The other 388 are a question your auditor is going to ask. Verisq scores them all — and monitors them daily, no extra invoice — the AI does the work, your team handles the edge cases.
Onboarded in 12 hours. Per-vendor scoring in 30 minutes. 100% AI-drafted, reviewed only where it matters. No analysts to hire. No consultants to onboard.
Verisq doesn't. Continuous external monitoring is part of the platform — every vendor, every day. No separate invoice. No second contract to negotiate. No procurement cycle to run twice.
That's because we own LiveThreat. Most vendor risk platforms don't own their scorecard data — they license it from a third party and pass the cost on. We built the scoring stack ourselves, so it's just part of what you get.
Auto-scoring at 100%. Auto-authored questionnaires from a single description. Auto-extracted SOC 2 reports. Auto-discovered data inventories. Auto-generated RoPAs. Auto-derived findings flowing to the risk register. Every step that was a labor unit becomes a review unit.
One operator runs what used to take a team of analysts. The platform routes ambiguous answers, low-confidence AI scores, and contested findings to a review queue. Everything else closes itself. Your reviewer's job becomes the part that actually requires judgment.
Every AI-drafted score, every reviewer override, every implied rating accepted, every state transition — captured with actor, model version, prompt path, before-state, after-state, and signature. When the auditor asks "did a human review this," the log answers definitively.
Every row is a labor unit Verisq removes. Not a feature. A removed task.
Here's how Verisq does it
First, get the platform live: twelve hours from signup to ready-to-assess. Then, for every vendor you add: thirty minutes from domain entered to scorecard live and assessment dispatched. Two distinct workflows; both run themselves.
From the moment your team signs up. No multi-week implementation, no professional services contract, no consultant hand-holding.
Work email, company name, SKU. No credit card on the Free tier. Tenant provisioned in seconds.
Eight frameworks seeded. Risk tiers auto-populated. Default email templates branded with your logo. No setup wizard to walk through.
SSO, ServiceNow, Jira, Teams, PagerDuty — connect what you use. Each takes 5–10 minutes. Skip what you don't.
Same morning, you're operating. Add your first vendor. Timeline 2 starts.
Every vendor you add. Drop a domain in, walk away, come back to a live scorecard and an assessment already on its way to the vendor. Then continuous monitoring takes over forever.
Type acmecorp.com in the add-vendor field. That's the entire input. No questionnaire to pick, no upload, no integration setup.
DNS, WHOIS, RDAP, subsidiary mapping, alias detection. Pulls company identity, M&A history, executives, jurisdiction. ~50 fields populated.
External attack-surface scan — IPs, ports, certs, sub-services, CVE correlation, breach feed. Outputs the LiveThreat scorecard: 250–900 rating, A–F grade, risk vector breakdown.
Scorecard renders. AI authors the questionnaire from the vendor profile, mapped to your frameworks. Sent to the vendor responder portal. You don't draft a question. You don't pick a template.
Every card below is a labor unit Verisq removes.
QFX is the questionnaire engine that powers every program. AI-authored, auto-scored, framework-mapped. Full conditional logic, evidence capture, signature workflow, save-and-resume on the responder side. It is the engine name your auditor will hear in every conversation.
QFX runs four programs — TPRM, Privacy Reviews, M&A Diligence, Controls Maturity — each with its own subject noun, decision verbs, AI prompt profile, and downstream output handler.
Describe what you need, pick a category and framework, generate. Sectioned questionnaires with control mappings, scoring weights, and conditional logic — drafted automatically by the QFX AI, ready to send.
Assess once. Cover everywhere. Rate a control in one framework; equivalent ratings surface in mapped frameworks for reviewer acceptance. Thousands of mapped pairs across the seeded catalog.
Outside-in scoring, every day. Continuous external risk scoring and breach intelligence via proprietary, industry-aligned methodology. Discrepancy alerts when self-attestation conflicts with external signal.
Every CVE, every component, every day. Ingest SBOMs in CycloneDX or SPDX. Pull from JFrog Xray, GitHub Dependency Graph, AWS Inspector. Findings auto-route to ServiceNow AVR or Jira.
Risks as first-class objects with a six-state lifecycle and five treatment strategies. Auto-generated from assessments, scans, breach feeds, and SOC 2 exception extraction. Accept-strategy plans capture executive approval for SOX and ISO 31000 evidence. Bidirectional sync with ServiceNow and Jira.
Deal-team vocabulary (Green-light / Red-flag), 7-day deadlines, multi-target dispatch for competitive deals, AI prompt profile tuned for in-flight breaches and regulatory exposure.
Self-assessment that the board will read. Controls Maturity programs with CMMI-aligned 1–5 tier ladder, recurring annual cadence, prior-cycle pre-population, longitudinal posture trends.
Drop a SOC 2 PDF; the platform extracts auditor, period, scope, every TSC, every CUEC, every exception, every subservice org. Auto-creates findings for failed CUECs.
Automated database discovery and classification across 241 master attributes in 23 PII categories. RoPA generation in three regulatory formats from one inventory. End-to-end DSAR automation through the public privacy center. The same data inventory feeds discovery, RoPA, DSAR, retention, and consent-aware marketing.
Article 30 done. CCPA disclosure done. Record of Processing Activities derived from the data flow inventory and exported in GDPR Article 30, CCPA/CPRA, or framework-agnostic formats — three regulatory exports from one inventory.
Subjects authenticate to the privacy center, request access, and download their own data. Discovery and classification feed the DSAR workflow without an engineer touching production. Ten-stage lifecycle, jurisdiction-aware SLAs, regulatory evidence package on demand.
Consent-aware list construction. Suppression of withdrawn consent and opted-out subjects propagates automatically. Legal-basis tagging on every export.
Pre-defined policies anchored to regulatory citations (GDPR, HIPAA, SOX, CCPA, ePrivacy) and assignable to datastores or master attributes. Notifications fire before expiry. Marketing-class data eligible for auto-deletion; sensitive categories require operator approval through the deletion runbook.
Seeded, cross-mapped, and ready. NIST CSF 2.0, ISO 27001:2022, SOC 2, 800-53 r5 with FedRAMP Low/Moderate/High, GDPR, HIPAA, PCI DSS 4.0, CIS v18. Tenant-private frameworks for internal standards layer on top.
Assessing one framework establishes posture across mapped controls in all the others. Non-destructive — it surfaces candidates for reviewer acceptance, never auto-writes across frameworks.
Every action — every override, every decision, every implied rating accepted, every AI generation, every state transition, every data flow auto-derived, every DSAR fulfilled — captured with actor, timestamp, before/after state, and free-text justification.
Compliance Pack Export bundles the full trail in a signed archive auditors can verify independently.
Scorecards, scans, send-only assessments. Lifetime cap of 10 vendors — upgrade when you need #11. No card.
Onboard in 12 hours. Score thirty vendors a day. The AI does the work; your team reviews the edge cases. The audit packet writes itself as you go.