Inside-out vs. outside-in monitoring in third-party risk management: understanding the differences


When businesses search for ways to improve their third-party cyber risk management (TPCRM) program, automation is almost always part of the answer. Going a step further, it will probably involve a continuous monitoring strategy to substantially raise the reliability of risk information for at least a select number of third parties.
Continuous and automated approaches have the potential to avoid a common pitfall in third-party cyber risk management: assessments that only provide a "snapshot" of a third party's cybersecurity posture. This means that the data on record is not updated automatically, becoming increasingly inaccurate with every implemented change, vulnerability, or rollout of non-compliant processes.
Self-Assessment Questionnaires (SAQs) also suffer from this limitation, despite their popularity in third-party risk management programs. As part of this assessment strategy, third parties detail their cybersecurity practices by filling out SAQs requested by their customers. Unfortunately, this is a labor-intensive process, so the questionnaires are only updated once or twice a year.
Continuous monitoring is different. As the name implies, it’s an always-on solution that can generate reports as often as every day, avoiding the common downside of "snapshot" approaches: a single report that is already out of date by the time it reaches the decision-making process.
Furthermore, information is gathered by probing the IT infrastructure, allowing data points to be linked to real systems and risks. In other words, you will see things as they are in the real world.
One thing that can be overlooked, however, is that it's possible to work with your third parties to monitor their environments from within. Because it's not constrained by what can be seen from the outside, this inside-out monitoring comes with many benefits that will become evident as we explore how it works and how it differs from outside-in monitoring.
Why inside-out monitoring makes sense for TPCRM
Suppliers and partners, especially those that have their IT infrastructure connected to their customers' environments in some capacity, should not be viewed only as "external" entities. There is a high chance that incidents in this shared ecosystem will be felt by both parties, and criminals often attack IT and service providers to use them as stepping stones to reach their customers or large data sets.
Running security tests inside third parties at scale was not practical in the past, when corporate networks were all very different from each other. Internal cybersecurity audits had to be carefully tailored for each environment to be effective. In addition, cybersecurity was heavily focused on the "perimeter," which left access controls for specific tasks and systems neglected.
Today, nearly every business relies on software and IT services from companies like Microsoft, Amazon, and Google, all of which can be set up to provide visibility into deployed security controls without exposing corporate data or other sensitive features of internal systems. The interfaces made available by cloud providers can grant a read-only access that is restricted to the metadata required for TPCRM purposes.
Comparing monitoring approaches
Accuracy: The process of monitoring or scanning IT infrastructure from the outside is not new. In essence, by sending certain data packets to systems connected to a range of IP addresses, it's possible to map a company's network assets and even find vulnerabilities or misconfigurations. This does not require any special access or knowledge, as all the systems being scanned are connected to the internet.
Unfortunately, the more hands-off it is, the more this process requires guesswork to produce usable results. Which tests will be executed, how to identify systems, how to link IP addresses to each organization – each of these steps (and many more) relies on a best-effort guess that can lead to inaccuracies.
Inside-out monitoring gathers data directly from the third party's infrastructure, which reduces or even eliminates guesswork from the insights it can deliver. The scanning process understands the ecosystem because it uses the standard APIs provided by the cloud providers.
Security outcomes: Thanks to its accuracy, inside-out monitoring is definitive: each alert corresponds to a real issue that can and should be addressed with specific steps.
In outside-in monitoring, a scoring system avoids putting too much weight on any single test. Because the outside-in approach is essentially restricted to attributable internet-facing assets, it is difficult to draw conclusions about specific risks or security gaps, which forces this method to lean more on its scoring formula.
An inside-out monitoring report can be summarized with a score to facilitate decision-making as well, but it's a bonus. Alternatively, the metrics can help the third party visualize the results of their effort to address each issue found by the monitoring.
Coverage: Outside-in monitoring is focused on internet-facing assets. While it can be supplemented by compliance reporting or self-monitoring, it cannot check internal controls or endpoints to the same degree of confidence that inside-out monitoring can.
Many ransomware incidents begin or take shape from within, often due to a lack of multifactor authentication (MFA), phishing attacks, or insufficient network segmentation. Inside-out monitoring can detect accounts that lack MFA, check malware defenses, and validate data recovery policies, encryption, and the storage of secrets.
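As an added illustration of the two points above (read-only metadata access granted by the third party, and an inside-out check for accounts without MFA), the example below is not from the original article or any vendor's product. It assumes the third party runs on AWS, grants only the two real IAM actions needed to pull the IAM credential report, and that the monitoring side parses that report; the report rows are a constructed sample in the credential-report CSV layout, reduced to a subset of columns.

```python
"""Inside-out MFA check over an AWS IAM credential report (constructed sample)."""
import csv
import io

# Minimal read-only grant for this check. The two actions are real IAM actions;
# restricting the TPCRM principal to exactly these (no data-plane access) is an
# assumption of this example, not something the article prescribes.
READ_ONLY_TPCRM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:GenerateCredentialReport", "iam:GetCredentialReport"],
        "Resource": "*",
    }],
}

# Constructed sample in the credential-report CSV layout (subset of columns).
# The root account reports password_enabled as "not_supported" because it
# always has a password; regular users report "true"/"false".
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true
"""


def find_users_without_mfa(report_csv: str) -> list[dict]:
    """Return one actionable finding per principal that can sign in
    interactively (console password or root) without an MFA device.

    Users whose only credential is an access key are skipped: MFA is not
    enforced on keys by the report alone, so flagging them here would not be
    a finding the third party can close with a concrete step.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_login = is_root or row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        if console_login and not has_mfa:
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                "severity": "critical" if is_root else "high",
                "action": "Enable an MFA device for this console login",
            })
    return findings
```

Each finding names the exact principal and the step that closes it, which is the kind of specific, attributable alert the article contrasts with an outside-in score.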
Outside-in monitoring relies on attributable IP address ranges. Cloud native applications, dynamic IPs, and other shared infrastructure can lead to misattributions (when an IT asset is linked to a different company than the one it belongs to) or "invisible segments" that cannot be reliably scanned from the outside. In other words, some sections of modern IT ecosystems cannot be observed externally as fixed assets, despite being potential vectors for attack.
Setup: Outside-in monitoring can be performed on any business that operates internet-facing infrastructure. Inside-out monitoring requires an initial setup process in which the third party grants the necessary permissions for the security tests to be carried out.
Although this seems like a drawback for inside-out monitoring, the availability of convenient but imprecise assessments drives businesses to the belief that managing third-party risk is about finding the "right" and "secure" third parties. However, TPCRM is more effective when it contemplates the lifecycle of each business agreement without antagonizing third parties.
Picking the best tool for the job
There is no single best approach to third-party risk management. Suppliers, vendors, partners, and even customers are all third parties, but each will have unique circumstances. Even among the same group of third parties (such as parts suppliers or IT service providers), some will be more critical than others, and their role in the business will not be the same.
Deciding the best ways to assess each third party requires a robust process that aligns multiple interests and the realities of the third parties that a business needs. Understanding the advantages of each strategy is essential to make the right call regarding which strategy is best suited for a given situation.
Inside-out monitoring should be part of that toolbox, and it should be considered whenever it has an edge in delivering the best cybersecurity outcome.