Pre-Contract Vendor Due Diligence & Screening | VendorMark by Miles Brothers Consulting

The MNDA is signed.
The deal is moving fast.
Does anyone actually know who this vendor is?

Legal teams, procurement leads, and supply chain VPs all face the same gap: the commercial relationship is underway, but the vendor hasn't been formally checked. Not their cyber posture. Not whether they're on a restricted party list. Not whether they're financially stable enough to be a going concern in 18 months.

VendorMark fills that gap. We produce a structured, documentable screening report — informational intelligence you can attach to your vendor file, reference in contract negotiations, and present to auditors, insurers, or your own board.

Your third-party vendor risk is larger than you think.
And most of it is unscreened.

Not the scary new ones. All of them. The SaaS tools your IT team approved in 2021. The accounting firm your CFO went to college with. The offshore dev shop your CTO "vouches for." The payroll processor you've been using for six years and nobody has thought about since.

Every one of those relationships is a potential regulatory violation, a business continuity failure, or a security incident waiting to be discovered. The question isn't whether you need vendor screening. The question is why you've been running blind this long.

What counts as a "vendor"

Any third party with access to your systems, data, finances, or operational continuity. If they can touch your stuff — or fail in a way that breaks your stuff — they're a vendor.

  • SaaS subscriptions
  • Cloud infrastructure providers
  • Payment processors
  • Law firms
  • Accounting & audit firms
  • IT managed services (MSPs)
  • Software development contractors
  • Staffing agencies
  • Marketing & PR agencies
  • Benefits administrators
  • Logistics & fulfillment partners
  • Background check providers
  • Insurance brokers
  • HR platforms
  • Data analytics tools

Your Cyber Insurer

Underwriters are asking about your vendor oversight program at renewal. If your answer is "we look them up on LinkedIn," that's a premium increase or an exclusion — and after a claim, it's potentially a coverage denial.

Your SOC 2 / ISO 27001 Auditor

Vendor management is a required control in every major framework. Your auditor will ask for your vendor inventory, your assessment process, and your documentation. "We trust them" is not a control.

Your Enterprise Customers

Every enterprise customer sending you a security questionnaire wants to know who your vendors are. Their procurement team and their lawyers are asking if you've screened the parties that touch your — and by extension, their — data.

OFAC & Federal Regulators

Ignorance of a sanctions hit is not a defense. OFAC enforcement doesn't require intent — it requires a transaction. If you paid a vendor on the SDN list, you have a problem regardless of whether you knew. The fine is real. The reputational damage is worse.

Your Own Legal & Compliance Team

General Counsel has been carrying the risk of undocumented vendor relationships for years. When the breach happens, when the vendor goes bankrupt, when the audit flags the gap — GC needs documentation that the company exercised reasonable diligence. "We didn't know" doesn't close the loop.

Your Board & CFO

Directors have fiduciary duty over third-party risk. One supply chain incident, one sanctions violation, one financially distressed vendor taking your critical process down with them — and the board will ask why there was no oversight program. Have an answer ready before the question comes.

The vendors you "know and trust"
are the ones you should be most worried about.

New vendors at least get a second look. The ones who've been in your vendor list for three years? Nobody has touched them since the original contract. But things change. Ownership changes. Financial position deteriorates. Key people leave. A quiet acquisition puts a hostile actor in your supply chain. The relationship you have is with a version of that vendor that may not exist anymore.

SolarWinds was a trusted vendor to 18,000 organizations — including the US Treasury, Homeland Security, and Fortune 500 companies — right up until their software update was pushing nation-state malware. In 2025, nobody at the hundreds of companies using Drift thought of it as a vendor risk — it was just a chat widget integrated into Salesforce. Until attackers used its OAuth tokens to walk straight into their CRM and email. Qantas didn't get breached. Their call center vendor did. 5.7 million customers' data walked out the door anyway. Trust is not due diligence. It's the absence of it.

SolarWinds 2020

Trusted network monitoring vendor. Compromised software update reached 18,000+ customers — including US Treasury and Homeland Security. Attackers were inside for 9+ months before discovery.

