investigação avançada
How to Run Vendor and Partner Due Diligence Using Open Source Intelligence
How to Run Vendor and Partner Due Diligence Using Open Source Intelligence
Learn how to conduct vendor and partner due diligence using OSINT. A step-by-step guide covering financial, legal, reputational, and digital risk checks , before you sign any contract.
Alisson Moretto
Founder of Sherlockeye
Why Vendor Due Diligence Can No Longer Be an Afterthought
In 2024, 30% of all data breaches involved a third-party vendor , double the rate from the previous year, according to Verizon's 2025 Data Breach Investigations Report. The average cost of a supply-chain breach has climbed to $4.91 million per incident, and supply-chain compromises take an average of 267 days to detect , longer than virtually any other attack vector.
The financial exposure is only part of the picture. According to IBM's 2025 Cost of a Data Breach Report, 86% of organizations experienced business disruption following a breach that originated in a vendor relationship. And a Gartner analysis found that third-party breaches cost roughly 40% more to remediate than internally originated incidents, due to the complexity of managing incidents across multiple entities and legal jurisdictions.
Beyond cyber risk, the numbers tell a similarly sobering story about operational and compliance risk. A 2024 survey of legal and compliance leaders found that 83% of organizations identified significant vendor risks only after onboarding , during the relationship itself rather than during pre-contract due diligence. Of those risks, 31% resulted in material financial or operational impact.
The uncomfortable truth is that most organizations are either not doing vendor due diligence at all, doing it too shallowly, or doing it once and never revisiting it. In a world where the average enterprise now manages 286 vendors, and where a single compromised partner can cascade failures across an entire supply chain, this is no longer an acceptable approach.
This guide explains how to do vendor due diligence properly , using open source intelligence (OSINT) to surface the risks that questionnaires, certifications, and self-reported financial statements routinely miss.
What Is Vendor Due Diligence?
Vendor due diligence is the systematic process of investigating and assessing a third-party supplier, service provider, or business partner before entering into a contractual relationship , and, critically, on an ongoing basis throughout the relationship.
The goal is to answer a simple question before you sign: Does this vendor pose an unacceptable level of financial, operational, legal, reputational, or security risk to my organization?
Vendor due diligence is distinct from vendor qualification (which focuses on capability) and vendor onboarding (which focuses on integration). Due diligence is specifically about risk assessment , understanding what could go wrong, and deciding whether the risk is acceptable, manageable, or disqualifying.
The scope of a due diligence investigation should be proportional to the vendor's importance and access. A vendor with access to sensitive customer data or critical infrastructure warrants a far more intensive investigation than one supplying office stationery. Most organizations classify vendors into risk tiers , typically high, medium, and low , and apply different due diligence depth at each tier.
The Five Risk Dimensions Every Due Diligence Process Must Cover
A comprehensive vendor due diligence program evaluates risk across five interconnected dimensions:
1. Financial Risk
Can this vendor actually deliver on their commitments? Financial instability is one of the leading causes of vendor failure. A vendor that goes insolvent mid-contract leaves you scrambling for a replacement, often at considerable cost and disruption.
Financial due diligence looks for: signs of financial distress, legal judgments, tax liens, late filings, or capital structure issues that suggest the business may not be viable over the contract term.
2. Legal and Regulatory Risk
Is this vendor operating within the law? Legal due diligence surfaces litigation history, regulatory violations, sanctions exposure, licenses and certifications, and any ongoing investigations or enforcement actions.
In regulated industries , financial services, healthcare, pharmaceuticals, government contracting , the legal standing of your vendors can directly affect your own compliance posture. A vendor under sanctions or subject to regulatory action can make you liable by association.
3. Reputational Risk
What does the market say about this vendor? Reputational risk is often the hardest to quantify but the easiest to miss entirely if you rely only on self-reported data. This includes media coverage (especially negative press), customer reviews, industry reputation, executive backgrounds, and any associations with controversial figures, entities, or events.
Reputational risk is particularly acute for high-profile partnerships where your brand is publicly visible alongside your vendor's.
4. Operational and Security Risk
Can this vendor deliver reliably, and how do they handle data? Operational due diligence examines business continuity planning, service reliability history, subcontractor dependencies, and , critically in modern supply chains , cybersecurity posture.
The digital attack surface of your vendor network is now your attack surface. Their misconfigurations, unpatched systems, and exposed credentials become entry points for attackers targeting you.
5. Integrity and Governance Risk
Who is actually behind this vendor? Integrity risk covers ownership transparency, beneficial ownership structures, political exposure, conflicts of interest, and anti-corruption compliance (including alignment with FCPA, UK Bribery Act, or LGPD in Brazil).
Beneficial ownership obfuscation , where the true controlling parties are hidden behind layers of corporate entities , is a significant red flag in any partnership context.
How OSINT Transforms Vendor Due Diligence
Traditional vendor due diligence has three fundamental limitations:
It relies on self-reported information. Questionnaires, certifications, and financial statements tell you what a vendor wants you to know. They cannot tell you what a vendor is concealing. OSINT looks at what is publicly verifiable , not what is voluntarily disclosed.
It is point-in-time. A due diligence check performed at contract signature reflects the vendor's situation on one day. Vendors can change dramatically , new litigation, ownership changes, financial deterioration, security incidents , without ever notifying you. OSINT enables continuous monitoring.
