Table of Contents
Summary
Whistic's Vendor Monitoring feature continuously scans for breach-related activity tied to your vendors, giving you real-time visibility into potential security risks. When a breach signal is detected, Whistic generates an Alert so you can quickly assess the situation, review supporting evidence, and take action — all without leaving the platform.
Vendor Monitoring helps you stay ahead of security incidents by providing ongoing oversight of the vendors that matter most to your organization.
Key Benefits:
- Receive alerts when breach-related activity is detected for your monitored vendors
- Review severity levels to prioritize your response
- Access supporting evidence, including screenshots and source links
- Maintain continuous vendor oversight alongside your existing assessment workflows
🚀 Getting Started
Vendor Monitoring is an add-on feature that must be enabled for your account before you can begin using it.
Requirements:
- Your organization must have Vendor Monitoring included in your plan
- A Whistic administrator must enable the feature for your account
- Your account must have available monitoring licenses
If You Don't Have Access Yet
If you navigate to the Monitoring page and see an overview screen instead of your monitoring dashboard, this means the feature has not yet been enabled for your organization. From this page, you can:
- Watch a short demo to learn more about the feature
- Start Free Trial or Contact sales to discuss adding Vendor Monitoring to your plan
If you are interested and have the option to Start Free Trial, go here to learn more.
⚙️ How to Enable Vendor Monitoring
Monitoring is activated on a per-vendor basis. You'll need to enable it for each vendor you'd like to track.
To enable monitoring for a single vendor:
- Navigate to the Vendor Monitoring page in the Assess dropdown main menu
- Select Monitor a Vendor
- A panel will appear. Use the search or filter options to find the vendor you'd like to monitor.
- Select Enable alongside the vendor row
- To enable multiple vendors at once, use the checkboxes and the Enable button at the bottom of the panel
Once enabled, the vendor's domain will be actively monitored and alerts will begin appearing if any breach-related activity is detected. While the breach profile is being generated, you'll see a Processing status displayed — this is expected and simply means monitoring is active and data is on its way.
📊 Viewing Your Monitoring Dashboard
The Vendor Monitoring page provides a centralized view of all breach alerts across your monitored vendors.
To access the monitoring dashboard, click Assess > Vendor Monitoring in your main navigation menu.
From this page, you can:
- View a timeline of all breach alerts across your monitored vendors
- See the severity level of each alert at a glance
- Identify which vendors are affected
- Click into any alert to view full details and supporting evidence
- Customize the data that shows in the table
- Filter the data to show just the alerts that you are interested in
⚠️ Understanding Alert Severity
Each breach alert includes a severity level to help you prioritize your review and response. Severity levels are based on the type of source reporting the breach and the nature of the data involved.
| Severity Level | What It Means |
|---|---|
| Critical |
The highest level of concern. May involve highly sensitive data exposure across multiple sources. Immediate review is recommended. A breach event where both the source type and data type score at the highest end of the model. Source indicators include confirmed ransomware group activity, victim postings from active threat actor groups, or dark web listings tied to an ongoing extortion operation. Data indicators include credential exposure — usernames, passwords, or authentication tokens that give a threat actor direct access to systems. A Critical alert represents an active or ongoing threat with confirmed threat actor involvement and data that can be immediately weaponized. |
| High |
Significant breach activity detected. Prompt review is recommended. A breach event where the source or data type is significant, but the combination does not meet the active-threat threshold of Critical. Typical examples include dark web forum postings or data leak site activity involving PII, financial records, or internal business data where credentials are not the primary exposure. The incident is directly tied to the monitored vendor and warrants prompt review, but does not indicate an active, ongoing operation at the time of the alert. |
| Medium |
Moderate breach activity detected. Review at your earliest convenience. A breach event where the source is lower-weight — such as a news report, official disclosure, or government notification about an incident that has already been publicly acknowledged and is no longer active. The data involved may be broad or the vendor's exposure may be indirect. Medium alerts are informational: they confirm something occurred but do not indicate immediate risk to your vendor relationship. |
| Low |
Minor breach-related signals detected. Monitor for changes. A breach event where both the source and data type score at the low end of the model. Typically involves older or widely reported incidents, general mentions in aggregated breach databases, or activity confirmed as resolved. Low alerts are logged for completeness and audit trail purposes but do not require immediate action. |
Severity is influenced by factors such as the type of source reporting the breach (e.g., news outlets, official disclosures), the nature of the exposed data (e.g., credentials, financial information, personal data), and whether the breach appears across multiple sources.
🔍 Reviewing Alerts and Evidence
Reviewing Supporting Evidence
Alerts may include supporting evidence to help you assess the situation. This can include:
-
Key Data from the alert, such as:
- Date
- Cause
- Scope
- Actors
- Ongoing Status
- A screenshot of the source where the breach was reported
- A link to the public source (when available)
- A summary of the reported content
Sensitive Content Warning
Because breach evidence may contain exposed data such as credentials or personal information, you may see a one-time warning before viewing a screenshot for the first time. This is simply to let you know that the content may include sensitive information. You can choose to dismiss this warning permanently by selecting the option to not show it again.
Alerts within the Vendor Detail page
Each vendor with monitoring enabled includes a Monitoring section within their specific profile.
- Navigate to the vendor's profile
- Click the Monitoring tab
- Here you'll see all alerts related to that vendor, including severity levels and detection dates
🔔 Managing Notifications
When a breach alert is detected for one of your monitored vendors, you'll be notified in two ways:
Note: If new information is published after an alert is initially detected, the alert will be automatically updated with the latest details. You'll receive both an in-app and an email notification any time an existing alert is updated.