Kaseya VSA 2021

Trusted MSP platform. REvil ransomware hit a zero-day and encrypted 1,500 downstream businesses in a single weekend. Many had no idea Kaseya was in their supply chain.

MOVEit / Progress Software 2023

A zero-day in a trusted file transfer tool used by payroll processors, government agencies, and healthcare systems. One vulnerability. 2,600+ downstream organizations breached — including the US Department of Energy, Shell, and British Airways. None of them were the target. They were just customers of the customer.

Okta 2023

Trusted identity provider for thousands of enterprises. Attackers accessed Okta's support system and stole session tokens belonging to Okta customers — including 1Password, Cloudflare, and BeyondTrust. Okta is how you log in to everything. When it's compromised, everything downstream is at risk.

WeWork 2023

Trusted real estate vendor under enterprise contracts with thousands of companies. Filed Chapter 11 with no warning. Long-term agreements became worthless overnight.

Salesloft / Drift 2025

Attackers didn't breach Salesforce — they went through Drift, a chat widget integrated via OAuth. Stolen tokens exposed CRM records and email data across hundreds of organizations. Nobody considered a chat plugin a vendor risk.

Qantas 2025

Not Qantas's systems — a third-party call center vendor. 5.7 million customer records exposed. Qantas had no visibility into how their vendor was secured. The breach wasn't theirs to control. The fallout was.

Ingram Micro 2025

One of the world's largest IT distributors — hit by ransomware. Order systems went offline. Downstream supply chain disruption across a global customer base. When your procurement vendor goes down, your procurement goes with it.

Change Healthcare 2024–2025

Ransomware froze claims processing across thousands of healthcare providers. Final count: 192.7 million individuals impacted — more than half the US population. Still the largest healthcare data breach on record. Vendors that "just handle payments" don't feel like a risk until they take down an entire industry.

Scenario: Vendor is on OFAC SDN list
Discovered by: Regulator / bank
Consequence: Civil penalty up to $1M+ per transaction. Criminal referral possible. No "we didn't know" defense.

Scenario: Vendor breached; your data exposed
Discovered by: Breach notification
Consequence: Your breach, not just theirs. You own notification obligations, regulatory exposure, and customer fallout — even though it happened on their systems.

Scenario: Vendor files for bankruptcy
Discovered by: Your operations team
Consequence: Critical process goes down with them. You had no early warning, no backup plan, and now you're negotiating with a bankruptcy trustee for data access.

Scenario: Vendor is on the BIS Entity List / quietly state-owned
Discovered by: Export control audit
Consequence: Export control violation. Potential criminal liability. Enterprise customer terminates contract for cause. Reputational damage with US government relationships.

Scenario: SOC 2 audit flags vendor management gap
Discovered by: External auditor
Consequence: Finding in audit report. Enterprise customer procurement puts deal on hold. Remediation required before certification renewed. That's the quarter you missed.

Scenario: Cyber insurer asks for vendor program at renewal
Discovered by: Underwriter
Consequence: No documented program = premium increase, sub-limit, or exclusion. After a claim that traces to a vendor? Coverage dispute at the worst possible time.

VendorMark is a managed vendor due diligence service.
Not a platform. Not a dashboard.

VendorMark is a managed screening service. You submit a vendor. We do the work. You get a report. The people running the screen have spent decades doing this — in enterprise security, supply chain risk, and third-party compliance programs at companies far larger and more complex than yours. That's the product.

Plain English

You are not buying software. You are not getting a login. There is no onboarding flow. You are buying the judgment of people who have done this for a long time — applied to your specific vendor, documented in a report you can actually use.