It is slow and manual. A comprehensive manual due diligence investigation can take days or weeks and requires significant specialist expertise. AI-powered OSINT platforms can surface cross-referenced intelligence across hundreds of sources in seconds.
Open Source Intelligence (OSINT) complements traditional due diligence by mining publicly available data , corporate registries, court records, domain registrations, social media, news archives, breach databases, and much more , to build a verifiable picture of a vendor's true risk profile.
The combination is powerful: traditional due diligence tells you what the vendor claims, OSINT tells you what the evidence shows.
Step-by-Step: Running OSINT-Based Due Diligence on a Vendor
Here is the methodology used by compliance teams, corporate intelligence professionals, and risk analysts when conducting vendor due diligence with open source intelligence.
Step 1: Define the Scope and Risk Tier
Before beginning any investigation, establish:
What is this vendor's role and level of access to systems, data, or critical processes?
What is the risk tier (high, medium, low) based on criticality?
What is the contract value and duration?
Higher-risk, higher-value vendors warrant deeper investigation. Not every vendor needs the same level of scrutiny , but any vendor with access to customer data, financial systems, or core infrastructure should receive a thorough OSINT-based review.
Step 2: Verify Corporate Identity and Legal Standing
Start with the basics: confirm that the vendor is who they say they are.
Corporate registry search , Verify the legal name, registration number, registered address, incorporation date, and current status. In Brazil, search by CNPJ. In the US, check state-level Secretary of State databases. In the UK, consult Companies House.
Beneficial ownership , Who actually controls this company? Look beyond the legal entity to identify ultimate beneficial owners. Shell companies, nominee directors, and complex holding structures are worth investigating further.
Sanctions and watchlists , Screen the company name, key executives, and any known affiliates against OFAC (US), UN, EU, and relevant national sanctions lists.
Licenses and certifications , Verify any industry-specific licenses or certifications the vendor claims (security certifications, professional licenses, regulatory approvals).
Step 3: Research Key Executives and Decision-Makers
A company's risk profile is often inseparable from the individuals leading it. OSINT on senior executives can surface:
Prior business failures , Have key executives led companies that failed, were investigated, or were involved in fraud?
Litigation history , Search court records for civil or criminal proceedings involving executives by name.
Reputational signals , News coverage, professional reputation in industry forums, and social media presence all provide context.
Political exposure , Are any executives Politically Exposed Persons (PEPs)? PEP status requires enhanced due diligence under most anti-money laundering frameworks.
Conflicts of interest , Do executives have undisclosed relationships with competitors, clients, or public officials?
Step 4: Search Legal and Regulatory Records
Court and regulatory records are among the most revealing open sources available:
Search federal and state/national court databases for litigation involving the vendor entity and key personnel
Check regulatory enforcement databases for penalties, investigations, or debarments in your industry
Review labor and employment records for significant workforce disputes, OSHA violations, or discrimination cases (these can signal governance issues)
In Brazil, search for legal proceedings via the CNJ (Conselho Nacional de Justiça) and Receita Federal records
Step 5: Analyze the Digital Footprint
This step is uniquely enabled by OSINT and rarely covered by traditional due diligence processes.
Domain and IP research , Who registered the company's web domains, and when? Do the registrant details match the disclosed corporate information? Are there related domains that suggest brand confusion or deception?
Technology infrastructure , What systems does the vendor use? Are there publicly exposed services, misconfigurations, or outdated software visible in public network scans?
Cloud storage and data exposure , Are there publicly accessible cloud storage buckets (Amazon S3, Azure Blob, Google Cloud) associated with this vendor's domains that contain sensitive data?
Code repository exposure , Has the vendor's development team inadvertently exposed credentials, API keys, or proprietary code in public repositories?
Data breach history , Has the vendor's domain or known email addresses appeared in credential breach databases? This can indicate poor security hygiene.
Step 6: Conduct Media and Reputation Research
Systematic media analysis surfaces reputational risks that never appear in any formal database:
Search major news sources and industry publications for the company name and key executives over the past 3–5 years
Look for negative coverage: fraud allegations, customer complaints, product failures, regulatory criticism, environmental violations, labor disputes
Monitor social media and review platforms for customer sentiment and any emerging controversies
Check industry-specific forums and communities for professional reputation signals
Step 7: Cross-Reference and Synthesize
The real power of OSINT-based due diligence is not in any single source , it is in the cross-referencing of multiple sources. An address that appears in both a corporate filing and a court document. A director whose name appears in connection with a sanctioned entity. A domain registered by someone with a different surname than the company's disclosed ownership.
AI-powered platforms like Sherlockeye automate this cross-referencing step , simultaneously querying hundreds of open sources by company name, CNPJ, domain, executive name, or email address, and surfacing connections that a manual investigator would likely miss entirely.
