
Anyone who evaluates new suppliers or potential partners is familiar with the problem: before a formal assessment can begin, many teams have to wait for approval from the company being evaluated. This waiting period delays the initial risk assessment, especially when quick decisions are needed. LocateRisk VRM now addresses this bottleneck with No-Consent VRM Scanning: a Preliminary Scan Without Supplier Consent, based on publicly available Shodan data.
Context: In Germany, the NIS2 Implementation Act has been in effect since December 6, 2025. NIS2 establishes supply chain security, including security-related aspects of relationships with direct suppliers and service providers, as a central component of EU cybersecurity requirements. The BSI has published a separate information package on this topic, the secure supply chain. The new Preliminary Scan helps GRC professionals, investors, and insurers speed up the initial assessment phase without replacing compliance requirements.
No-Consent VRM Scanning uses only publicly available infrastructure data to produce an initial analysis of a company’s external attack surface. Shodan continuously scans the public internet and indexes devices, services, and systems that are directly reachable from the internet: no internal systems, no protected areas.
Technically, the scan runs through the existing analyzeCompany pipeline with the parameter lightScan=true. The results use exactly the same data format as a full scan, so the VRM Dashboard, Report View, and Management Report work directly with data from the preliminary scan without any additional adjustments. Existing analysis and reporting workflows continue unchanged.
The greatest benefit of the Preliminary Scan Without Supplier Consent lies in the time saved during the initial assessment. Instead of waiting for a potential partner’s formal consent, you receive an initial data-driven assessment. This is particularly relevant for:
The Preliminary Scan is designed as a tool for rapid initial assessment. It provides an initial indication of the security posture, but is based on a limited set of publicly available data. It does not replace the detailed scan, which is performed with the supplier’s consent and enables a significantly more in-depth analysis of the attack surface.
The No-Consent VRM Scanning complements the initial step of vendor risk management. For continuous monitoring of your supply chain, the full LocateRisk VRM scan remains the recommended approach.
The scan processes only publicly available information from internet scans, such as those available via Shodan. Shodan is a legitimate service that indexes publicly available information about devices and networks. No internal or protected systems are targeted.
Since only publicly available and non-personal data related to the IT infrastructure is processed, the process is compliant with the GDPR. LocateRisk is a German company that operates in compliance with the GDPR and uses only certified data centers in Germany and Europe.
No. It is intended as a quick initial assessment. For a comprehensive risk assessment to serve as the basis for contracts or a long-term partnership, we still recommend conducting the full scan after obtaining the supplier’s consent.
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you address your cyber risks.