Option A
Hire Someone Full-Time
  • $120K–$160K salary for a qualified vendor risk analyst — if you can find one
  • Add benefits, tools, and overhead — you're at $200K+ before they screen their first vendor
  • They'll spend 6 months building a program before you see a single report
  • When they leave — and they will — you start over
  • You're paying for 40 hours a week when you need 3 reports a quarter
Expensive. Slow. Fragile.
Option B
Buy a SaaS Platform
  • $15K–$80K/year for an enterprise vendor risk platform built for 500-person security teams
  • 3-month implementation before anyone screens anything
  • The platform tells you something is red. It doesn't tell you if it matters for your situation.
  • No one on your team has the background to interpret the findings or know what to do next
  • You're paying for continuous monitoring you don't need — for an active vendor list you haven't built yet
Tools without expertise are just expensive noise.
VendorMark
Managed Screening Service
  • Submit a vendor name, address, and website. That's it.
  • We run 24+ data sources across four risk layers — with the tools already built, calibrated, and in use
  • Analysts with decades in enterprise TPRM, supply chain risk, and cybersecurity interpret the findings
  • You get a report that tells you what the findings mean — not just that they exist
  • You pay per screen. No subscription. No implementation. No empty dashboard.
Right-sized. Ready now. No overhead.
20+ years in enterprise third-party risk — building the programs that Fortune 500 companies use to manage vendor oversight at scale
CISSP and CISA: industry-standard certifications in information security and audit — the same credentials your enterprise customers require of their own risk teams
24+ active data sources across cyber, sanctions, financial, and geopolitical risk — already integrated, already calibrated, no setup on your end

These are not VendorMark's prices. This is what it costs to build and operate an equivalent vendor due diligence capability in-house — the tools, the platforms, and the qualified person you'd need to run them.

Annual licensing cost for the category of tools a proper vendor risk program requires — before a single analyst touches them
Black Kite — Third-Party Cyber Risk
  Annual cost: $15,000–$40,000/yr
  What you still won't have: Someone to interpret which findings are material for your specific vendor relationships and industry context

Dun & Bradstreet (D&B) — Financial Intelligence
  Annual cost: $10,000–$30,000/yr
  What you still won't have: The judgment to distinguish a distressed credit profile from a vendor that's simply early-stage or privately held

Thomson Reuters CLEAR / World-Check — Sanctions & Risk Intelligence
  Annual cost: $15,000–$50,000/yr
  What you still won't have: Experience navigating false positives, name-matching ambiguity, and knowing when a hit requires escalation vs. documentation

Recorded Future / Mandiant — Threat Intelligence
  Annual cost: $25,000–$75,000/yr
  What you still won't have: A security analyst who can contextualize threat intel findings against your actual risk exposure and vendor access level

LexisNexis / RELX — Legal Entity & Litigation Research
  Annual cost: $8,000–$25,000/yr
  What you still won't have: Legal training to assess whether litigation history is routine commercial risk or a pattern that signals structural problems

Sayari / Kharon — Beneficial Ownership & Geopolitical Risk
  Annual cost: $12,000–$35,000/yr
  What you still won't have: Expertise to trace ownership structures across jurisdictions and assess what foreign state-linked relationships actually mean

Archer / ServiceNow GRC / OneTrust — Vendor Risk Management Platform
  Annual cost: $20,000–$80,000/yr
  What you still won't have: A trained program manager to configure, maintain, and run the platform — plus the vendors willing to respond to your questionnaires

Analyst time to operate, interpret & document across all platforms
  Annual cost: $120K–$160K/yr
  What you still won't have: This is the part the tools can't replace. It's also the part that walks out the door when that person finds another job.

Tools alone: $105,000–$335,000/yr + $120K+ staff
  For a program that takes 6–12 months to stand up, requires continuous maintenance, and still depends entirely on the person operating it knowing what they're doing.
Do It Yourself
Build & staff an in-house vendor risk program
7 enterprise tool licenses + 1 qualified analyst + 6-month program build + ongoing maintenance — before a single vendor is screened.
$225K–$495K
Per year — year one only
VendorMark
Managed screening service
No staff. No tools. No implementation. No commitment.
Scales from 1 screen to 100. Cost moves with actual need.
First report in 48 hours. Not 6 months.

Cost ranges are illustrative estimates based on publicly available pricing, analyst research, and industry benchmarks as of 2026. Actual licensing costs vary significantly by contract terms, organization size, user count, data volume, and vendor negotiation. Some platforms do not publish list pricing and quote on a custom basis. These figures are intended to convey order-of-magnitude investment — not represent a specific vendor quote or binding price reference.

Four-layer vendor screening.
One report. Every vendor, before you commit.