Step 8: Document and Risk-Rate Your Findings
All findings should be:
Documented with timestamps and source references
Organized by risk dimension (financial, legal, reputational, operational, integrity)
Risk-rated (high, medium, low) based on significance and evidence strength
Reviewed by the appropriate stakeholders (legal, compliance, procurement, security) before contract execution
What to Look For: Red Flags in Vendor Research
Not all findings are equally significant. Here are the most important red flags across each risk dimension:
Corporate and Legal Red Flags
Inconsistencies between self-reported information and publicly verifiable records
Recent incorporation (especially for vendors claiming long operating histories)
Frequent changes of registered address or company name
Dissolved or inactive status in registry records
Multiple related entities with similar names sharing addresses or directors
Litigation history involving fraud, breach of contract, or regulatory violations
Sanctions list matches for the entity, directors, or affiliated companies
Financial Red Flags
Tax liens, judgments, or outstanding legal orders
Evidence of late statutory filings or incomplete financial disclosure
Negative credit signals visible in public records
Signs of rapid growth without apparent legitimate explanation (possible money laundering indicator)
Executive and Personnel Red Flags
Prior involvement in failed, investigated, or fraudulent businesses
Undisclosed roles at competitors, clients, or conflicting entities
PEP status without disclosure
Criminal records or serious civil judgments
Significant discrepancy between public professional profiles and disclosed credentials
Digital and Security Red Flags
Domain registered recently despite claims of long-established history
Registrant details that don't match disclosed corporate information
Publicly exposed cloud storage or misconfigured infrastructure
Credentials or sensitive data found in breach databases associated with company domains
Exposed internal documents or code in public repositories
Reputational Red Flags
Sustained pattern of negative customer or partner reviews
Credible fraud or misconduct allegations in press coverage
Associations with controversies, sanctioned entities, or high-risk jurisdictions
Executive social media activity inconsistent with stated corporate values or practices
Due Diligence by Vendor Type
The depth and focus of vendor due diligence should reflect the specific risk profile of each vendor category.
Technology and SaaS Vendors
Emphasize digital infrastructure assessment, data handling practices, security certifications (SOC 2, ISO 27001), breach history, and the vendor's own third-party dependency chain. Shadow IT risk is acute here , understand which subprocessors have access to data flowing through the vendor.
Financial Service Providers
Prioritize regulatory standing, sanctions screening, AML compliance, PEP exposure among key personnel, and beneficial ownership clarity. Financial services vendors are often subject to enhanced due diligence requirements under FATF, GDPR, and local banking regulations.
Professional Services Firms (Legal, Accounting, Consulting)
Research partner and key personnel backgrounds, conflicts of interest, professional licensing status, and any disciplinary actions by relevant professional bodies. Law firms and accounting firms may have fiduciary obligations that create conflicts with your interests if they also serve competitors or counterparties.
Manufacturing and Physical Suppliers
Emphasize operational stability, quality certifications, labor practices, environmental compliance, and geopolitical risk associated with the vendor's country of operation and supply chain. Physical supply chain disruption risk , especially for single-source suppliers , deserves particular attention.
International and Cross-Border Vendors
Apply heightened scrutiny to vendors operating in high-risk jurisdictions (as defined by FATF, Transparency International's Corruption Perception Index, or US State Department guidance). FCPA, UK Bribery Act, and local anti-corruption laws may impose additional due diligence obligations.
Regulatory Frameworks That Require Vendor Due Diligence
Vendor due diligence is not only good risk management practice , it is increasingly a legal and regulatory obligation. The following frameworks impose specific third-party oversight requirements:
GDPR (EU General Data Protection Regulation) , Requires organizations to conduct due diligence on all data processors (vendors who process personal data) and to establish data processing agreements that specify security and processing obligations.
LGPD (Lei Geral de Proteção de Dados , Brazil) , Brazil's data protection law mirrors GDPR requirements for vendor oversight, requiring organizations to ensure that third parties processing personal data meet equivalent protection standards.
DORA (Digital Operational Resilience Act , EU) , Applies to financial entities and their ICT (information and communication technology) third-party providers, mandating comprehensive risk assessment, contractual requirements, and ongoing monitoring.
NIS2 Directive (EU) , Extends cybersecurity and supply chain risk management requirements across critical sectors, explicitly requiring member states to ensure that organizations manage third-party ICT risks.
FCPA (Foreign Corrupt Practices Act , US) , Requires US companies and their agents to conduct due diligence on foreign business partners to prevent facilitation of bribery, with significant penalties for violations even when the company itself did not directly engage in corrupt acts.
UK Bribery Act , Imposes similar obligations on UK-incorporated companies, with the notable addition of a "failure to prevent bribery" offense that makes organizations liable for the actions of associated third parties if they did not implement adequate preventive procedures.
PCI-DSS , Payment Card Industry Data Security Standard requires assessment of all third-party service providers with access to cardholder data, including ongoing monitoring of their security posture.
From One-Time Check to Continuous Monitoring
One of the most important shifts in modern vendor risk management is the recognition that due diligence is not a one-time event , it is a continuous process.
A vendor that passes a thorough due diligence review at contract signature can develop serious risk exposures over the contract term. Leadership changes, financial deterioration, regulatory penalties, security incidents, reputational crises, and ownership changes are all events that can materially alter a vendor's risk profile without any notification to you.
