Vendor Breach Simulator — If this vendor is breached, what do they reach inside you?
Your vendor questionnaire asks the wrong question. This asks the right one.
Declare the access a vendor holds into you, and your twin computes what a breach of it reaches — routes to your crowns, priced, and the one cut. No external scan.
We model the access you declare — not the vendor’s posture. The restraint is the point.
Stop asking the vendor. Ask your own graph.
The questionnaire sends 300 generic questions and hopes the answers correlate with your risk. The simulator inverts it — you already know what access you granted. The output isn’t a score. It’s a route, a dollar figure, and a fix.

Name the vendor, tick its access
A data store it reads, a zone it dials into, a host it runs on, a role it can assume — facts you control.
A projected clone takes the hit
The vendor node exists only in a clone of your twin. The engine walks every modeled route from that foothold.
Routes, dollars, and the one cut
Every crown it reaches, priced and labeled modeled — plus the single min-cut that severs every route at once.
A vendor breach, priced to your crown.
The row you never get from an external score — the actual routes through your twin, with the total modeled exposure above them. A modeled example from the fictional Acme Capital estate.
jump host → prod VPC (network.allows) — put the jump host behind a broker with just-in-time access, and all three hops break. The fix to put in the renewal terms.
Printed on the row: this is your twin’s modeled reach IF this vendor is breached, given the access you declared — not a claim the vendor is insecure. A vendor that reaches nothing shows null, never a zero.
We don’t grade your vendors. We model your exposure.
External vendor-risk tools scan the third party from the outside and hand you a score. The simulator never touches the vendor — and says so on the screen.
We model your access grant, not their security.
No external scan, no posture score, no guess about the vendor. We model the blast radius of the access YOU declared — a fact you control and can act on. That’s more defensible and more actionable than a letter grade.
The vendor is hypothetical; your twin is untouched.
The vendor node and its edges live only in a projected clone of your twin for the length of the simulation. Your baseline environment model is never mutated.
Reach and dollars are modeled, conditional on breach.
Every path is a modeled “if this vendor is compromised” — never a claim it has been. A vendor that reaches no crown shows null, never a $0 that reads as safe.
What we can’t price, we don’t price.
A reached crown with no dollar profile reads priced=false, not zero. A declared touchpoint that doesn’t resolve to a real node in your twin is reported skipped — never invented.
An external score guesses at a vendor’s security and leaves you to imagine the consequences. We do the opposite: we make no claim about the vendor, and we show you exactly what their access reaches in your environment, in dollars. One is a guess about someone else. The other is a fact about you.
The same engine that draws your paths.
Do you scan or rate the vendor?
What if a vendor reaches nothing?
How is this different from a questionnaire?
We model the access you declare — not the vendor’s posture. Reach and dollars are modeled “if breached”; a vendor that reaches nothing shows null, never a zero.
One of your vendors can reach a crown. Which one?
Included in the Program tier — no add-on, no separate SKU.
Cross-stitched from the 15 security tools we support · annotated against 26 distinct MITRE ATT&CK techniques · backed by 9,000 automated tests
Full coverage & honesty detail → /features#coverage
The deliverables a senior consulting partner would produce — refreshable, sourced, board-ready.
If one service account leaks, what does it reach — and what is that worth?
Deep dive →Before you grant an AI agent its scopes: what could those scopes reach?
Deep dive →Your modeled loss vs your declared policy limit — where the limit breaks.
Deep dive →