Why Vendor Security Questionnaires Don’t Work (And What Actually Does)

MAY 24, 2026

Every year, organizations send their vendors a security questionnaire. The vendor fills it out. The security team reviews it. A risk score is recorded. The relationship is approved. Everyone proceeds with a documented sense of assurance.

And every year, a significant portion of those organizations experience a breach that traces back to a vendor who passed their assessment.

54% of organizations experienced a third-party breach in 2025. 30% of all confirmed breaches now involve a third party, double the previous year’s rate. The organizations behind those statistics almost universally had a vendor review process in place. What they lacked was the visibility to know when something changed between reviews.

This post makes the case, with data, that the security questionnaire as the primary TPRM control is structurally inadequate for the current threat environment. Not because questionnaires are inherently useless, but because the assumptions they are built on (that vendors answer honestly, that the assessment reflects current reality, that annual cycles match threat velocity) are false. It then describes what actually works.

Key figures:
- 4% of organizations have high confidence that vendor questionnaire responses match reality (RiskRecon 2025)
- 75% of vendors do not answer security questionnaires or fail to do so on time (Whistic 2025)
- 94% of companies cannot assess all the vendors they want to assess due to resource constraints
- 54% of organizations experienced a third-party breach in 2025; most had an assessment process in place

[Illustration: approved vendor security questionnaires compared with a real-world third-party cyber breach occurring months later.]
Caption: Security questionnaires document the past. Continuous monitoring protects the present.

How We Got Here: The Origins of a Methodology That Has Not Kept Pace

The security questionnaire was designed for a different era of vendor risk. When third-party relationships were fewer, vendor ecosystems were simpler, and attackers did not systematically exploit supply chain access as a primary attack vector, the questionnaire made reasonable operational sense. It created a documented record of a vendor’s claimed security posture. It enabled compliance reporting. It gave procurement teams a structured basis for vendor approval decisions.

The threat environment changed faster than the methodology. The average organization now maintains relationships with 286 third-party vendors. Third-party breach rates have doubled in a single year. Attackers have made supply chain compromise their most economically efficient attack strategy, specifically because they know that the organizations they are targeting trust their vendors and that the questionnaire filed six months ago does not reflect what those vendors look like today.

The methodology stayed the same. The threat did not.

Five Structural Failures of the Questionnaire-Based TPRM Model

The questionnaire model’s inadequacy is not a single problem. It is a constellation of structural failures that compound each other. Addressing any one of them without addressing the others leaves the program fundamentally exposed.

Self-Reported Data Is Not Verified Data: Security questionnaires are, by design, self-assessments. The vendor fills them out. Only 4% of organizations have high confidence that questionnaire responses match reality (RiskRecon 2025). The remaining 96% are making risk decisions based on data they cannot verify. A vendor who answers ‘Yes, we enforce MFA on all systems’ is not necessarily lying; they may genuinely believe it to be true. But belief and verification are not the same thing. Until an external party independently confirms that the control exists and functions as described, the questionnaire answer is an assertion, not evidence.

Annual Cycles Cannot Match Daily Threat Velocity: The most structurally damaging assumption in questionnaire-based TPRM is that an assessment completed once per year accurately represents a vendor’s security posture throughout the year. A vendor who passes an assessment in January can be compromised in February. Their credentials can appear in a stealer log in March. An initial access broker can list confirmed access to their network in April. The questionnaire is silent on all of this. The organization learns about the breach when the vendor discloses it, or when their own data appears on a dark web leak site, with a median disclosure gap of 73 days.

75% of Vendors Do Not Answer Questionnaires On Time: You cannot assess vendors who do not respond. 75% of vendors either do not answer security questionnaires or fail to do so in a timely manner (Whistic 2025). TPRM teams running 400+ assessments per year with no headcount increase are forced to prioritize, follow up repeatedly, and eventually accept incomplete responses or delay approvals. The result is that the highest-risk vendors, those with the worst security posture and therefore the most friction in the assessment process, are often the ones with the most delayed or incomplete assessments.

Scale Is Mathematically Impossible With Manual Processes: The average TPRM team has 8.5 members and is responsible for 286 vendors, a ratio of 33.6 vendors per person. 94% of organizations cannot assess all the vendors they want to assess because they lack the resources (Whistic 2025). 97% say they would do more in-depth assessments if they could. The questionnaire model requires human effort at every step: sending the questionnaire, following up on non-responses, reviewing answers, requesting evidence, scoring the response, and producing a risk rating. At the current ratio of vendors to TPRM staff, thorough assessment of every vendor in the ecosystem is operationally impossible.

Certification Documents Are Not Controls: ISO 27001, SOC 2 Type II, and similar audit certifications are frequently accepted as proxies for security questionnaire responses. They are better than self-assessment in one respect: a third party has verified the claimed controls at a point in time. But they share the fundamental limitation of all periodic assessments: they describe what existed at the time of the audit, not what exists today. A vendor with a current ISO 27001 certificate and a freshly compromised network is not a contradiction. The certificate confirms controls were present when the auditor visited. It says nothing about the 11 months since that visit.

The Fundamental Problem
Every failure listed above stems from the same root cause: questionnaire-based TPRM is a periodic, retrospective, self-reported process being applied to a continuous, forward-looking, externally observable risk surface. The assessment answers the question ‘what did this vendor’s security posture look like when they filled out this form?’ Security decisions require the answer to a different question: ‘what does this vendor’s security posture look like right now?’

What Questionnaires Actually Measure (And What They Cannot)

To be precise: questionnaires are not useless. They capture something real. The problem is organizational confusion about what that something is, and the consequent over-reliance on it as a primary risk signal.

What Questionnaires CAN Measure
✓ Vendor’s documented policies and procedures
✓ Claimed control inventory at a point in time
✓ Organizational commitment to security as a practice
✓ Compliance framework alignment (ISO, SOC 2, NIST)
✓ Vendor’s awareness of basic security requirements
✓ Contractual baseline for minimum security standards

What Questionnaires CANNOT Measure
✗ Whether claimed controls are actually implemented
✗ Changes to security posture since the last assessment
✗ Credential exposure in dark web markets
✗ Active targeting by ransomware or APT groups
✗ Vulnerabilities in vendor-exposed infrastructure
✗ Actual security posture of the vendor’s own third parties

The left column describes useful inputs for onboarding decisions, contractual baseline setting, and compliance documentation. The right column describes the inputs that security decisions require: current, verified, externally observable evidence of a vendor’s actual security posture and active risk exposure. Questionnaires provide the first column. They provide nothing from the second.

The Compliance Theater Problem
When questionnaire completion becomes the primary metric by which TPRM teams are measured, organizations inadvertently create an incentive structure where the goal is completing assessments rather than reducing risk. A TPRM program that has assessed 95% of its vendor portfolio but has no continuous visibility into any of those vendors has documented its exposure extensively without reducing it. Questionnaire completion is activity. It is not security.

What Actually Works: The Continuous Monitoring Model

Continuous monitoring does not replace vendor assessments. It replaces the assumption that a periodic assessment provides current risk intelligence. The operational model shifts from ‘assess vendors periodically and trust the results until the next cycle’ to ‘maintain current external visibility into every vendor’s actual risk exposure at all times.’

Layer 1: External Attack Surface Monitoring

Every vendor’s external-facing infrastructure is observable from the internet: open ports, exposed services, certificate issuance patterns, domain registration activity, and misconfigured cloud resources. This observable surface provides continuous, independently verifiable evidence of a vendor’s actual security posture, without relying on their self-assessment.

A vendor who answers ‘Yes, we have a patch management program’ in a questionnaire but shows 14 unpatched critical CVEs in externally observable services is providing a questionnaire answer that contradicts reality. Continuous external attack surface monitoring surfaces that contradiction in real time, not during the next annual review cycle.
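The contradiction described above can be made mechanical: take the vendor’s ‘Yes’ answers, decide which of them an outside observer can actually test, and hold each testable claim against the findings of an external scan. The following Python is an added example written for this post, not Brandefense’s code or anyone’s product; the questionnaire answers, hostnames and scan findings are constructed, the CVE identifiers are placeholders, and the mapping of claims to contradicting finding types is one reasonable choice among several. It also separates claims that cannot be checked from the internet (MFA, for instance) so they are reported as unverified rather than silently accepted.

```python
from dataclasses import dataclass

# Constructed sample data, not output of any real scanner: one vendor's
# self-reported questionnaire answers beside findings an external
# attack-surface scan of that vendor's internet-facing assets would yield.
# Hostnames are hypothetical and CVE identifiers are placeholders.

@dataclass(frozen=True)
class Finding:
    kind: str       # "unpatched_cve", "plaintext_service", "expired_cert", ...
    severity: str   # "critical", "high", "medium", "low"
    asset: str      # externally observed host
    detail: str = ""

# Questionnaire claims that an outside observer can actually test, and the
# finding that contradicts each one. A severity set of None means any
# severity counts. Claims missing from this map (MFA, backups, internal
# logging) cannot be verified from the internet at all.
VERIFIABLE_CLAIMS = {
    "patch_management": ("unpatched_cve", {"critical", "high"}),
    "tls_everywhere": ("plaintext_service", None),
    "certificate_management": ("expired_cert", None),
}

def reconcile(answers: dict, findings: list) -> dict:
    """Sort each 'Yes' answer into contradicted, consistent or unverifiable.

    'contradicted' maps the claim to the external evidence against it, so an
    analyst can hand the vendor something concrete rather than a score.
    """
    result = {"contradicted": {}, "consistent": [], "unverifiable": []}
    for claim, claimed in answers.items():
        if not claimed:
            continue  # a 'No' is disclosed exposure, not a claim to test
        if claim not in VERIFIABLE_CLAIMS:
            result["unverifiable"].append(claim)
            continue
        kind, severities = VERIFIABLE_CLAIMS[claim]
        evidence = [
            f for f in findings
            if f.kind == kind and (severities is None or f.severity in severities)
        ]
        if evidence:
            result["contradicted"][claim] = evidence
        else:
            result["consistent"].append(claim)
    return result

def contradiction_rate(result: dict) -> float:
    """Share of externally testable 'Yes' answers that the scan contradicted."""
    tested = len(result["contradicted"]) + len(result["consistent"])
    return len(result["contradicted"]) / tested if tested else 0.0

SAMPLE_ANSWERS = {
    "patch_management": True,
    "tls_everywhere": True,
    "certificate_management": True,
    "mfa_all_systems": True,   # not externally observable
    "soc2_type2": False,
}

SAMPLE_FINDINGS = [
    Finding("unpatched_cve", "critical", "vpn.vendor.example", "CVE-PLACEHOLDER-1 on VPN appliance"),
    Finding("unpatched_cve", "medium", "www.vendor.example", "CVE-PLACEHOLDER-2, below the threshold"),
    Finding("expired_cert", "high", "api.vendor.example", "certificate expired 41 days ago"),
]

if __name__ == "__main__":
    r = reconcile(SAMPLE_ANSWERS, SAMPLE_FINDINGS)
    for claim, evidence in r["contradicted"].items():
        print(f"CONTRADICTED {claim}:")
        for f in evidence:
            print(f"    {f.severity:8} {f.asset}  {f.detail}")
    print("consistent:  ", r["consistent"])
    print("unverifiable:", r["unverifiable"])
    print(f"contradiction rate: {contradiction_rate(r):.0%}")
```

On the constructed input, the patch-management and certificate-management claims come back contradicted with the specific hosts as evidence, the TLS claim is consistent, and the MFA claim is listed as unverifiable; the medium-severity CVE is deliberately ignored so that a single low-priority finding does not invalidate a patching claim. The threshold and the claim-to-finding map are the parts a real program would tune.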

Layer 2: Dark Web Credential and Exposure Monitoring

The most predictive indicator of an imminent vendor-related breach is not a questionnaire score. It is the appearance of vendor employee credentials in infostealer log distributions or combolist markets. When a vendor’s staff credentials are found in a stealer log, it means a device in their environment was compromised, credentials were extracted, and those credentials are now available to attackers who may use them to reach your organization through the vendor’s access.

This signal appears before any breach occurs. It appears before any incident disclosure. It appears in the window when an organization still has the opportunity to require credential rotation, suspend vendor access, or force MFA re-enrollment before an attacker validates the compromised credentials. The questionnaire cannot surface this signal at any price. Continuous dark web monitoring provides it continuously.

Layer 3: Threat Actor Targeting Intelligence

Dark web forums and underground markets are where ransomware groups discuss targets, initial access brokers list confirmed access, and threat actors share tools designed to compromise specific platforms. When a vendor’s name appears in these discussions, or when software that vendor deploys appears in active exploitation campaigns, it signals that the vendor is being actively targeted before any breach has occurred.

In 2025, initial access brokers posted 6,406 listings for financial sector access credentials in a single year across monitored forums. For each of those listings, there was a window between when the access was obtained and when it was sold and used. Organizations with continuous dark web monitoring of their vendor ecosystem had a detection opportunity in that window. Organizations relying on annual questionnaires had no visibility at all.

Layer 4: Continuous Vulnerability Intelligence

When a critical vulnerability is disclosed in software that your vendors deploy, the window between disclosure and active exploitation has compressed to hours or days in 2025. A questionnaire completed before the disclosure date provides no information about whether the vendor has patched the vulnerability. Continuous vulnerability intelligence, mapped against your vendor ecosystem’s known technology stack, provides an alert when a disclosed vulnerability is likely to affect a critical vendor, before exploitation occurs.

RELATED READING: Third-Party Risk: How Your Supplier’s Vulnerability Becomes Your Breach (brandefense.io/blog/third-party-risk-supplier-vulnerability-breach). How the Cleo MFT campaign (400+ victims) and the Oracle EBS compromise (Washington Post, GlobalLogic) played out, and why continuous monitoring is the only program that could have caught the early signals.

The Right Model: Questionnaires as Baseline, Continuous Monitoring as Intelligence

The argument here is not that organizations should stop sending security questionnaires. It is that questionnaires should be repositioned from primary risk control to baseline documentation, with continuous external monitoring providing the ongoing risk intelligence that questionnaires structurally cannot deliver.

Function: Onboarding decision
  Questionnaire role: Document the vendor’s claimed security posture and policy compliance as a baseline
  Continuous monitoring role: Independently verify external-facing controls before granting production access

Function: Ongoing risk signal
  Questionnaire role: Reviewed once annually; provides a snapshot of claimed posture at the assessment date
  Continuous monitoring role: Real-time: credential exposure, vulnerability status, dark web targeting, posture changes

Function: Incident early warning
  Questionnaire role: None: a questionnaire cannot detect active compromise
  Continuous monitoring role: Dark web credential alerts, IAB listing detection, ransomware group targeting signals

Function: Scale
  Questionnaire role: Requires significant analyst effort per vendor; 94% of organizations cannot cover all vendors
  Continuous monitoring role: Automated; scales to the full vendor ecosystem without a proportional headcount increase

Function: Contract enforcement
  Questionnaire role: Documents the contractual baseline for minimum security requirements
  Continuous monitoring role: Detects when the vendor’s actual security posture deviates from contracted requirements

Function: Regulatory compliance
  Questionnaire role: Documents due diligence for GDPR, DORA, NIS2, and similar frameworks
  Continuous monitoring role: Demonstrates continuous oversight as required by DORA’s operational resilience mandate

This combined model also addresses the DORA regulatory imperative directly. The EU’s Digital Operational Resilience Act, which came into force in January 2025 for EU-regulated financial entities, requires continuous monitoring of ICT third-party risk, not point-in-time assessments. A questionnaire-only program that has not integrated continuous monitoring is now a compliance gap for any organization subject to DORA, in addition to being a security gap.

The DORA Compliance Imperative
DORA Article 28 requires financial entities to implement a comprehensive ICT third-party risk management policy, including continuous monitoring of ICT third-party service providers. ‘Continuous monitoring’ is not defined as ‘annual assessment.’ For organizations subject to DORA, transitioning from questionnaire-only TPRM to continuous monitoring is not an optional security improvement: it is a regulatory requirement.

How to Transition to a Continuous TPRM Model

The transition from questionnaire-based TPRM to continuous monitoring does not require discarding the existing program. It requires repositioning what already exists and adding the monitoring layers that provide current risk intelligence.

1. Vendor Tiering Based on Risk, Not Just Size: Not all vendors require the same monitoring intensity. Tier vendors by the sensitivity of the data they access, the depth of their system integration, and their criticality to operations. Tier 1 vendors (privileged system access, sensitive data) require full continuous monitoring. Tier 2 vendors (limited data access) require external attack surface monitoring and dark web credential monitoring. Tier 3 vendors (no data access, no system integration) require only periodic questionnaire baseline updates. This tiering focuses monitoring resources where risk is highest.

2. Automate External Attack Surface Discovery: External attack surface monitoring for your vendor ecosystem should be automated, not manual. The goal is to maintain a continuously updated inventory of vendor-exposed infrastructure and to identify security posture changes, new exposures, and vulnerability matches without requiring analyst effort at each discovery event. Alerts should fire when a material change occurs, not on a scheduled review cycle.

3. Integrate Dark Web Monitoring for Vendor Credentials: Dark web monitoring for your own organization’s credentials is now standard practice for mature security programs. Extending that monitoring to cover your Tier 1 and Tier 2 vendors’ domains and employee email addresses closes the most critical blind spot: the window between when a vendor’s credentials are compromised and when they are used to reach your organization. This monitoring should be continuous and should produce actionable alerts, not monthly reports.

4. Reposition Questionnaires as Contractual Baseline Tools: Continue using questionnaires for their genuine purpose: documenting the minimum security standards a vendor has committed to meeting as a condition of the relationship, and providing a structured onboarding assessment for new vendors. Remove questionnaire completion rate as a primary TPRM program success metric and replace it with metrics that reflect actual risk reduction: time to detect vendor credential exposure, number of vendor posture degradations detected and addressed, and percentage of Tier 1 vendors with continuous dark web coverage.

5. Define Response Workflows Before Monitoring Goes Live: Continuous monitoring generates alerts. Those alerts require response workflows that do not yet exist in most questionnaire-based programs. Before deploying continuous monitoring, define: who receives a dark web credential alert for a Tier 1 vendor? What is the response timeline? Can vendor access be suspended pending investigation? Who approves escalation to the vendor for mandatory credential rotation? The monitoring layer is only as effective as the response workflows it feeds.
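The five steps above fit together as one small decision model: a tiering rule (step 1), the monitoring sources each tier must have (steps 2 and 3), the program metrics that replace completion rate (step 4), and a table of response workflows consulted when an alert arrives (step 5). The Python below is an added example illustrating that model end to end; it is not Brandefense’s code or any product’s logic. The vendor names, coverage state, alert timestamps, workflow owners, SLAs and permitted actions are all constructed placeholders that a real program would replace with its own decisions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: str      # "sensitive", "limited" or "none"
    privileged_access: bool    # privileged access into our systems
    operationally_critical: bool

def assign_tier(v: Vendor) -> int:
    """Step 1: tier by data sensitivity, integration depth and criticality."""
    if v.privileged_access or v.data_sensitivity == "sensitive" or v.operationally_critical:
        return 1
    return 2 if v.data_sensitivity == "limited" else 3

# Steps 2-3: continuous sources each tier must have. Tier 3 keeps only the
# periodic questionnaire baseline, so it requires none.
REQUIRED_SOURCES = {
    1: {"attack_surface", "dark_web_credentials", "threat_actor_targeting", "vulnerability_intel"},
    2: {"attack_surface", "dark_web_credentials"},
    3: set(),
}
SIGNAL_SOURCE = {"credential_exposure": "dark_web_credentials",
                 "iab_listing": "threat_actor_targeting",
                 "posture_degradation": "attack_surface"}

# Step 5: workflows written down before monitoring goes live.
# (signal, tier) -> (owner, response SLA in hours, permitted actions).
# Owners, SLAs and actions are placeholders for a real program's decisions.
WORKFLOWS = {
    ("credential_exposure", 1): ("tprm-oncall", 4, ["suspend_vendor_access", "require_credential_rotation", "force_mfa_reenrollment"]),
    ("credential_exposure", 2): ("tprm-analyst", 24, ["require_credential_rotation"]),
    ("iab_listing", 1): ("incident-lead", 2, ["suspend_vendor_access", "notify_vendor"]),
    ("posture_degradation", 1): ("tprm-analyst", 72, ["request_evidence"]),
    ("posture_degradation", 2): ("tprm-analyst", 168, ["request_evidence"]),
}

@dataclass(frozen=True)
class Alert:
    vendor: Vendor
    signal: str
    observed_at: datetime   # when the exposure first existed (e.g. stealer-log timestamp)
    detected_at: datetime   # when monitoring raised it

def route(alert: Alert):
    """Workflow an alert triggers, or None when the vendor's tier is not
    monitored for that signal (a deliberate coverage decision, not a miss)."""
    tier = assign_tier(alert.vendor)
    if SIGNAL_SOURCE[alert.signal] not in REQUIRED_SOURCES[tier]:
        return None
    owner, sla_hours, actions = WORKFLOWS[(alert.signal, tier)]
    return {"vendor": alert.vendor.name, "tier": tier, "owner": owner,
            "respond_by": alert.detected_at + timedelta(hours=sla_hours),
            "actions": actions}

def coverage_gaps(vendors, enabled) -> dict:
    """Vendors whose tier requires sources that are not switched on for them."""
    gaps = {}
    for v in vendors:
        missing = REQUIRED_SOURCES[assign_tier(v)] - enabled.get(v.name, set())
        if missing:
            gaps[v.name] = missing
    return gaps

def tier1_dark_web_coverage_pct(vendors, enabled) -> float:
    """Step 4 metric: share of Tier 1 vendors with dark web credential monitoring on."""
    tier1 = [v for v in vendors if assign_tier(v) == 1]
    covered = [v for v in tier1 if "dark_web_credentials" in enabled.get(v.name, set())]
    return 100.0 * len(covered) / len(tier1) if tier1 else 0.0

def mean_time_to_detect_hours(alerts) -> float:
    """Step 4 metric: average lag between an exposure existing and our alert."""
    lags = [(a.detected_at - a.observed_at).total_seconds() / 3600 for a in alerts]
    return sum(lags) / len(lags) if lags else 0.0

# Constructed portfolio, coverage state and alerts; every name is hypothetical.
VENDORS = [Vendor("payroll-saas", "sensitive", False, True),
           Vendor("msp-remote-admin", "sensitive", True, True),
           Vendor("marketing-analytics", "limited", False, False),
           Vendor("office-catering", "none", False, False)]
ENABLED = {"payroll-saas": REQUIRED_SOURCES[1],
           "msp-remote-admin": {"attack_surface"},   # onboarding unfinished
           "marketing-analytics": {"attack_surface", "dark_web_credentials"}}
ALERTS = [Alert(VENDORS[0], "credential_exposure", datetime(2025, 3, 2, 8), datetime(2025, 3, 2, 14)),
          Alert(VENDORS[2], "iab_listing", datetime(2025, 3, 3, 9), datetime(2025, 3, 3, 11)),
          Alert(VENDORS[3], "credential_exposure", datetime(2025, 3, 4, 0), datetime(2025, 3, 6, 0)),
          Alert(VENDORS[2], "credential_exposure", datetime(2025, 3, 5, 0), datetime(2025, 3, 5, 18))]

if __name__ == "__main__":
    for a in ALERTS:
        print(f"{a.vendor.name:20} {a.signal:20} -> {route(a)}")
    print("coverage gaps:", coverage_gaps(VENDORS, ENABLED))
    print(f"tier 1 dark web coverage: {tier1_dark_web_coverage_pct(VENDORS, ENABLED):.0f}%")
    print(f"mean time to detect: {mean_time_to_detect_hours(ALERTS):.1f}h")
```

Two behaviours are worth noticing. A credential-exposure alert for the Tier 1 payroll vendor is routed to an on-call owner with a four-hour clock and the access-suspension and rotation actions the text lists, while the same signal for the Tier 3 caterer returns nothing, because that tier was deliberately left on the questionnaire baseline. And the coverage-gap report flags the privileged MSP vendor whose onboarding stopped at attack-surface monitoring, which is exactly the kind of Tier 1 vendor the step 4 coverage metric is meant to expose.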

How Brandefense Provides the Continuous TPRM Layer

Brandefense’s threat intelligence platform provides the continuous monitoring layer that complements existing questionnaire-based programs: delivering real-time external risk signals for your vendor ecosystem rather than replacing the documentation and contractual baseline functions that questionnaires serve well.

Brandefense capability, and what it provides that questionnaires cannot:

Vendor External Attack Surface Monitoring: Continuous discovery and assessment of your critical vendors’ externally exposed assets: open ports, unpatched services, misconfigured cloud resources, and certificate anomalies. Independent verification of vendor security posture changes between assessment cycles.

Dark Web Vendor Credential Monitoring: Real-time scanning of infostealer log distributions and dark web credential markets for your vendors’ employee credentials. When a vendor’s staff accounts are compromised, you know before the attacker validates and uses those credentials.

Ransomware Group Targeting Intelligence: Monitoring of ransomware group dark web activity and IAB market listings for access to your vendor ecosystem. Early warning when a vendor is being actively targeted or when confirmed access to a vendor’s network is listed for sale.

Vulnerability Exploitation Intelligence: Alerts when vulnerabilities in software your vendors deploy are being actively exploited in campaigns. Provides a response window before exploitation reaches your specific vendor relationships.

Leak Site Monitoring: Continuous monitoring of active ransomware data leak sites for your vendors’ names. Detects vendor breach disclosures before official notification, often while the incident is still in progress.

DORA-Ready Continuous Coverage: Documented continuous monitoring for ICT third-party service providers as required by DORA Article 28; provides the monitoring record that demonstrates regulatory compliance rather than periodic assessment only.

24/7 Analyst Coverage: All vendor intelligence is supported by continuous analyst review, with escalation protocols for high-severity vendor incidents requiring immediate organizational response.

The questionnaire filed in January answered the question: ‘What did this vendor’s security program look like in January?’ That question is useful for onboarding decisions and contractual baselines. It is not useful for detecting the breach that started in March, the credentials that appeared in an infostealer log in April, or the ransomware group that listed access to the vendor’s network in May.

The 54% of organizations that experienced a third-party breach in 2025 were not lacking questionnaires. They were lacking the continuous visibility to know when their vendor’s security posture had changed since the last time anyone looked.