Organizations that monitor their vendor portfolios continuously detect risks significantly faster and with less financial exposure than those that rely on periodic point-in-time reviews. Key events to monitor on an ongoing basis include:
New litigation or regulatory actions involving the vendor or its key personnel
Changes in corporate ownership or directorship
Media coverage involving negative allegations or controversies
New appearances in breach databases or security incident reports
Domain or infrastructure changes that might indicate financial stress or ownership change
Sanctions list additions for the vendor entity or affiliated persons
AI-powered OSINT platforms enable this kind of continuous monitoring at scale , automatically surfacing changes across hundreds of data sources for an entire vendor portfolio, rather than requiring manual reviews of each vendor individually.
Building a Scalable Due Diligence Program
For organizations managing dozens or hundreds of vendor relationships, an ad-hoc approach to due diligence is neither practical nor sufficient. Here is a framework for building a scalable program:
Establish a Vendor Inventory
You cannot manage risk you don't know about. Start by mapping every third-party vendor relationship, the systems or data they access, the business processes they support, and the contractual terms in place.
Implement Risk Tiering
Not every vendor requires the same depth of scrutiny. Classify vendors by risk tier , based on data access, system access, criticality, and contract value , and define the due diligence requirements for each tier.
Standardize the Investigation Methodology
Define a repeatable process for each risk tier: which sources are checked, what outputs are produced, who reviews findings, and what criteria trigger escalation or rejection.
Use Technology to Scale
Manual due diligence does not scale. For organizations with significant vendor portfolios, AI-powered OSINT platforms dramatically reduce the time and specialist expertise required per investigation while improving consistency and coverage depth.
Sherlockeye enables compliance and procurement teams to investigate vendors by company name, CNPJ, domain, email, IP, or executive name , simultaneously querying hundreds of open sources, cross-referencing results with AI, and surfacing connections and risk signals that manual research would miss. All searches and results are end-to-end encrypted, with a 30-day maximum retention policy.
Define Escalation and Rejection Criteria
Document clear criteria for what constitutes a disqualifying finding versus a risk that can be mitigated with contractual protections, enhanced monitoring, or additional information requests. This prevents inconsistent decision-making and protects the organization from accusations of selective enforcement.
Automate Ongoing Monitoring
Configure continuous monitoring for your highest-risk vendors. Automated alerts triggered by new litigation, media mentions, regulatory actions, or digital risk signals allow your team to respond proactively rather than discovering problems after they become crises.
Frequently Asked Questions
What is the difference between vendor due diligence and a background check?
Background checks typically focus on individuals (criminal records, employment history, credit). Vendor due diligence is a broader organizational assessment that covers the business entity itself , its legal standing, financial health, regulatory history, digital infrastructure, and reputational profile , as well as the key individuals leading it.
How long should vendor due diligence take?
The depth of investigation determines the timeline. A basic OSINT scan of a low-risk vendor can be completed in minutes with the right tools. A comprehensive investigation of a high-risk, high-value vendor , including executive background research, legal database searches, and digital infrastructure analysis , may require several hours to several days, depending on the complexity of the entity and the tools used.
What information can OSINT surface that questionnaires cannot?
OSINT surfaces independently verifiable information from public records, rather than relying on the vendor's self-reported responses. It can reveal litigation history that a vendor chooses not to disclose, security vulnerabilities in their digital infrastructure, negative media coverage, financial distress signals, and beneficial ownership structures that are obscured in self-reported materials.
Is OSINT-based vendor research legal?
Yes. OSINT uses only publicly available information and does not involve unauthorized access to any system or private data. Using public records, news archives, corporate registries, and similar sources to assess business partners is standard practice and legally permissible in virtually all jurisdictions.
How often should we review our existing vendors?
At minimum, high-risk vendors should be reviewed annually, with continuous monitoring for key risk signals in between formal reviews. Medium-risk vendors warrant annual or biannual reviews. Low-risk vendors may be reviewed every two to three years or when a contract renewal triggers reassessment. Significant vendor events (ownership changes, regulatory actions, major incidents) should trigger an immediate unscheduled review regardless of tier.
What should we do if we find red flags during due diligence?
Red flags should be escalated to the appropriate stakeholders (legal, compliance, security, procurement leadership) and documented. Depending on severity, potential responses include: requesting additional information and explanations from the vendor, implementing enhanced contractual protections, requiring third-party audit rights, placing the vendor on enhanced monitoring, renegotiating scope to limit exposure, or rejecting the vendor entirely. The response should be proportional to the severity of the finding and the criticality of the vendor relationship.
How do we handle vendor due diligence across a large vendor portfolio?
Large vendor portfolios require a risk-tiered approach and technology-enabled investigation. Risk-tiering allows you to focus deep investigation on the vendors that pose the most significant risk, while using automated tools to conduct baseline checks across the rest of the portfolio. AI-powered OSINT platforms significantly reduce the per-vendor investigation time without sacrificing coverage depth.
Conclusion
Vendor and partner due diligence has evolved from a compliance checkbox into a business-critical capability. In a world where third-party relationships account for a growing share of organizational risk , cyber breaches, regulatory penalties, financial losses, and reputational crises , the question is not whether to conduct thorough due diligence, but how to do it efficiently and consistently at scale.
Open source intelligence offers a powerful answer: independently verifiable, cross-referenced intelligence from hundreds of public sources, surfaced in seconds rather than days. When combined with traditional due diligence methods, OSINT-based vendor research surfaces the risks that questionnaires miss, the connections that registries don't reveal, and the signals that only emerge when you look at a vendor's entire public footprint , not just the documents they choose to provide.
