from the audit feed directly into the ShadowMap dashboard. You get the defensible report and the always-on governance layer. This is the model most enterprise BFSI clients choose.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

RBI Outsourcing Directions
Due diligence, audit rights, customer da
SEBI CSCRF
Cyber resilience, asset inventory, SOC/M
NPCI Third-Party Audit
UPI/TPAP controls, application and backe
DPDP Processor Due Diligence
What personal data is handled, legal bas
ISO 27001 and SOC 2
International standard mapping for vendo
GDPR Processor Assessment
For Indian companies acting as processor

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSIICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & PaymentsPhonePe, Amazon Pay, Groww, BillDesk
ManufacturingMahindra, Asian Paints, L&T, Hindalco
Retail & ConsumerSwiggy, Sephora, Pernod Ricard, Jubilant
Aviation & LogisticsEtihad Airways, DHL Express, Shadowfax
HealthcareCloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

Request sample report →Read case studies →

Vendor-Wise Assessment Report

Individual report per vendor covering controls, evidence, gaps, risk ratings, and remediation guidance aligned to your regulatory mandate.

Master Gap Matrix

Consolidated view across all assessed vendors showing systemic control gaps, concentration risks, and common weaknesses.

Risk-Ranked Remediation Tracker

Every finding tracked with owner, severity, target closure date, and revalidation status. Managed in Lemon for structured follow-through.

Board and Management Summary

Executive-level pack summarizing critical third-party risks, unresolved exceptions, concentration risks, and recommended actions for board or risk committee presentation.

Regulator-Aligned Control Checklist

For regulator-driven engagements: control checklist with evidence references, observation status, closure requirements, and residual risk — formatted for submission.

ShadowMap VRM Scan Summary (Optional)

External attack surface intelligence for each assessed vendor — exposed services, leaked credentials, shadow assets, and risk score. Included in hybrid engagements.

Audit + Platform

What does the vendor say? vs. What does ShadowMap observe?

TPRM tells you what vendors claim, submit, and attest. VRM tells you what ShadowMap observes independently across attack surface, credential exposure, and dark-web footprint. Together they close the gap between self-attestation and real exposure.

Vendor Risk Management + TPRM

Continuous external scanning, questionnaire workflow, dark-web monitoring, scoring, and remediation tracking — in one platform.

Bridges what vendors say (TPRM) with what ShadowMap observes (VRM).

Explore on ShadowMap
See the full ShadowMap platform 30-day POC available · Platform Only · Service Only · Hybrid

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

Contact us
What is a vendor risk assessment and why do Indian companies need one?+
A vendor risk assessment is a structured evaluation of the security controls, data handling practices, and compliance posture of your third-party vendors. Indian companies need one because regulators including RBI, SEBI, and NPCI now mandate that regulated entities formally assess and govern the risk introduced by their vendor ecosystem. Failure to do so can result in penalties, audit failures, and operational disruption.
What is the difference between TPRM and VRM?+
TPRM, or Third-Party Risk Management, traditionally relies on questionnaires and document review — what the vendor says about their security. VRM, or Vendor Risk Management, adds continuous external monitoring to validate those claims against observable evidence such as exposed services, leaked credentials, and attack surface changes. Security Brigade's hybrid model combines both approaches for a complete picture.
Is a CERT-In empanelled auditor required for vendor risk assessments?+
For certain RBI-mandated audits, including System Audit Reports and Payment Aggregator audits, a CERT-In empanelled auditor is required. For board-driven or DPDP processor assessments, CERT-In empanelment is not legally mandatory but significantly strengthens the credibility and defensibility of the assessment report. Security Brigade is CERT-In empanelled.
How is this different from a generic VAPT engagement?+
A vendor risk assessment evaluates governance, compliance, data handling, contractual controls, and security posture across a vendor organization — not just technical vulnerabilities in a single application. It maps vendor controls to a regulatory framework and produces a compliance-grade deliverable. VAPT may be one component of the assessment but it is not the entire scope.
Can Security Brigade assess vendors we have already onboarded?+
Yes. Most engagements are assessments of existing vendors, not just new-onboarding due diligence. Security Brigade assesses your current critical vendor ecosystem, identifies gaps, and provides a remediation roadmap. ShadowMap can then be used for continuous monitoring of those vendors going forward.
How does ShadowMap help with ongoing vendor risk monitoring?+
ShadowMap's VRM module continuously scans the external attack surface of every vendor in your ecosystem. It detects exposed services, leaked credentials, misconfigured cloud assets, expired certificates, and dark web mentions. This gives you evidence-based, always-on visibility into vendor risk that supplements periodic audit assessments.
What regulatory mandates require a vendor risk assessment in India?+
RBI outsourcing directions require banks and NBFCs to audit technology vendors. SEBI CSCRF requires market intermediaries to assess vendor and cloud stacks. NPCI requires PSPs to audit TPAP systems annually. The DPDP Act requires data fiduciaries to validate processor security safeguards. Additionally, boards and risk committees increasingly mandate vendor risk governance as a best practice.
What does a vendor risk assessment cost?+
Pricing depends on the number of vendors assessed, the regulatory framework applied, the depth of technical testing required, and whether you choose the platform-only, service-only, or hybrid engagement model. Security Brigade provides a detailed scope and quote after an initial scoping call. Most engagements are priced per vendor or as a program-level fixed fee.
How long does a vendor risk assessment take?+
A single-vendor assessment typically takes one to two weeks depending on scope and vendor responsiveness. Multi-vendor programs are batched and run in parallel. ShadowMap VRM scans begin producing results within 24 hours of vendor onboarding. The Lemon platform tracks progress across all vendors in a single dashboard.
Can the assessment cover fourth-party and sub-processor risk?+
Yes. Security Brigade's assessment includes a review of fourth-party dependencies and sub-processor chains where they are relevant to your regulatory obligation. ShadowMap can also surface external exposure introduced by your vendors' own vendors, providing visibility into concentration risk and cascading dependencies.

Start Governing Your Vendor Risk Today

Whether you need a one-time regulator-ready audit, continuous vendor monitoring through ShadowMap, or a hybrid program that combines both — the first step is a 30-minute scoping call.

Request a Scoping Call

Typically responds within 1 business day · No commitment required

Request a Scoping Call