Why Supply Chain Risk Is Your Biggest Blind Spot
Gartner predicts that by 2026, 60% of organisations will use cybersecurity risk as a primary determinant in third-party transactions. The reason: supply chain attacks are devastating and accelerating. The SolarWinds breach in 2020 delivered a backdoored software update to roughly 18,000 customers, from which the attackers selected their targets. The MOVEit Transfer breach in 2023 hit 2,600+ organisations through a single file transfer tool, many of them via vendors rather than their own installations. The 3CX supply chain attack in 2023 trojanised a VoIP desktop application used by 600,000 organisations. The average UK business has 5,600 third-party connections according to SecurityScorecard. Each one is a potential entry point.
The Problem with Annual Questionnaires
Most organisations assess vendor risk using annual questionnaires — spreadsheets sent to suppliers asking about their security controls. This approach is fundamentally broken. Questionnaires are self-reported and rarely verified. They capture a point-in-time snapshot that may be outdated within weeks. They do not scale — a business with hundreds of vendors cannot meaningfully assess each one annually. And they miss the most dangerous risks: a vendor might pass their questionnaire in January and suffer a breach in March. Continuous monitoring is the only approach that matches the speed of modern threats.
- Self-reported: vendors mark their own homework
- Point-in-time: outdated within weeks of completion
- Unscalable: cannot meaningfully cover hundreds of vendors
- Reactive: discovers problems after the breach, not before
How Panorays Works
Panorays provides automated, continuous third-party risk management that combines three assessment layers. The external attack surface assessment scans each vendor's internet-facing infrastructure for vulnerabilities, misconfigurations, and exposures, giving you the same view an attacker gets during reconnaissance. The security questionnaire automation uses AI to streamline vendor self-assessments and validates them, flagging answers that contradict the externally observed evidence. The continuous monitoring layer re-scans each vendor and tracks changes in its security posture over time, alerting you when risk increases rather than waiting for the next assessment cycle. Together, these provide a comprehensive, verified, and current view of your supply chain risk.
From MOVEit to Proactive Defence
If you had been using Panorays before the MOVEit breach, your risk dashboard would already have shown which vendors in your supply chain ran MOVEit Transfer on their external estate. Cl0p exploited the flaw as a zero-day before Progress published its advisory, so no tool could have warned you before exploitation began; what continuous inventory gives you is the ability to act on the day of disclosure. When Progress disclosed the vulnerability, Panorays would have updated the risk scores of affected vendors and alerted your team, so you could ask those vendors for patch status and data exposure immediately instead of learning about it weeks later from a breach notification. One caveat applies: the inventory covers what is externally observable or declared by the vendor, so an instance that is not internet-facing and not disclosed in a questionnaire will not appear. Combined with BlackFog's ADX for data exfiltration prevention, you protect both the data your vendors hold and the data on your own network.
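To make the two mechanisms concrete, here is a minimal vendor-posture monitor written as an added example for this page; it is not Panorays or Kyanite Blue code and all vendor names, ports, dates and products are constructed. It diffs successive external observations of each vendor (new exposed service, expiring certificate, breach disclosure) and scores the regressions, and it maps a newly disclosed product such as "MOVEit Transfer" onto the inventory so the exposed vendors can be listed on the day of an advisory. The severity weights, risky-port list and alert threshold are illustrative assumptions, not Panorays' scoring model.

```python
"""Added illustration, not vendor code: continuous vendor-posture monitoring
over constructed data. Two mechanisms are shown:
  1. diffing two successive external scans of a vendor to catch regressions
     between questionnaire cycles;
  2. mapping a product disclosure (e.g. "MOVEit Transfer") onto the inventory.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Observation:
    """One external scan of a vendor's internet-facing estate (constructed)."""
    observed_on: date
    open_ports: set[int]
    tls_expiry: date                                 # earliest cert expiry seen
    software: set[str] = field(default_factory=set)  # products seen in banners/headers
    breach_disclosed: bool = False                   # public breach notice seen


# Assumed policy: services that should rarely be internet-facing, and the
# weight each severity subtracts from a vendor's score (illustrative values).
RISKY_PORTS = {21, 23, 445, 1433, 3389, 5900}
SEVERITY_WEIGHT = {"low": 5, "medium": 15, "high": 25, "critical": 40}


def posture_changes(prev: Observation, cur: Observation) -> list[tuple[str, str]]:
    """Compare two scans and return only regressions as (severity, message)."""
    findings: list[tuple[str, str]] = []
    new_ports = cur.open_ports - prev.open_ports
    for port in sorted(new_ports & RISKY_PORTS):
        findings.append(("high", f"newly exposed risky port {port}"))
    for port in sorted(new_ports - RISKY_PORTS):
        findings.append(("low", f"newly exposed port {port}"))
    days_left = (cur.tls_expiry - cur.observed_on).days
    if days_left < 0:
        findings.append(("critical", "TLS certificate already expired"))
    elif days_left <= 14:
        findings.append(("medium", f"TLS certificate expires in {days_left} days"))
    if cur.breach_disclosed and not prev.breach_disclosed:
        findings.append(("critical", "vendor publicly disclosed a breach"))
    return findings


def risk_score(findings: list[tuple[str, str]], base: int = 100) -> int:
    """Start from a clean 100 and subtract each regression's weight."""
    return max(0, base - sum(SEVERITY_WEIGHT[sev] for sev, _ in findings))


def monitor(snapshots: dict[str, list[Observation]]) -> dict[str, dict]:
    """Diff the two most recent scans of every vendor that has at least two."""
    report = {}
    for vendor, history in snapshots.items():
        if len(history) < 2:
            continue  # nothing to compare yet
        findings = posture_changes(history[-2], history[-1])
        report[vendor] = {"score": risk_score(findings), "findings": findings}
    return report


def exposed_vendors(snapshots: dict[str, list[Observation]], product: str) -> list[str]:
    """Vendors whose latest scan shows the named product; the query you run
    the moment an advisory for that product is published."""
    return sorted(v for v, hist in snapshots.items()
                  if hist and product in hist[-1].software)


def alerts(report: dict[str, dict], threshold: int = 70) -> list[str]:
    """Vendors whose score fell below the threshold or who have a critical finding."""
    return sorted(v for v, r in report.items()
                  if r["score"] < threshold or any(s == "critical" for s, _ in r["findings"]))


# Constructed sample history: two scans per vendor, a month apart.
SNAPSHOTS = {
    "acme-payroll": [
        Observation(date(2023, 5, 1), {443}, date(2023, 9, 1), {"MOVEit Transfer", "nginx"}),
        Observation(date(2023, 6, 1), {443, 3389}, date(2023, 6, 10), {"MOVEit Transfer", "nginx"}),
    ],
    "brightmail-crm": [
        Observation(date(2023, 5, 1), {443}, date(2024, 1, 1), {"Apache httpd"}),
        Observation(date(2023, 6, 1), {443, 8080}, date(2024, 1, 1), {"Apache httpd"},
                    breach_disclosed=True),
    ],
    "cloudstore-backup": [
        Observation(date(2023, 5, 1), {22, 443}, date(2024, 3, 1), {"MOVEit Transfer"}),
        Observation(date(2023, 6, 1), {22, 443}, date(2024, 3, 1), {"MOVEit Transfer"}),
    ],
}

if __name__ == "__main__":
    report = monitor(SNAPSHOTS)
    for vendor, result in report.items():
        print(vendor, result["score"], result["findings"])
    print("alerts:", alerts(report))
    print("exposed to MOVEit Transfer:", exposed_vendors(SNAPSHOTS, "MOVEit Transfer"))
```

Run as-is, the script reports acme-payroll dropping to 60 (a newly exposed RDP port plus a certificate expiring in nine days), brightmail-crm dropping to 55 on a breach disclosure, and cloudstore-backup unchanged; the MOVEit query returns acme-payroll and cloudstore-backup. Note that the product query only sees software visible in external banners or declared by the vendor, which is the same blind spot the caveat above describes.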
Frequently Asked Questions
How many vendors does the average business have?
SecurityScorecard estimates the average business has 5,600 third-party connections. Many organisations significantly undercount their vendor relationships because they do not track SaaS subscriptions, embedded components, and sub-processors.
Can Panorays replace vendor security questionnaires?
Panorays automates and enhances questionnaires rather than eliminating them entirely. Its AI pre-fills responses based on external evidence and previous answers, validates self-reported claims against observable data, and continuously monitors between assessment cycles.
What is the difference between point-in-time and continuous monitoring?
Point-in-time assessment (annual questionnaires, periodic pen tests) captures risk at a single moment. Continuous monitoring re-scans vendors on a schedule and tracks what changed between scans: newly exposed services and vulnerabilities, configuration changes, breach disclosures, and certificate expirations. A vendor that passes a point-in-time assessment can develop critical exposures days later, and only the next scan will reveal them.
How does Panorays fit with the rest of the Kyanite Blue stack?
Panorays handles Layer 4 (third-party risk) in our five-layer approach. Coro covers endpoint protection, Hadrian handles attack surface management, BlackFog provides anti-data-exfiltration, and Kyanite Blue manages the entire stack. Each layer addresses a different part of the attack lifecycle.