Start screening your vendors with the depth they deserve. Explore Sherlockeye , the AI-powered OSINT platform built for compliance, legal, and security teams who need verifiable answers before they sign.
Why Vendor Due Diligence Can No Longer Be an Afterthought
In 2024, 30% of all data breaches involved a third-party vendor , double the rate from the previous year, according to Verizon's 2025 Data Breach Investigations Report. The average cost of a supply-chain breach has climbed to $4.91 million per incident, and supply-chain compromises take an average of 267 days to detect , longer than virtually any other attack vector.
The financial exposure is only part of the picture. According to IBM's 2025 Cost of a Data Breach Report, 86% of organizations experienced business disruption following a breach that originated in a vendor relationship. And a Gartner analysis found that third-party breaches cost roughly 40% more to remediate than internally originated incidents, due to the complexity of managing incidents across multiple entities and legal jurisdictions.
Beyond cyber risk, the numbers tell a similarly sobering story about operational and compliance risk. A 2024 survey of legal and compliance leaders found that 83% of organizations identified significant vendor risks only after onboarding , during the relationship itself rather than during pre-contract due diligence. Of those risks, 31% resulted in material financial or operational impact.
The uncomfortable truth is that most organizations are either not doing vendor due diligence at all, doing it too shallowly, or doing it once and never revisiting it. In a world where the average enterprise now manages 286 vendors, and where a single compromised partner can cascade failures across an entire supply chain, this is no longer an acceptable approach.
This guide explains how to do vendor due diligence properly , using open source intelligence (OSINT) to surface the risks that questionnaires, certifications, and self-reported financial statements routinely miss.
What Is Vendor Due Diligence?
Vendor due diligence is the systematic process of investigating and assessing a third-party supplier, service provider, or business partner before entering into a contractual relationship , and, critically, on an ongoing basis throughout the relationship.
The goal is to answer a simple question before you sign: Does this vendor pose an unacceptable level of financial, operational, legal, reputational, or security risk to my organization?
Vendor due diligence is distinct from vendor qualification (which focuses on capability) and vendor onboarding (which focuses on integration). Due diligence is specifically about risk assessment , understanding what could go wrong, and deciding whether the risk is acceptable, manageable, or disqualifying.
The scope of a due diligence investigation should be proportional to the vendor's importance and access. A vendor with access to sensitive customer data or critical infrastructure warrants a far more intensive investigation than one supplying office stationery. Most organizations classify vendors into risk tiers , typically high, medium, and low , and apply different due diligence depth at each tier.
The Five Risk Dimensions Every Due Diligence Process Must Cover
A comprehensive vendor due diligence program evaluates risk across five interconnected dimensions:
1. Financial Risk
Can this vendor actually deliver on their commitments? Financial instability is one of the leading causes of vendor failure. A vendor that goes insolvent mid-contract leaves you scrambling for a replacement, often at considerable cost and disruption.
Financial due diligence looks for: signs of financial distress, legal judgments, tax liens, late filings, or capital structure issues that suggest the business may not be viable over the contract term.
2. Legal and Regulatory Risk
Is this vendor operating within the law? Legal due diligence surfaces litigation history, regulatory violations, sanctions exposure, licenses and certifications, and any ongoing investigations or enforcement actions.
In regulated industries , financial services, healthcare, pharmaceuticals, government contracting , the legal standing of your vendors can directly affect your own compliance posture. A vendor under sanctions or subject to regulatory action can make you liable by association.
3. Reputational Risk
What does the market say about this vendor? Reputational risk is often the hardest to quantify but the easiest to miss entirely if you rely only on self-reported data. This includes media coverage (especially negative press), customer reviews, industry reputation, executive backgrounds, and any associations with controversial figures, entities, or events.
Reputational risk is particularly acute for high-profile partnerships where your brand is publicly visible alongside your vendor's.
4. Operational and Security Risk
Can this vendor deliver reliably, and how do they handle data? Operational due diligence examines business continuity planning, service reliability history, subcontractor dependencies, and , critically in modern supply chains , cybersecurity posture.
The digital attack surface of your vendor network is now your attack surface. Their misconfigurations, unpatched systems, and exposed credentials become entry points for attackers targeting you.
5. Integrity and Governance Risk
Who is actually behind this vendor? Integrity risk covers ownership transparency, beneficial ownership structures, political exposure, conflicts of interest, and anti-corruption compliance (including alignment with FCPA, UK Bribery Act, or LGPD in Brazil).
Beneficial ownership obfuscation , where the true controlling parties are hidden behind layers of corporate entities , is a significant red flag in any partnership context.
How OSINT Transforms Vendor Due Diligence
Traditional vendor due diligence has three fundamental limitations:
It relies on self-reported information. Questionnaires, certifications, and financial statements tell you what a vendor wants you to know. They cannot tell you what a vendor is concealing. OSINT looks at what is publicly verifiable , not what is voluntarily disclosed.
It is point-in-time. A due diligence check performed at contract signature reflects the vendor's situation on one day. Vendors can change dramatically , new litigation, ownership changes, financial deterioration, security incidents , without ever notifying you. OSINT enables continuous monitoring.
It is slow and manual. A comprehensive manual due diligence investigation can take days or weeks and requires significant specialist expertise. AI-powered OSINT platforms can surface cross-referenced intelligence across hundreds of sources in seconds.
