The cybersecurity company teaching AI agents to do the one job security teams never have enough hands for: watching every vendor, all the time.
Every modern company is really a network of other companies. The payroll provider, the cloud host, the analytics vendor, the small contractor with a login - each one is a door into your data, and each one is somebody else's security program. Rescana was built around an uncomfortable arithmetic: the number of vendors an enterprise depends on keeps multiplying, while the security team assigned to vet them does not.
Founded in 2016 and run between New York and Tel Aviv, Rescana is a cybersecurity company that builds autonomous, AI-agent-driven software for third-party risk management (TPRM) and external attack surface management (EASM). Instead of asking analysts to chase questionnaires and re-check spreadsheets, Rescana deploys AI agents that discover a company's vendors, classify them, assess their security posture, monitor them continuously, and push remediation when something slips.
The company describes its product bluntly as "the first real autonomous vendor risk management." The claim behind the tagline is that oversight should scale with automation, not with hiring - that a security team should be able to cover five times as many vendors without growing five times larger.
Performance figures are self-reported by Rescana and describe typical outcomes rather than guaranteed results. Treat as approximate.
Third-party risk is the quiet center of most large breaches. An attacker rarely needs to break the front door of a well-funded bank when a smaller supplier with network access is easier to compromise. Regulators know this, which is why frameworks like DORA, NIST CSF and ISO 27001 increasingly demand evidence that a company is watching its supply chain.
Rescana's customers are the security, GRC and risk teams inside regulated, vendor-heavy organizations - banking and capital markets, telecommunications and critical infrastructure, healthcare, real-estate and asset-heavy enterprises, and government bodies. These are the places with hundreds or thousands of vendors and audit obligations that never sleep.
The problems Rescana targets are familiar to anyone who has run a vendor program by hand: vendors you never formally onboarded, questionnaires that take weeks to return, self-reported answers no one has time to verify, and posture that silently degrades the day after assessment. A point-in-time review, in other words, is stale almost immediately.
One detail sets Rescana's discovery apart: it aims to classify vendors even when a vendor has no web presence at all, pulling from procurement and identity systems plus OSINT rather than relying on a company having a website to scan. In supply-chain security, the vendor you can't see is often the one that matters.
| Agent / Module | What it does |
|---|---|
| Discovery & Classification | Identifies and classifies vendors across identity platforms, procurement systems and OSINT - including vendors with no web footprint. |
| Risk Assessment | Collects documentation, analyzes questionnaires, validates claims against evidence, and produces risk scores. |
| Communication & Remediation | Runs automated vendor outreach, follow-ups and remediation workflows so humans don't chase email threads. |
| Contract Compliance | Automatically reviews contracts for missing cybersecurity and compliance clauses. |
| Exposure Monitoring | Real-time tracking of posture changes, CVEs, breaches and external attack surface. |
| Post-Engagement | Keeps monitoring former vendors that may still hold custody of your data. |
| Executive Reporting | Risk metrics and dashboards mapped to board- and leadership-level decisions. |
Most established TPRM tools fall into two camps: security-ratings platforms that scan external signals, and GRC workflow tools that organize questionnaires. Rescana positions itself as AI-native across the whole lifecycle - the difference it emphasizes is validation and autonomy, not just data collection.
Bars illustrate where Rescana concentrates its differentiation, per its public materials - not independently benchmarked scores.
Surface the suppliers and contractors that never made it into a spreadsheet - including ones with no website to scan.
Instead of accepting a self-reported PDF, agents match vendor answers against real-world evidence and OSINT.
Track CVEs, breaches and posture drift in real time, so a clean assessment doesn't quietly go stale.
Align evidence to NIST CSF, ISO 27001, SOC 2, MITRE ATT&CK and DORA for auditors and boards.
Automated outreach and follow-up push vendors toward fixes without an analyst babysitting the thread.
Keep monitoring relationships that ended, because your data may still live inside their systems.
Rescana competes in a crowded and well-funded category. On large-enterprise TPRM shortlists it turns up alongside established names - the security-ratings and GRC platforms that most CISOs already know. Its wedge is being AI-native and agent-driven rather than retrofitting automation onto an older workflow tool.
The business runs as B2B SaaS, sold directly and through the AWS Marketplace, with entry pricing reported to start around $25/month and enterprise deals quoted separately. As a smaller company - roughly 11 to 50 people - Rescana leans on focus and product depth rather than scale.
Guy Halfon and co-founders start Rescana to tackle third-party and attack-surface risk.
The company reported raising early-stage funding; publicly cited figures vary across sources.
Recognized for applying generative AI to attack surface and third-party risk management.
Featured in Haaretz coverage on AI tools that help information-security professionals.
Positions its full suite of AI agents as "the first real autonomous vendor risk management."
Rescana is led by co-founder and CEO Guy Halfon, with a founding team rooted in Israel's cybersecurity scene. The company's expertise shows up in two places: the agent architecture that runs the vendor lifecycle, and a blog that reads less like marketing and more like a threat-intelligence newsroom - near-daily breakdowns of CVEs, supply-chain attacks and incident analysis.
That publishing habit is a tell. It signals a team that lives close to the threats its product is meant to catch, and it doubles as a way to demonstrate the kind of monitoring and analysis the platform automates.
Rescana is a cybersecurity company whose AI-agent platform automates third-party risk management and external attack surface management - discovering, assessing, monitoring and remediating vendor cyber risk across an enterprise's supply chain.
It was co-founded by Guy Halfon, who serves as CEO. The company operates between New York, USA and Tel Aviv, Israel.
Security, GRC and risk teams at regulated, vendor-heavy enterprises - banking and capital markets, telecom and critical infrastructure, healthcare, real estate and government.
Rescana emphasizes autonomous AI agents that run the full vendor-risk lifecycle - including discovering vendors with no web presence and validating evidence - rather than periodic manual questionnaires or external ratings alone.
Rescana maps vendor evidence to frameworks including NIST CSF, ISO 27001, SOC 2, MITRE ATT&CK and DORA.
Compiled from public sources including Rescana's website, Crunchbase, G2, AWS Marketplace, Startup Nation Central and press coverage. Funding, revenue, headcount and pricing figures reported by third parties vary and should be treated as approximate. This profile is editorial and not affiliated with or endorsed by Rescana.