No single database covers the full picture. VendorMark runs four independent screening layers across 24+ data sources and consolidates findings into one structured report.

Layer 01

Digital Exposure — Vendor Cyber Risk

Cyber & Attack Surface

What can an attacker see from outside your vendor's perimeter? This layer surfaces observable cyber risk before it becomes your problem.

  • Open ports & exposed infrastructure scanning
  • SSL/TLS certificate health & expiry
  • Email security posture — SPF, DKIM, DMARC
  • Technology stack identification
  • Historical breach exposure
  • Domain threat intelligence & malware associations
Layer 02

Compliance Clearance — Sanctions & Restricted Party Screening

Sanctions, Restricted Party & Debarment

Are you prohibited from doing business with this vendor? Missing a sanctions hit is a compliance failure — and increasingly, an insurance coverage issue.

  • OFAC SDN & all active country sanction programs
  • BIS Denied Persons, Entity List, Unverified, MEU
  • EU, UN, UK HMT consolidated lists
  • State Dept. nonproliferation lists
  • SAM.gov federal debarment & exclusion check
  • PEP (Politically Exposed Persons) screening
Layer 03

Financial Standing — Vendor Financial Risk Assessment

Credit Health, Entity & Litigation

Is this vendor a stable counterparty? A vendor in financial distress is a business continuity risk — and a renegotiation you didn't plan for.

  • Business credit score & payment behavior
  • Bankruptcy, insolvency & distress signals
  • Federal litigation history & court filings
  • SEC EDGAR disclosures (public companies)
  • Legal entity & good standing verification
  • Key officer & UBO surface review
Layer 04

Origin & Ownership — Geopolitical & Supply Chain Risk

Geopolitical Risk & Adverse Media

Where is this vendor truly from, and who ultimately owns it? Country of incorporation doesn't always tell the full story — especially for software, hardware, and data-handling vendors.

  • Country of incorporation & HQ location
  • Country bribery risk & rule-of-law scoring
  • Foreign state-linked ownership flags
  • Adverse media — fraud, settlement, enforcement actions
  • Reputational review — BBB, G2, Trustpilot
  • OFAC country program cross-check

How the pre-contract vendor screening process works.

We designed VendorMark for the realities of pre-contract workflows — no lengthy questionnaires, no required EIN, no delay waiting on vendor cooperation.

Submit Vendor Details

Provide the vendor's name, address, and website. That's it. VendorMark is designed to work from publicly available information — no EIN, no access to vendor systems required.

We Run the Screen

Our analysts run all four layers against 24+ data sources — structured, consistent, and documented. Standard turnaround is 48 hours. Rush delivery available.

Receive Your Report

You receive a formatted PDF report with findings by layer, a risk summary, and documented sources. Ready to file, share with counsel, or reference in contract negotiations.

The vendor due diligence report —
structured for your vendor file.

Every VendorMark report follows a consistent structure — one document covering all four screening layers, with a clear risk summary and documented sources. Formatted to attach to a vendor file, reference in contract negotiations, or present to an auditor.

Section 1
Vendor Profile

Confirmed legal name, address, entity status, and known officers. The baseline facts the rest of the report is built on.

Section 2
Layer Findings

Findings across all four screening layers — Digital Exposure, Compliance Clearance, Financial Standing, and Origin & Ownership — with analyst notes on material items.

Section 3
Risk Summary

A plain-language summary of the overall risk posture, notable flags, and recommended considerations for your team — not a score, a judgment.

Section 4
Source Documentation

Every data source consulted, date of access, and search parameters used — so your vendor file documents the methodology, not just the conclusions.

Reports are point-in-time informational screening documents intended to support internal decision-making. They do not constitute legal advice, a legal opinion, or a compliance certification. See full disclaimer below.

Who uses VendorMark for third-party risk management.

VendorMark is designed for professionals who need documented vendor intelligence — not a SaaS dashboard built for a 500-person security team.

Legal

General Counsel & Legal Operations

You're being asked to approve vendor contracts faster than ever. VendorMark gives you documented screening you can attach to the file — sanctions clearance, litigation history, entity verification — before the ink dries.