Open Source Intelligence (OSINT) complements traditional due diligence by mining publicly available data , corporate registries, court records, domain registrations, social media, news archives, breach databases, and much more , to build a verifiable picture of a vendor's true risk profile.
The combination is powerful: traditional due diligence tells you what the vendor claims, OSINT tells you what the evidence shows.
Step-by-Step: Running OSINT-Based Due Diligence on a Vendor
Here is the methodology used by compliance teams, corporate intelligence professionals, and risk analysts when conducting vendor due diligence with open source intelligence.
Step 1: Define the Scope and Risk Tier
Before beginning any investigation, establish:
What is this vendor's role and level of access to systems, data, or critical processes?
What is the risk tier (high, medium, low) based on criticality?
What is the contract value and duration?
Higher-risk, higher-value vendors warrant deeper investigation. Not every vendor needs the same level of scrutiny , but any vendor with access to customer data, financial systems, or core infrastructure should receive a thorough OSINT-based review.
Step 2: Verify Corporate Identity and Legal Standing
Start with the basics: confirm that the vendor is who they say they are.
Corporate registry search , Verify the legal name, registration number, registered address, incorporation date, and current status. In Brazil, search by CNPJ. In the US, check state-level Secretary of State databases. In the UK, consult Companies House.
Beneficial ownership , Who actually controls this company? Look beyond the legal entity to identify ultimate beneficial owners. Shell companies, nominee directors, and complex holding structures are worth investigating further.
Sanctions and watchlists , Screen the company name, key executives, and any known affiliates against OFAC (US), UN, EU, and relevant national sanctions lists.
Licenses and certifications , Verify any industry-specific licenses or certifications the vendor claims (security certifications, professional licenses, regulatory approvals).
Step 3: Research Key Executives and Decision-Makers
A company's risk profile is often inseparable from the individuals leading it. OSINT on senior executives can surface:
Prior business failures , Have key executives led companies that failed, were investigated, or were involved in fraud?
Litigation history , Search court records for civil or criminal proceedings involving executives by name.
Reputational signals , News coverage, professional reputation in industry forums, and social media presence all provide context.
Political exposure , Are any executives Politically Exposed Persons (PEPs)? PEP status requires enhanced due diligence under most anti-money laundering frameworks.
Conflicts of interest , Do executives have undisclosed relationships with competitors, clients, or public officials?
Step 4: Search Legal and Regulatory Records
Court and regulatory records are among the most revealing open sources available:
Search federal and state/national court databases for litigation involving the vendor entity and key personnel
Check regulatory enforcement databases for penalties, investigations, or debarments in your industry
Review labor and employment records for significant workforce disputes, OSHA violations, or discrimination cases (these can signal governance issues)
In Brazil, search for legal proceedings via the CNJ (Conselho Nacional de Justiça) and Receita Federal records
Step 5: Analyze the Digital Footprint
This step is uniquely enabled by OSINT and rarely covered by traditional due diligence processes.
Domain and IP research , Who registered the company's web domains, and when? Do the registrant details match the disclosed corporate information? Are there related domains that suggest brand confusion or deception?
Technology infrastructure , What systems does the vendor use? Are there publicly exposed services, misconfigurations, or outdated software visible in public network scans?
Cloud storage and data exposure , Are there publicly accessible cloud storage buckets (Amazon S3, Azure Blob, Google Cloud) associated with this vendor's domains that contain sensitive data?
Code repository exposure , Has the vendor's development team inadvertently exposed credentials, API keys, or proprietary code in public repositories?
Data breach history , Has the vendor's domain or known email addresses appeared in credential breach databases? This can indicate poor security hygiene.
Step 6: Conduct Media and Reputation Research
Systematic media analysis surfaces reputational risks that never appear in any formal database:
Search major news sources and industry publications for the company name and key executives over the past 3–5 years
Look for negative coverage: fraud allegations, customer complaints, product failures, regulatory criticism, environmental violations, labor disputes
Monitor social media and review platforms for customer sentiment and any emerging controversies
Check industry-specific forums and communities for professional reputation signals
Step 7: Cross-Reference and Synthesize
The real power of OSINT-based due diligence is not in any single source , it is in the cross-referencing of multiple sources. An address that appears in both a corporate filing and a court document. A director whose name appears in connection with a sanctioned entity. A domain registered by someone with a different surname than the company's disclosed ownership.
AI-powered platforms like Sherlockeye automate this cross-referencing step , simultaneously querying hundreds of open sources by company name, CNPJ, domain, executive name, or email address, and surfacing connections that a manual investigator would likely miss entirely.