Email Notifications
Account administrators will receive an email notification that includes:
- The vendor name
- The severity level of the alert
- The source type
- A link to view the vendor's alert details directly in Whistic
In-App Notifications
You'll also see a notification within the Whistic platform. Clicking the notification will take you directly to the vendor's monitoring details so you can begin your review.
Acting on Monitoring Alerts
Now that you have alerts, what should you do next? We've plugged this monitoring feature into other key functionality, such as Issues and Assessments. Here is a list of the tools you can use to dive deeper into alerts and ensure they are resolved.
Alert Status
Use the alert status at the bottom of the alert information panel to give a simple indication of how you are going to handle the alert.
- Open (default status)
- In Review
- Resolved
- Closed
Create an Issue
Will there be follow up needed on an alert? If yes, consider creating an Issue. Issues allow you to drill deeper into alerts by coordinating with other stakeholders, both internal and external. You can gather additional information, comment and manage resolution.
Start an Assessment
Does this alert warrant a new ad hoc assessment? Start an assessment directly from the alert panel. Take it a step further and create a quick custom questionnaire to address this specific alert to ensure the vendor has resolved it and there is no additional impact to your business.
🚫 Disabling Monitoring for a Vendor
You can stop monitoring a vendor at any time. Disabling monitoring immediately returns the license to your pool so it can be reassigned.
To disable monitoring:
- Open Vendor Monitoring
- Select Monitor a Vendor
- Locate the vendor by searching or using the Status filter
- Select Disable Monitoring
- Monitoring will stop immediately however historical data will be retained
You can re-enable monitoring for the same vendor at any time, as long as you have an available license.
❓ FAQ
How does Whistic determine which vendor to monitor?
Monitoring is based on the vendor's domain. When you enable monitoring for a vendor, Whistic tracks breach-related activity associated with that vendor's domain.
What are the various data sources/types that we are pulling in via Vendor Monitoring?
We aggregate data from multiple layers including credible news reports, official breach disclosures and regulatory filings, dark web and underground forum monitoring, ransomware group activity tracking, data leak detection, government breach notification databases, and curated threat intelligence feeds — all continuously monitored and correlated.
Why did multiple vendors receive the same alert?
If multiple vendor records in your account share the same domain, a breach alert tied to that domain will appear on each of those vendor records. This ensures that domain-level breach activity is not missed regardless of how your vendors are organized.
How many monitoring licenses do I have?
In Admin Tools, navigate to the Plan Overview section to view your total monitoring licenses and current usage.
Can I reassign a monitoring license to a different vendor?
Yes. When you disable monitoring for a vendor, the license is immediately returned to your pool. You can then enable monitoring for a different vendor using that freed-up license.
What should I do when I receive a breach alert?
Review the alert details and supporting evidence within the vendor's Monitoring tab. Assess the severity level and the nature of the reported breach, then determine whether any action is needed based on your organization's risk tolerance and your relationship with the vendor.
Why can't I see a link to the source for some alerts?
Some alerts originate from sources where a direct link cannot be provided (such as dark web sources). In these cases, a screenshot of the source is included so you can still review the reported content.
Will I be notified every time a new alert is detected?
Yes. Account administrators receive both an email notification and an in-app notification for each new breach alert. You'll also be notified if an existing alert is updated with new published information. Additional notification preferences will be available in future updates.
Can I customize which alerts I receive notifications for?
Not at this time. In the current version, all breach alerts generate notifications for account administrators. Customizable notification preferences are planned for a future release.
Does disabling monitoring delete my previous alerts?
No. Disabling monitoring stops new alerts from being generated, but your existing alert history for that vendor is preserved.
Is Vendor Monitoring included in my current plan?
Vendor Monitoring is an add-on feature. If you're unsure whether it's included in your plan, check with your Customer Success Manager or visit the Plan Overview section in Admin Tools.
Does Whistic Vendor Monitoring distinguish between confirmed and alleged breaches, similar to BitSight or RecordFuture?
Whistic's breach alerts are not raw, unverified signals. Our system employs a human review process — before a breach alert is surfaced in Vendor Monitoring, a human analyst has reviewed the evidence and determined there is sufficient basis to warrant action. This means you are not chasing automated, unconfirmed noise.
Does that mean every breach alert I receive has been verified by a person?
Yes. Unlike fully automated threat feeds that may surface unconfirmed or alleged incidents, our system's process includes human validation before an alert is raised. The alert reaching you has cleared a human review threshold.
How does this compare to the "confirmed" label used by BitSight or RecordFuture?
The intent is similar — both approaches aim to reduce noise by filtering out unsubstantiated alerts. While Whistic does not currently display an explicit "confirmed" vs. "alleged" label in the UI, the underlying data is already held to a human-verified standard before it reaches you. A roadmap enhancement to surface that confirmation status visibly in the alert UI is something we can explore based on customer feedback.
Is Vendor Monitoring breach notification data available in Whistic's reporting?
No. Breach notification data is not included in Whistic's reporting module. Users can view breach notifications directly from the Vendor Monitoring dashboard. To export data, use the Actions drop-down on the dashboard — this provides the same view and export options available in the product.
What can I edit or change on a breach notification?
Currently, the only field you can modify on a breach notification is the Review Status. No other fields are editable at this time. In future versions, users will have the ability to add a reason when overriding breach notification information, providing better audit context for status changes.
Is there a way to add notes or comments to a breach notification?
There is no dedicated notes field on breach notifications. However, Issues can be used to house comments and additional context related to a breach.