NopalCyber Scales Vendor Risk Oversight Across 1,200+ Vendors with Leah

Faster vendor onboarding across client risk programs
Reduction in conventional vendor scoring effort
Vendors under continuous monitoring after rollout
Leah has transformed how we deliver Third-Party Risk Management services at scale. Its multi-tenant architecture gives our Strategic Security Advisory team continuous visibility across every client, while automating the evidence collection and risk intelligence that would otherwise require significant manual effort.
Vikram Chabra, Chief Technology Officer, NopalCyber
NopalCyber is an AI-native cybersecurity company whose Strategic Security Advisory practice helps clients find, prioritize, and reduce cyber risk across complex vendor ecosystems. As that practice expanded across financial services, legal, healthcare, and technology clients, the team needed to assess, score, and monitor more than a thousand active vendors without adding a matching layer of manual work.
The existing third-party risk management process depended on email questionnaires, shared spreadsheets, and point-in-time scoring during onboarding. That model created slow cycles and limited visibility after the initial review. A full InfoSec due diligence cycle could take two to three weeks per vendor, especially when third parties were slow to respond, while consultants spent more than 40 hours each month rechecking certifications and rescoring vendors by hand.
The risk became concrete when a legal client discovered that a vendor's SOC 2 certification had lapsed for six weeks without being flagged until a compliance audit. For NopalCyber, that incident exposed the limitation of conventional vendor due diligence: clients did not just need a faster onboarding process. They needed continuous, evidence-backed oversight that could catch changes before they became business risks.
NopalCyber selected Leah Procurement's Supplier Risk Assessment and Due Diligence Agent to modernize vendor due diligence while preserving the flexibility its managed-service model required. The rollout began with two clients in financial services and legal in Q3 2025, then expanded across the broader portfolio by the end of Q1 2026.
The team needed one standard operating model that could still adapt to each client's sector, regulatory profile, and risk appetite. Leah gave NopalCyber that balance by combining financial, compliance, InfoSec, ESG, sanctions, adverse media, and credit signals into explainable vendor risk scores. Each score could be broken down by category and backed by the evidence behind the recommendation, giving consultants a clear basis for client and auditor conversations.
Configurable due diligence templates let NopalCyber keep InfoSec-first assessments for controls such as data security, access management, breach history, SOC 2, and ISO 27001, while reweighting criteria by client sector without engineering support. Continuous monitoring closed the gap left by spreadsheet-based workflows: certificate expirations, sanctions hits, adverse media, and credit changes could trigger automatic rescoring and alerts instead of waiting for the next manual review.
Leah also reduced friction with vendors. The vendor portal could ingest documents and pull answers from existing security repositories, cutting back-and-forth clarifications while improving response speed. That allowed NopalCyber consultants to spend less time chasing evidence and more time applying judgment to material risk decisions.
Leah fit NopalCyber's operating model because the same evidence trail could support many client programs without forcing every engagement into the same scoring model. One console gave the Strategic Security Advisory team visibility across client portfolios, while configurable scoring and due diligence depth let each client program reflect its own regulatory obligations and risk appetite.
The platform's explainability was central to the decision. NopalCyber needed vendor scores that clients could trust and auditors could inspect, not black-box recommendations. Leah tied scores to supporting evidence, source documents, and monitoring signals, making the output usable in risk committee reporting, compliance reviews, and ongoing client advisory work.
External intelligence also removed manual lookup work across sources such as sanctions, adverse media, credit, and ESG data. Combined with audit-ready documentation trails and artifact repositories, Leah helped NopalCyber turn third-party risk management from a labor-intensive assessment process into a scalable managed service.
Six months after full rollout, NopalCyber cut vendor onboarding time by 55% and reduced conventional scoring effort by 65%. More than 1,200 vendors are now under continuous monitoring, and the team has recorded zero missed certificate renewals since go-live.
The impact extends across the sectors NopalCyber serves. Financial services clients can weight InfoSec and business-continuity assessments for risk committee reporting ahead of regulatory exams. Legal clients can tune due diligence around data confidentiality controls for outside vendors and co-counsel technology providers. Healthcare clients can keep continuous oversight of vendor certifications and regulatory status across a large, fast-changing vendor base.
Most importantly, Leah helped NopalCyber scale its Supply Chain Trust Intelligence offering without scaling headcount in lockstep with vendor count. Consultants now spend less time collecting evidence and rescoring vendors manually, and more time advising clients on the risks that require expert judgment.