Step 8: Document and Risk-Rate Your Findings
All findings should be:
Documented with timestamps and source references
Organized by risk dimension (financial, legal, reputational, operational, integrity)
Risk-rated (high, medium, low) based on significance and evidence strength
Reviewed by the appropriate stakeholders (legal, compliance, procurement, security) before contract execution
What to Look For: Red Flags in Vendor Research
Not all findings are equally significant. Here are the most important red flags across each risk dimension:
Corporate and Legal Red Flags
Inconsistencies between self-reported information and publicly verifiable records
Recent incorporation (especially for vendors claiming long operating histories)
Frequent changes of registered address or company name
Dissolved or inactive status in registry records
Multiple related entities with similar names sharing addresses or directors
Litigation history involving fraud, breach of contract, or regulatory violations
Sanctions list matches for the entity, directors, or affiliated companies
Financial Red Flags
Tax liens, judgments, or outstanding legal orders
Evidence of late statutory filings or incomplete financial disclosure
Negative credit signals visible in public records
Signs of rapid growth without apparent legitimate explanation (possible money laundering indicator)
Executive and Personnel Red Flags
Prior involvement in failed, investigated, or fraudulent businesses
Undisclosed roles at competitors, clients, or conflicting entities
PEP status without disclosure
Criminal records or serious civil judgments
Significant discrepancy between public professional profiles and disclosed credentials
Digital and Security Red Flags
Domain registered recently despite claims of long-established history
Registrant details that don't match disclosed corporate information
Publicly exposed cloud storage or misconfigured infrastructure
Credentials or sensitive data found in breach databases associated with company domains
Exposed internal documents or code in public repositories
Reputational Red Flags
Sustained pattern of negative customer or partner reviews
Credible fraud or misconduct allegations in press coverage
Associations with controversies, sanctioned entities, or high-risk jurisdictions
Executive social media activity inconsistent with stated corporate values or practices
Due Diligence by Vendor Type
The depth and focus of vendor due diligence should reflect the specific risk profile of each vendor category.
Technology and SaaS Vendors
Emphasize digital infrastructure assessment, data handling practices, security certifications (SOC 2, ISO 27001), breach history, and the vendor's own third-party dependency chain. Shadow IT risk is acute here , understand which subprocessors have access to data flowing through the vendor.
Financial Service Providers
Prioritize regulatory standing, sanctions screening, AML compliance, PEP exposure among key personnel, and beneficial ownership clarity. Financial services vendors are often subject to enhanced due diligence requirements under FATF, GDPR, and local banking regulations.
Professional Services Firms (Legal, Accounting, Consulting)
Research partner and key personnel backgrounds, conflicts of interest, professional licensing status, and any disciplinary actions by relevant professional bodies. Law firms and accounting firms may have fiduciary obligations that create conflicts with your interests if they also serve competitors or counterparties.
Manufacturing and Physical Suppliers
Emphasize operational stability, quality certifications, labor practices, environmental compliance, and geopolitical risk associated with the vendor's country of operation and supply chain. Physical supply chain disruption risk , especially for single-source suppliers , deserves particular attention.
International and Cross-Border Vendors
Apply heightened scrutiny to vendors operating in high-risk jurisdictions (as defined by FATF, Transparency International's Corruption Perception Index, or US State Department guidance). FCPA, UK Bribery Act, and local anti-corruption laws may impose additional due diligence obligations.
Regulatory Frameworks That Require Vendor Due Diligence
Vendor due diligence is not only good risk management practice , it is increasingly a legal and regulatory obligation. The following frameworks impose specific third-party oversight requirements:
GDPR (EU General Data Protection Regulation) , Requires organizations to conduct due diligence on all data processors (vendors who process personal data) and to establish data processing agreements that specify security and processing obligations.
LGPD (Lei Geral de Proteção de Dados , Brazil) , Brazil's data protection law mirrors GDPR requirements for vendor oversight, requiring organizations to ensure that third parties processing personal data meet equivalent protection standards.
DORA (Digital Operational Resilience Act , EU) , Applies to financial entities and their ICT (information and communication technology) third-party providers, mandating comprehensive risk assessment, contractual requirements, and ongoing monitoring.
NIS2 Directive (EU) , Extends cybersecurity and supply chain risk management requirements across critical sectors, explicitly requiring member states to ensure that organizations manage third-party ICT risks.
FCPA (Foreign Corrupt Practices Act , US) , Requires US companies and their agents to conduct due diligence on foreign business partners to prevent facilitation of bribery, with significant penalties for violations even when the company itself did not directly engage in corrupt acts.
UK Bribery Act , Imposes similar obligations on UK-incorporated companies, with the notable addition of a "failure to prevent bribery" offense that makes organizations liable for the actions of associated third parties if they did not implement adequate preventive procedures.
PCI-DSS , Payment Card Industry Data Security Standard requires assessment of all third-party service providers with access to cardholder data, including ongoing monitoring of their security posture.
From One-Time Check to Continuous Monitoring
One of the most important shifts in modern vendor risk management is the recognition that due diligence is not a one-time event , it is a continuous process.
A vendor that passes a thorough due diligence review at contract signature can develop serious risk exposures over the contract term. Leadership changes, financial deterioration, regulatory penalties, security incidents, reputational crises, and ownership changes are all events that can materially alter a vendor's risk profile without any notification to you.
Organizations that monitor their vendor portfolios continuously detect risks significantly faster and with less financial exposure than those that rely on periodic point-in-time reviews. Key events to monitor on an ongoing basis include:
New litigation or regulatory actions involving the vendor or its key personnel
Changes in corporate ownership or directorship
Media coverage involving negative allegations or controversies
New appearances in breach databases or security incident reports
Domain or infrastructure changes that might indicate financial stress or ownership change
Sanctions list additions for the vendor entity or affiliated persons
AI-powered OSINT platforms enable this kind of continuous monitoring at scale , automatically surfacing changes across hundreds of data sources for an entire vendor portfolio, rather than requiring manual reviews of each vendor individually.
