CyberTwin
Program tier · Third-party risk

Vendor Breach Simulator — If this vendor is breached, what do they reach inside you?

Your vendor questionnaire asks the wrong question. This asks the right one.

Declare the access a vendor holds into you, and your twin computes what a breach of it reaches — routes to your crowns, priced, and the one cut. No external scan.

We model the access you declare — not the vendor’s posture. The restraint is the point.

No agent · No external scan · No vendor posture guess · Included in the Program tier
The reverse questionnaire

Stop asking the vendor. Ask your own graph.

The questionnaire sends 300 generic questions and hopes the answers correlate with your risk. The simulator inverts it — you already know what access you granted. The output isn’t a score. It’s a route, a dollar figure, and a fix.

The workflow. Name the vendor. Tick what it can reach in your environment — a data store it reads, a network zone it dials into, a host it runs on, a role it can assume. Hit simulate. In seconds you have the modeled blast radius: which crowns it reaches, in how many hops, the dollar band, and the single min-cut that severs every route at once.
The Vendor Breach Simulator surface — declare a vendor's access and the twin computes the modeled blast radius.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
1
Declare

Name the vendor, tick its access

A data store it reads, a zone it dials into, a host it runs on, a role it can assume — facts you control.

2
Simulate

A projected clone takes the hit

The vendor node exists only in a clone of your twin. The engine walks every modeled route from that foothold.

3
Cut

Routes, dollars, and the one cut

Every crown it reaches, priced and labeled modeled — plus the single min-cut that severs every route at once.

The worked example

A vendor breach, priced to your crown.

The row you never get from an external score — the actual routes through your twin, with the total modeled exposure above them. A modeled example from the fictional Acme Capital estate.

Vendor: Acme Managed IT$2,400,000
Acme Managed IT → jump host → prod VPC → cardholder database (crown) · cross-surface · 3 hops · ALE p50 $2.4M
THE ONE CUT

jump host → prod VPC (network.allows) — put the jump host behind a broker with just-in-time access, and all three hops break. The fix to put in the renewal terms.

Printed on the row: this is your twin’s modeled reach IF this vendor is breached, given the access you declared — not a claim the vendor is insecure. A vendor that reaches nothing shows null, never a zero.

Why this is defensible

We don’t grade your vendors. We model your exposure.

External vendor-risk tools scan the third party from the outside and hand you a score. The simulator never touches the vendor — and says so on the screen.

We model your access grant, not their security.

No external scan, no posture score, no guess about the vendor. We model the blast radius of the access YOU declared — a fact you control and can act on. That’s more defensible and more actionable than a letter grade.

The vendor is hypothetical; your twin is untouched.

The vendor node and its edges live only in a projected clone of your twin for the length of the simulation. Your baseline environment model is never mutated.

Reach and dollars are modeled, conditional on breach.

Every path is a modeled “if this vendor is compromised” — never a claim it has been. A vendor that reaches no crown shows null, never a $0 that reads as safe.

What we can’t price, we don’t price.

A reached crown with no dollar profile reads priced=false, not zero. A declared touchpoint that doesn’t resolve to a real node in your twin is reported skipped — never invented.

THE DISTINCTION THAT MATTERS

An external score guesses at a vendor’s security and leaves you to imagine the consequences. We do the opposite: we make no claim about the vendor, and we show you exactly what their access reaches in your environment, in dollars. One is a guess about someone else. The other is a fact about you.

Questions

The same engine that draws your paths.

Do you scan or rate the vendor?
No external scan, no posture score. We model the blast radius of the access you declare — not the vendor’s security. The vendor node lives only in a projected clone of your twin for the length of the simulation.
What if a vendor reaches nothing?
It shows null, never a $0 that reads as safe. Every path is a modeled “if this vendor is compromised” — never a claim it has been. A reached crown we can’t value reads priced=false, not zero.
How is this different from a questionnaire?
A questionnaire asks the vendor 300 generic questions and hopes the answers correlate with your risk. This asks your own graph: the routes through your twin, the dollars above them, and the single cut that severs every one.

We model the access you declare — not the vendor’s posture. Reach and dollars are modeled “if breached”; a vendor that reaches nothing shows null, never a zero.

Coverage

One of your vendors can reach a crown. Which one?

Included in the Program tier — no add-on, no separate SKU.

Cross-stitched from the 15 security tools we support · annotated against 26 distinct MITRE ATT&CK techniques · backed by 9,000 automated tests

Full coverage & honesty detail → /features#coverage

ProgramMost Popular
$36,000/yr
Annual only

The deliverables a senior consulting partner would produce — refreshable, sourced, board-ready.