Supply Chain

VP Supply Chain & Procurement

Your vendor network is your risk surface. VendorMark flags financially distressed counterparties, restricted party hits, and geopolitical exposure before they become contract renegotiations or regulatory problems.

Compliance & Risk

Compliance Officers & Risk Teams

SOC 2 auditors, cyber insurers, and enterprise customers are all asking about your vendor oversight process. VendorMark gives you a consistent, documentable answer — reports you can produce on demand.

Vendor screening questions, answered.

What information is needed to run a vendor due diligence screen?

Just three things: the vendor's legal name, their address, and their website. VendorMark is designed to work from publicly available information. No EIN required, no vendor cooperation needed, no questionnaire sent to the other party.

How is VendorMark different from a standard vendor background check?

A Google search won't check 130+ global sanctions lists, federal debarment databases, federal court records for litigation, or your vendor's exposed attack surface. VendorMark runs structured checks across 24+ data sources and produces a documented report — not a search results page.

Does a VendorMark report satisfy vendor due diligence requirements?

No. VendorMark reports are informational screening documents intended to support your internal decision-making process. They are not legal opinions, legal advice, or audit certifications. For regulated industries, we recommend using reports in conjunction with your legal and compliance counsel.

How long does a pre-contract vendor screening take?

Standard turnaround is 48 business hours from the time we receive your vendor information. Rush delivery (24 hours) is available. We'll confirm timing when you submit your request.

Can we run batch third-party vendor screening for multiple vendors?

Yes. We work with teams that screen vendors in batches — new supplier onboarding cycles, annual re-screens, or M&A due diligence workflows. Contact us to discuss volume pricing and turnaround options.

What add-ons are available for deeper supply chain due diligence?

Reports come in tiers, and targeted add-ons are available — including deep UBO/ownership research, state-level litigation searches, COI insurance verification, and vendor security questionnaire scoring. Ask about add-on options when you request your sample.

See the report before
you order one.

Request a redacted sample report and see exactly what your team receives — structure, findings format, risk summary, and source documentation.

No commitment required. Typically delivered within one business day.

Important Limitations & Disclaimers
Point-in-Time Analysis Only

Every VendorMark report reflects conditions as of the date the screen was conducted. Vendor circumstances change — financial standing deteriorates, ownership structures shift, sanctions lists are updated, and cyber postures evolve. A report generated today does not represent the state of a vendor in six months. VendorMark does not provide continuous monitoring or real-time alerts of any kind.

No Guarantee of Accuracy or Completeness

VendorMark reports are derived from third-party data sources, public records, and commercial databases. We do not independently verify the accuracy of underlying source data and cannot guarantee that all findings are complete, current, or free of error. Data providers may have coverage gaps, reporting delays, or inaccuracies that are beyond our control and visibility.

Not a Legal Opinion or Compliance Certification

Nothing in a VendorMark report constitutes legal advice, a legal opinion, a compliance determination, or a certification of any kind. Reports are informational screening documents intended to support your internal decision-making process. Regulated industries and high-stakes vendor relationships should involve qualified legal counsel and compliance professionals.

No Assured Outcome or Risk Elimination

A clean VendorMark report does not mean a vendor is without risk — it means no significant adverse findings were identified at the time of screening using the data sources available. Vendor screening reduces exposure and supports documentation; it does not eliminate risk or guarantee that a vendor will perform as expected, remain financially stable, or remain compliant with applicable law.

Not a Substitute for Professional Judgment

VendorMark findings are intended to inform — not replace — the judgment of qualified legal, compliance, procurement, and security professionals within your organization. Material vendor decisions should incorporate your organization's own due diligence standards, contractual requirements, and risk tolerance.

Scope Limitations Apply

Standard screens cover the four layers documented on this page. They do not include state-level civil litigation, insurance certificate verification, deep beneficial ownership tracing, or foreign-language source review unless explicitly purchased as add-ons. No screen covers every possible risk category, and the absence of a finding in an uncovered category should not be interpreted as clearance.

VendorMark is a service of Miles Brothers Consulting, LLC. Use of VendorMark reports is subject to our Terms of Service. Reports are provided for informational purposes only and do not create a professional services relationship beyond the scope of the screening engagement.