Building a Scalable Due Diligence Program
For organizations managing dozens or hundreds of vendor relationships, an ad-hoc approach to due diligence is neither practical nor sufficient. Here is a framework for building a scalable program:
Establish a Vendor Inventory
You cannot manage risk you don't know about. Start by mapping every third-party vendor relationship, the systems or data they access, the business processes they support, and the contractual terms in place.
Implement Risk Tiering
Not every vendor requires the same depth of scrutiny. Classify vendors by risk tier , based on data access, system access, criticality, and contract value , and define the due diligence requirements for each tier.
Standardize the Investigation Methodology
Define a repeatable process for each risk tier: which sources are checked, what outputs are produced, who reviews findings, and what criteria trigger escalation or rejection.
Use Technology to Scale
Manual due diligence does not scale. For organizations with significant vendor portfolios, AI-powered OSINT platforms dramatically reduce the time and specialist expertise required per investigation while improving consistency and coverage depth.
Sherlockeye enables compliance and procurement teams to investigate vendors by company name, CNPJ, domain, email, IP, or executive name , simultaneously querying hundreds of open sources, cross-referencing results with AI, and surfacing connections and risk signals that manual research would miss. All searches and results are end-to-end encrypted, with a 30-day maximum retention policy.
Define Escalation and Rejection Criteria
Document clear criteria for what constitutes a disqualifying finding versus a risk that can be mitigated with contractual protections, enhanced monitoring, or additional information requests. This prevents inconsistent decision-making and protects the organization from accusations of selective enforcement.
Automate Ongoing Monitoring
Configure continuous monitoring for your highest-risk vendors. Automated alerts triggered by new litigation, media mentions, regulatory actions, or digital risk signals allow your team to respond proactively rather than discovering problems after they become crises.
Frequently Asked Questions
What is the difference between vendor due diligence and a background check?
Background checks typically focus on individuals (criminal records, employment history, credit). Vendor due diligence is a broader organizational assessment that covers the business entity itself , its legal standing, financial health, regulatory history, digital infrastructure, and reputational profile , as well as the key individuals leading it.
How long should vendor due diligence take?
The depth of investigation determines the timeline. A basic OSINT scan of a low-risk vendor can be completed in minutes with the right tools. A comprehensive investigation of a high-risk, high-value vendor , including executive background research, legal database searches, and digital infrastructure analysis , may require several hours to several days, depending on the complexity of the entity and the tools used.
What information can OSINT surface that questionnaires cannot?
OSINT surfaces independently verifiable information from public records, rather than relying on the vendor's self-reported responses. It can reveal litigation history that a vendor chooses not to disclose, security vulnerabilities in their digital infrastructure, negative media coverage, financial distress signals, and beneficial ownership structures that are obscured in self-reported materials.
Is OSINT-based vendor research legal?
Yes. OSINT uses only publicly available information and does not involve unauthorized access to any system or private data. Using public records, news archives, corporate registries, and similar sources to assess business partners is standard practice and legally permissible in virtually all jurisdictions.
How often should we review our existing vendors?
At minimum, high-risk vendors should be reviewed annually, with continuous monitoring for key risk signals in between formal reviews. Medium-risk vendors warrant annual or biannual reviews. Low-risk vendors may be reviewed every two to three years or when a contract renewal triggers reassessment. Significant vendor events (ownership changes, regulatory actions, major incidents) should trigger an immediate unscheduled review regardless of tier.
What should we do if we find red flags during due diligence?
Red flags should be escalated to the appropriate stakeholders (legal, compliance, security, procurement leadership) and documented. Depending on severity, potential responses include: requesting additional information and explanations from the vendor, implementing enhanced contractual protections, requiring third-party audit rights, placing the vendor on enhanced monitoring, renegotiating scope to limit exposure, or rejecting the vendor entirely. The response should be proportional to the severity of the finding and the criticality of the vendor relationship.
How do we handle vendor due diligence across a large vendor portfolio?
Large vendor portfolios require a risk-tiered approach and technology-enabled investigation. Risk-tiering allows you to focus deep investigation on the vendors that pose the most significant risk, while using automated tools to conduct baseline checks across the rest of the portfolio. AI-powered OSINT platforms significantly reduce the per-vendor investigation time without sacrificing coverage depth.
Conclusion
Vendor and partner due diligence has evolved from a compliance checkbox into a business-critical capability. In a world where third-party relationships account for a growing share of organizational risk , cyber breaches, regulatory penalties, financial losses, and reputational crises , the question is not whether to conduct thorough due diligence, but how to do it efficiently and consistently at scale.
Open source intelligence offers a powerful answer: independently verifiable, cross-referenced intelligence from hundreds of public sources, surfaced in seconds rather than days. When combined with traditional due diligence methods, OSINT-based vendor research surfaces the risks that questionnaires miss, the connections that registries don't reveal, and the signals that only emerge when you look at a vendor's entire public footprint , not just the documents they choose to provide.
Start screening your vendors with the depth they deserve. Explore Sherlockeye , the AI-powered OSINT platform built for compliance, legal, and security teams who need verifiable answers before they sign.
