
Third-party risk in cloud services: how do firms assess resilience when vendors won’t share details?


UK Dissertations

Abstract

Cloud computing has become integral to contemporary organisational operations, yet firms increasingly encounter a transparency gap whereby critical cloud service providers and their sub-vendors decline to disclose detailed architectures, security controls, or incident histories. This dissertation investigates how organisations assess third-party resilience when vendor transparency is limited or absent. Adopting a systematic literature synthesis methodology, this research examines peer-reviewed scholarship published between 2014 and 2025 to identify emergent assessment strategies. The findings reveal four principal mechanisms: supply chain mapping and quantification using partial information; leveraging standardised registries, certifications, and external evidence; continuous automated monitoring through application programming interfaces and telemetry; and embedding resilience-centric criteria into vendor selection frameworks. These approaches collectively represent a paradigm shift from static, document-driven due diligence towards continuous, quantitative, and ecosystem-aware assessment. The research concludes that whilst complete transparency remains desirable, organisations can nonetheless derive meaningful resilience inferences through triangulating multiple data sources, behavioural observations, and standardised compliance signals. Future research should explore the validation of these indirect assessment methods against actual vendor failure events and investigate regulatory frameworks that might mandate minimum transparency thresholds.

Introduction

The adoption of cloud computing services has transformed organisational information technology infrastructure over the past two decades. Enterprises across sectors now routinely depend upon cloud service providers for mission-critical operations, data storage, and application delivery. According to Gartner research, worldwide end-user spending on public cloud services was projected to exceed $590 billion by 2024, representing sustained annual growth rates exceeding twenty percent (Gartner, 2023). This proliferation of cloud dependency has introduced novel risk management challenges, particularly concerning the assessment of third-party resilience and security postures.

A fundamental tension exists within contemporary cloud service relationships. Whilst organisations require detailed information about vendor security architectures, disaster recovery capabilities, and incident response procedures to conduct meaningful risk assessments, cloud service providers frequently decline to disclose such information. Vendors cite commercial confidentiality, competitive advantage protection, and the impracticality of bespoke disclosures to thousands of customers as justifications for limited transparency. This creates what researchers have termed a transparency gap—a systematic information asymmetry that impedes traditional due diligence processes (Akinrolabu, 2024).

The consequences of inadequate third-party risk assessment have become increasingly apparent through high-profile service disruptions and security breaches. The 2021 outage affecting Amazon Web Services impacted thousands of organisations globally, whilst security incidents at providers such as SolarWinds demonstrated how vulnerabilities within the cloud supply chain can propagate catastrophically to downstream customers. These events underscore the material importance of accurate resilience assessment, irrespective of disclosure limitations.

Traditional approaches to third-party risk assessment relied predominantly upon vendor questionnaires, audit reports, and contractual representations. However, these document-driven methods prove inadequate when vendors provide incomplete responses or when the complexity of multi-tier cloud supply chains obscures material dependencies. Organisations require alternative assessment mechanisms capable of inferring resilience characteristics from observable behaviours, external evidence, and continuous monitoring data.

This dissertation addresses a question of significant practical and academic importance: how do firms assess cloud vendor resilience when direct transparency is unavailable or insufficient? The research synthesises contemporary scholarship examining emergent assessment methodologies that compensate for transparency limitations through indirect inference, standardised signals, and continuous observation. Understanding these mechanisms carries implications for enterprise risk management practice, regulatory policy development, and the evolution of cloud service contracting norms.

Aim and objectives

The primary aim of this dissertation is to critically examine and synthesise the strategies that organisations employ to assess third-party cloud service provider resilience in circumstances where vendor transparency is limited or absent.

To achieve this aim, the following specific objectives have been established:

1. To analyse the nature and causes of the transparency gap affecting third-party risk assessment in cloud computing environments.

2. To identify and categorise the principal methodological approaches that organisations utilise to infer vendor resilience without comprehensive direct disclosure.

3. To evaluate the effectiveness and limitations of supply chain mapping, standardised certification frameworks, continuous monitoring technologies, and resilience-centric selection criteria as assessment mechanisms.

4. To examine how these approaches collectively represent a paradigm shift from static due diligence towards continuous, quantitative, ecosystem-aware assurance.

5. To propose recommendations for practitioners and identify directions for future research concerning third-party cloud resilience assessment under conditions of limited transparency.

Methodology

This dissertation adopts a systematic literature synthesis methodology to investigate third-party resilience assessment strategies in cloud computing contexts. Literature synthesis represents an appropriate methodological approach for this research domain given the emergent nature of the field, the diversity of disciplinary perspectives contributing relevant scholarship, and the practical difficulty of conducting primary empirical research across multiple enterprise contexts simultaneously.

The literature search strategy encompassed multiple academic databases including IEEE Xplore, ACM Digital Library, ScienceDirect, and Google Scholar. Search terms included combinations of “cloud computing,” “third-party risk,” “vendor assessment,” “resilience,” “transparency,” “supply chain risk,” and “security posture assessment.” The temporal scope prioritised publications from 2014 onwards to capture contemporary developments in cloud risk management whilst including foundational works establishing core theoretical frameworks.

Inclusion criteria required that sources be peer-reviewed academic publications, conference proceedings from recognised professional bodies, or authoritative publications from standards organisations and regulatory bodies. Grey literature, commercial white papers, and blog content were excluded to ensure research quality and reliability. Sources were further filtered for direct relevance to the research question concerning resilience assessment under transparency constraints.

The analysis proceeded through systematic thematic coding of identified literature. Initial coding identified discrete assessment techniques and methodological approaches described within individual sources. Subsequent analytical synthesis aggregated these techniques into coherent thematic categories representing distinct strategic approaches to transparency-constrained assessment. This process yielded four principal categories: supply chain mapping and quantification; external evidence and standardised signals; continuous automated monitoring; and resilience-centric selection frameworks.

Methodological limitations inherent to literature synthesis include dependence upon the quality and comprehensiveness of published research, potential publication bias towards positive findings, and the interpretive nature of thematic categorisation. These limitations were addressed through inclusive search strategies spanning multiple databases, critical evaluation of source quality, and explicit documentation of categorisation decisions.

Literature review

### The transparency gap in cloud service relationships

Contemporary cloud computing architectures exhibit profound complexity and interdependency. A single software-as-a-service application may depend upon multiple infrastructure providers, content delivery networks, authentication services, and data processing sub-contractors—each representing potential failure points invisible to end customers. Akinrolabu (2024) characterises this structural opacity as a cyber supply chain transparency problem, wherein the cascading dependencies underlying cloud services remain substantially undisclosed to consuming organisations.

Several factors perpetuate this transparency deficit. Cloud service providers operate at scale serving thousands or millions of customers simultaneously, rendering bespoke disclosure impractical. Security information itself represents sensitive intellectual property whose revelation might advantage competitors or assist malicious actors. Furthermore, rapid infrastructure evolution means that detailed architectural disclosures would require continuous updating to remain accurate. These structural impediments suggest that comprehensive transparency is unlikely to emerge through market forces alone, necessitating alternative assessment approaches.

The European Union Agency for Cybersecurity has acknowledged these transparency challenges within its guidance documentation, noting that cloud customers frequently lack visibility into provider security practices and incident response capabilities (ENISA, 2020). Similarly, the United Kingdom National Cyber Security Centre advises organisations to assume incomplete information availability when assessing cloud suppliers and to develop assessment strategies accordingly (NCSC, 2021).

### Supply chain mapping and quantitative risk assessment

Researchers have developed risk assessment frameworks specifically designed to accommodate partial information availability within cloud supply chains. Akinrolabu, Nurse, Martin and New (2019) present a comprehensive cyber risk assessment framework for cloud provider environments, explicitly addressing scenarios where vendors disclose limited architectural details. Their approach emphasises mapping dependencies throughout the supply chain to identify concentration risks and single points of failure, even when precise technical configurations remain unknown.

The Cloud Supply Chain Cyber Risk Assessment model advanced by Akinrolabu, New and Martin (2019) provides a quantitative methodology for evaluating software-as-a-service provider risks using monetary impact metrics. This framework enables organisations to estimate potential financial consequences of vendor failures by combining high-level architectural understanding, publicly available incident reports, and reasonable assumptions regarding unobserved parameters. The monetisation of risk outcomes facilitates prioritisation of mitigation investments and supports board-level communication of third-party exposures.

Critically, these supply chain-aware models acknowledge that perfect information is unattainable and instead focus upon deriving actionable risk estimates from available evidence. Organisations utilising such frameworks can identify weak links within their cloud dependency structures, even when those weaknesses cannot be precisely characterised due to vendor non-disclosure.
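As an added illustration of dependency mapping under partial disclosure (not code from the cited frameworks, and not the CSCCRA model itself), the sketch below finds single points of failure in a dependency map and prices them with a flat hourly-loss assumption. All vendor names, loss figures, the assumed outage duration and the inferred edges are constructed.

```python
"""Dependency mapping with partial vendor disclosure (constructed data)."""

# Each node maps to a list of requirement groups. A group holds while ANY
# member is up (redundancy), so a one-member group is a hard dependency.
DISCLOSED = {
    "payroll-saas": [{"idp-vendor"}],
    "crm-saas": [{"idp-vendor"}, {"cloud-a", "cloud-b"}],
    "helpdesk-saas": [{"cloud-b"}],
    "idp-vendor": [],
}
# Dependencies the vendors did not disclose, inferred from public evidence
# such as incident reports naming an upstream provider (hypothetical).
INFERRED = {
    "payroll-saas": [{"cloud-a"}],
    "idp-vendor": [{"cloud-a"}],
}
# Assumed loss per hour of outage for each first-tier service (constructed).
HOURLY_LOSS = {"payroll-saas": 4000, "crm-saas": 9000, "helpdesk-saas": 1500}
ASSUMED_OUTAGE_HOURS = 4  # assumption standing in for unobserved recovery time


def merge(*maps):
    """Combine dependency maps and register every referenced node."""
    merged = {}
    for dep_map in maps:
        for node, groups in dep_map.items():
            merged.setdefault(node, []).extend(groups)
            for group in groups:
                for member in group:
                    merged.setdefault(member, [])
    return merged


def is_up(node, failed, deps, visiting=frozenset()):
    """A node is up if it has not failed and every requirement group holds."""
    if node in failed:
        return False
    if node in visiting:  # dependency cycle: stop recursing
        return True
    visiting = visiting | {node}
    return all(
        any(is_up(member, failed, deps, visiting) for member in group)
        for group in deps.get(node, [])
    )


def single_points_of_failure(deps, services):
    """Map each node to the services that go down when it alone fails."""
    spof = {}
    for node in deps:
        hit = sorted(s for s in services
                     if s != node and not is_up(s, {node}, deps))
        if hit:
            spof[node] = hit
    return spof


def exposure(spof, hourly_loss, outage_hours):
    """Monetary impact per failing node under the flat-loss assumption."""
    return {node: sum(hourly_loss[s] for s in hit) * outage_hours
            for node, hit in spof.items()}


def hidden_risks(disclosed, inferred, services):
    """Single points of failure visible only once inferred edges are added."""
    before = single_points_of_failure(merge(disclosed), services)
    after = single_points_of_failure(merge(disclosed, inferred), services)
    return {node: hit for node, hit in after.items() if before.get(node) != hit}


if __name__ == "__main__":
    services = list(HOURLY_LOSS)
    full = single_points_of_failure(merge(DISCLOSED, INFERRED), services)
    costs = exposure(full, HOURLY_LOSS, ASSUMED_OUTAGE_HOURS)
    for node, cost in sorted(costs.items(), key=lambda kv: -kv[1]):
        print(f"{node:12} impacts {full[node]} exposure={cost}")
    print("hidden by non-disclosure:", hidden_risks(DISCLOSED, INFERRED, services))
```

In the constructed data, crm-saas discloses redundancy across two clouds, yet the inferred dependency of its identity provider on cloud-a makes cloud-a a single point of failure for it.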

### Standardised registries and certification-based assessment

The proliferation of standardised security assessment frameworks has created public information repositories that organisations can leverage when direct vendor disclosure is unavailable. The Cloud Security Alliance Security, Trust, Assurance and Risk registry provides self-reported assessment information from participating cloud providers using the Consensus Assessments Initiative Questionnaire. Whilst self-reported data carries inherent reliability limitations, the standardised question structure enables cross-provider comparison and identifies providers declining participation entirely.

Cayirci, Garaga, De Oliveira and Roudier (2016) developed the Cloud Adoption Risk Assessment Model, which aggregates information from multiple external sources including questionnaire responses, certifications, and publicly documented security characteristics. This model demonstrates that meaningful risk differentiation between providers is achievable through systematic collection and weighting of available evidence, without requiring bespoke disclosure.

Industry certifications provide additional assessment signals. ISO/IEC 27001 certification indicates that an independent auditor has verified implementation of an information security management system meeting international standards. SOC 2 reports provide assurance regarding service organisation controls across security, availability, processing integrity, confidentiality, and privacy domains. Whilst these certifications do not eliminate information asymmetry entirely, they provide verified attestations reducing reliance upon unvalidated vendor representations.

Ghosh, Ghosh and Das (2014) present the SelCSP framework for cloud service provider selection, incorporating certification status, vulnerability histories, and outage records as assessment inputs. This approach recognises that observable provider behaviours over time—including responses to security incidents and reliability performance—constitute valuable evidence regarding underlying resilience capabilities.

### Continuous monitoring through technological mechanisms

Contemporary third-party risk assessment increasingly incorporates continuous technological monitoring rather than periodic manual review. Djemame, Armstrong, Guitart and Macías (2016) present a risk assessment framework for cloud computing that utilises application programming interface integration and telemetry collection to gather real-time operational data from cloud environments. This continuous data collection enables dynamic risk scoring that responds to changing conditions rather than reflecting outdated point-in-time assessments.

Pinto, Cioffi and Espósito (2024) advance methodologies for third-party cloud risk management that leverage direct observation of configuration states, performance metrics, and service level agreement violations. These observable characteristics provide indirect evidence regarding underlying resilience capabilities—providers consistently meeting availability commitments demonstrate operational maturity that may correlate with broader resilience qualities.

The emergence of artificial intelligence applications within third-party risk management has accelerated these continuous monitoring capabilities. Adegbenro, Hundeyin, Olinmah and Adaba (2025) examine how AI-powered threat intelligence platforms integrate live data feeds, compliance analytics, and automated document processing to produce dynamic vendor risk scores. Such platforms can process SOC 2 reports, identify relevant regulatory changes, and flag emerging threats relevant to specific provider relationships at speeds impossible for manual review processes.

Toslali et al. (2024) describe AgraBOT, a generative artificial intelligence system designed to accelerate third-party security risk management within enterprise settings. This system automates review of vendor security documentation, identifies discrepancies between claimed and demonstrated capabilities, and synthesises risk assessments from heterogeneous information sources. The application of large language models to vendor assessment represents a significant methodological evolution enabling continuous rather than episodic evaluation.

### Consumer-centric trust frameworks and behavioural observation

An alternative assessment paradigm focuses upon deriving trust inferences from observable provider behaviours rather than disclosed information. Balcão-Filho, Ruiz, De Franco Rosa, Bonacin and Jino (2023) present a consumer-centric framework for trust assessment that evaluates cloud service providers across governance, transparency, and security dimensions using behavioural indicators observable from the customer perspective. These indicators include service level agreement clarity, incident communication practices, and policy publication completeness.

This framework recognises that trust develops through repeated interactions over time. Providers demonstrating consistent behaviour, transparent communication during service disruptions, and proactive disclosure of material changes earn trust incrementally through demonstrated conduct rather than documentary claims. Conversely, providers exhibiting erratic behaviour, poor incident communication, or post-hoc service level agreement modifications reveal operational qualities warranting concern regardless of formal attestations.

John and K (2024) contribute comparative assessment of cloud trust evaluation methods, proposing resilience-centric metrics that emphasise recovery capabilities, service continuity, and adaptive capacity under stress. Their research suggests that resilience can be meaningfully assessed through historical performance analysis, examining how providers have responded to previous disruptions and whether recovery occurred within acceptable timeframes.

### Resilience engineering approaches to provider assessment

The resilience engineering discipline contributes frameworks for embedding resilience requirements into cloud service procurement and oversight. Fargnoli and Murgianu (2023) apply resilience engineering principles to information technology service risk assessment, defining critical-to-quality requirements that specify recovery time objectives, failover capabilities, and supplier redundancy expectations. These requirements establish measurable criteria against which provider capabilities can be evaluated, including assessment of their own sub-supplier arrangements.

This approach shifts assessment focus from security control inventories towards operational resilience outcomes. Organisations specify the resilience performance they require—maximum acceptable downtime, data durability expectations, geographic redundancy requirements—and assess providers against these criteria using whatever evidence sources are available. A provider demonstrating consistent achievement of resilience outcomes provides meaningful assurance regardless of whether underlying technical implementations have been disclosed.

Amoujavadi and Nemati (2024) develop a comprehensive framework for cloud service provider viability assessment incorporating sustainability, resiliency, agility, and security dimensions. Their hierarchical evaluation structure includes specific indices for availability, restorability, and transparency, recognising that provider longevity and operational stability represent material risk factors beyond narrow security considerations. Organisations selecting providers using such frameworks systematically address resilience as a procurement criterion rather than an afterthought.

Discussion

The literature examined within this dissertation reveals a fundamental transformation occurring within third-party cloud risk management practice. Organisations confronting the transparency gap are not simply accepting inadequate assessment—rather, they are developing sophisticated alternative mechanisms that compensate for disclosure limitations through multiple complementary strategies.

### Triangulation as an assessment philosophy

The emergent assessment paradigm rests upon triangulation across diverse information sources. Rather than depending upon any single disclosure or attestation, organisations combine supply chain mapping, certification verification, continuous monitoring data, and behavioural observation to construct composite resilience assessments. This triangulated approach proves more robust than document-dependent alternatives because falsification or manipulation of any single source does not vitiate the overall assessment. A vendor might obtain certification whilst exhibiting poor incident response behaviour; continuous monitoring might reveal service level agreement violations inconsistent with claimed capabilities. Triangulation enables detection of such inconsistencies.

This represents a meaningful advance beyond traditional questionnaire-based due diligence, which Akinrolabu (2024) critiques as inadequate for contemporary cloud complexity. Questionnaires capture point-in-time representations that may become immediately obsolete, cannot verify claimed capabilities, and provide limited insight into operational resilience under stress conditions. The shift towards continuous, multi-source assessment addresses these limitations systematically.
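The triangulation described in this section, combined with the continuous monitoring discussed in the literature review, can be sketched as follows. This is an added example, not code from any cited framework: it derives outage windows from customer-side availability probes and cross-checks them against the vendor's claimed SLA, its acknowledged incidents and its certification status. The probe log, SLA figure, incident list and certificate date are all constructed.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)            # assumed probe cadence
START = datetime(2025, 6, 1)               # constructed 30-day assessment period
END = START + timedelta(days=30)
CLAIMED_SLA = 0.999                        # vendor's availability commitment (constructed)
CERT_VALID_UNTIL = datetime(2026, 1, 31)   # constructed certificate expiry
# Incidents the vendor acknowledged on its status page (constructed).
VENDOR_INCIDENTS = [(datetime(2025, 6, 3, 10, 5), datetime(2025, 6, 3, 10, 40))]


def sample_probes():
    """Constructed probe log: (timestamp, ok) every INTERVAL, with two outages."""
    down = [(datetime(2025, 6, 3, 10, 0), datetime(2025, 6, 3, 10, 30)),
            (datetime(2025, 6, 17, 2, 0), datetime(2025, 6, 17, 2, 50))]
    probes, t = [], START
    while t < END:
        probes.append((t, not any(s <= t < e for s, e in down)))
        t += INTERVAL
    return probes


def outage_windows(probes):
    """Merge runs of consecutive failed probes into (start, end) windows."""
    windows, start, last = [], None, None
    for ts, ok in probes:
        if not ok:
            if start is None:
                start = ts
            last = ts
        elif start is not None:
            windows.append((start, last + INTERVAL))
            start = None
    if start is not None:  # log ends during an outage
        windows.append((start, last + INTERVAL))
    return windows


def availability(windows, start, end):
    """Observed availability over the period as a fraction."""
    down = sum((e - s for s, e in windows), timedelta())
    return 1 - down / (end - start)


def uncommunicated(windows, incidents):
    """Observed outages that overlap no vendor-acknowledged incident."""
    return [w for w in windows
            if not any(w[0] < inc_end and inc_start < w[1]
                       for inc_start, inc_end in incidents)]


def triangulate(probes, incidents, claimed_sla, cert_valid_until, start, end):
    """Cross-check monitoring, vendor communication and attestation."""
    windows = outage_windows(probes)
    observed = availability(windows, start, end)
    silent = uncommunicated(windows, incidents)
    findings = []
    if observed < claimed_sla:
        findings.append("sla_breach")
    if silent:
        findings.append("uncommunicated_outage")
    # A valid certificate alongside either signal is the inconsistency that
    # a single-source review would miss.
    if findings and cert_valid_until >= end:
        findings.append("attestation_conflict")
    return observed, findings


if __name__ == "__main__":
    observed, findings = triangulate(sample_probes(), VENDOR_INCIDENTS,
                                     CLAIMED_SLA, CERT_VALID_UNTIL, START, END)
    print(f"observed availability {observed:.5f} vs claimed {CLAIMED_SLA}")
    print("findings:", findings)
```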

### The value of standardisation

The role of standardised assessment frameworks—CSA STAR, ISO 27001, SOC 2—emerges as particularly significant for enabling assessment without bespoke disclosure. These frameworks impose common evaluation structures that facilitate cross-provider comparison and reduce assessment costs for consuming organisations. Crucially, they transfer assessment burden from individual customers to professional auditors and certifying bodies possessing relevant expertise.

However, standardised frameworks exhibit important limitations requiring acknowledgement. Certification processes assess control implementation at specific points in time; controls may subsequently degrade without triggering decertification. Self-reported questionnaire responses may reflect aspirational states rather than operational reality. Furthermore, standardised frameworks necessarily address generic rather than organisation-specific risk considerations—a certification demonstrating adequate controls for typical workloads provides limited assurance for organisations with exceptional requirements.

These limitations suggest that certifications function most appropriately as screening mechanisms rather than definitive assessments. Organisations can efficiently filter provider populations using certification requirements, then conduct deeper assessment of surviving candidates using complementary methods. This staged approach balances assessment rigour against practical resource constraints.

### Technological enablement of continuous assessment

The increasing availability of application programming interface access, telemetry data, and artificial intelligence processing capabilities fundamentally transforms assessment possibilities. Where periodic assessments previously represented the practical maximum, organisations can now implement continuous monitoring regimes that detect resilience-relevant changes as they occur. Service level agreement violations, configuration changes, and performance anomalies become visible in near-real-time rather than awaiting the next scheduled review.

The AI-powered tools described by Adegbenro et al. (2025) and Toslali et al. (2024) extend this continuous assessment to documentary and threat intelligence domains. Generative AI systems can process vendor security documentation at scales impossible for human reviewers, identifying material disclosures, comparing claims against external evidence, and flagging areas warranting human attention. Integration with threat intelligence feeds enables dynamic adjustment of risk assessments reflecting the current threat landscape rather than historical baselines.

Nevertheless, technological monitoring approaches carry their own limitations. Telemetry access depends upon vendor cooperation or contractual negotiation; providers may restrict data availability precisely for those operational domains of greatest assessment interest. AI-powered systems exhibit reliability limitations, potentially generating plausible but incorrect assessments requiring human verification. Organisations implementing technological monitoring must maintain appropriate human oversight rather than delegating assessment entirely to automated systems.

### Resilience as procurement criterion

The frameworks advanced by Fargnoli and Murgianu (2023) and Amoujavadi and Nemati (2024) position resilience explicitly as a procurement criterion rather than a post-selection assessment concern. This represents a significant conceptual advance. Traditional procurement processes prioritised functional capabilities and cost considerations, with security and resilience addressed subsequently through supplemental questionnaires. Contemporary frameworks incorporate resilience requirements from initial specification through ongoing oversight.

This procurement-integrated approach enables organisations to define acceptable resilience parameters—maximum recovery times, redundancy requirements, sub-supplier restrictions—and evaluate providers against these criteria using available evidence. Providers unable or unwilling to demonstrate compliance with resilience requirements can be excluded regardless of other capabilities. This shifts negotiating dynamics, providing organisations leverage to demand resilience evidence as a procurement condition.

### Achievement of research objectives

The research has addressed its stated objectives comprehensively. The transparency gap has been analysed as a structural phenomenon arising from cloud complexity, commercial confidentiality concerns, and scalability constraints affecting bespoke disclosure. Four principal methodological approaches—supply chain mapping, standardised evidence, continuous monitoring, and resilience-centric selection—have been identified and categorised from contemporary scholarship. The effectiveness and limitations of each approach have been evaluated, revealing that none provides complete assessment assurance independently, but that triangulated application across approaches enables meaningful resilience inference. The collective paradigm shift from static to continuous, quantitative, ecosystem-aware assessment has been documented and analysed.

Conclusions

This dissertation has examined how organisations assess third-party cloud service provider resilience when vendor transparency is limited or absent. The research reveals that whilst the transparency gap presents genuine assessment challenges, organisations are not helpless in its face. A sophisticated arsenal of compensatory assessment mechanisms has emerged, collectively enabling meaningful resilience inference without comprehensive direct disclosure.

Four principal assessment strategies have been identified: systematic mapping and quantification of cyber supply chain dependencies using partial information; leveraging standardised registries, certifications, and external evidence as proxy indicators; continuous automated monitoring through application programming interfaces and telemetry; and embedding explicit resilience criteria into provider selection and ongoing oversight frameworks. These approaches represent a paradigm shift from static, document-driven due diligence towards continuous, quantitative, and ecosystem-aware assurance.

The research carries significant implications for enterprise risk management practice. Organisations should implement triangulated assessment approaches combining multiple evidence sources rather than depending upon any single disclosure or certification. Investment in continuous monitoring capabilities—both technological infrastructure and analytical expertise—enables assessment responsiveness that periodic reviews cannot achieve. Procurement processes should incorporate resilience requirements as selection criteria from the outset, positioning resilience alongside functional capabilities and cost considerations in vendor evaluation.

For cloud service providers, the research suggests that transparency limitations carry commercial consequences. Organisations increasingly possess alternative assessment mechanisms that identify providers exhibiting poor resilience indicators regardless of formal disclosures. Providers maintaining strong operational practices may benefit from increased transparency as a competitive differentiator, enabling customers to verify capabilities that assessment alternatives might underestimate.

Regulatory and policy implications also emerge. The current voluntary transparency regime produces systematic information asymmetries disadvantaging cloud customers. Regulatory frameworks mandating minimum transparency thresholds—perhaps requiring disclosure of significant sub-processor dependencies, material incident reporting, or standardised resilience metrics—could address market failures whilst preserving legitimate confidentiality interests. The European Union Digital Operational Resilience Act represents initial movement in this direction, imposing information sharing requirements upon financial sector participants regarding their cloud dependencies.

Several directions for future research warrant identification. Empirical validation studies comparing indirect assessment predictions against actual vendor failure events would strengthen confidence in the methodologies examined. Investigation of how assessment approaches perform across different cloud service models—infrastructure, platform, and software services present distinct transparency characteristics—would enhance practical applicability. Research examining the effectiveness of AI-powered assessment tools, including their failure modes and appropriate human oversight requirements, addresses an increasingly consequential technological development. Finally, comparative analysis of regulatory approaches across jurisdictions would inform policy development regarding transparency mandates and cloud supply chain oversight.

The transparency gap in cloud service relationships represents a genuine constraint upon third-party risk assessment, but not an insurmountable one. Organisations adopting the multi-faceted assessment strategies documented within this research can derive meaningful resilience inferences despite disclosure limitations. The evolution from static questionnaires towards continuous, quantitative, ecosystem-aware assurance represents an appropriate adaptation to the complexity and opacity characterising contemporary cloud computing environments.

References

Adegbenro, S., Hundeyin, W., Olinmah, F. and Adaba, C., 2025. Mitigating third-party cyber risk using AI-powered threat intelligence and compliance analytics. *World Journal of Advanced Research and Reviews*, 26(2). https://doi.org/10.30574/wjarr.2025.26.2.1968

Akinrolabu, O., 2024. Cyber supply chain risks in cloud computing: the effect of transparency on the risk assessment of SaaS applications. Doctoral thesis.

Akinrolabu, O., New, S. and Martin, A., 2019. CSCCRA: A novel quantitative risk assessment model for SaaS cloud service providers. *Computers*, 8(3), p.66. https://doi.org/10.3390/computers8030066

Akinrolabu, O., Nurse, J., Martin, A. and New, S., 2019. Cyber risk assessment in cloud provider environments: current models and future needs. *Computers & Security*, 87. https://doi.org/10.1016/j.cose.2019.101600

Amoujavadi, S. and Nemati, A., 2024. Developing sustainability, resiliency, agility, and security criteria for cloud service providers’ viability assessment: a comprehensive hierarchical structure. *Sustainable Futures*, 8. https://doi.org/10.1016/j.sftr.2024.100219

Balcão-Filho, A., Ruiz, N., De Franco Rosa, F., Bonacin, R. and Jino, M., 2023. Applying a consumer-centric framework for trust assessment of cloud computing service providers. *IEEE Transactions on Services Computing*, 16(1), pp.95-107. https://doi.org/10.1109/tsc.2021.3134125

Cayirci, E., Garaga, A., De Oliveira, A. and Roudier, Y., 2016. A risk assessment model for selecting cloud service providers. *Journal of Cloud Computing*, 5(1). https://doi.org/10.1186/s13677-016-0064-x

Djemame, K., Armstrong, D., Guitart, J. and Macías, M., 2016. A risk assessment framework for cloud computing. *IEEE Transactions on Cloud Computing*, 4(3), pp.265-278. https://doi.org/10.1109/tcc.2014.2344653

ENISA, 2020. *Cloud security for healthcare services*. Heraklion: European Union Agency for Cybersecurity.

Fargnoli, M. and Murgianu, L., 2023. A resilience engineering approach for the risk assessment of IT services. *Applied Sciences*, 13(20), p.11132. https://doi.org/10.3390/app132011132

Gartner, 2023. *Gartner forecasts worldwide public cloud end-user spending to reach nearly $600 billion in 2023*. Stamford: Gartner Inc.

Ghosh, N., Ghosh, S. and Das, S., 2014. SelCSP: a framework to facilitate selection of cloud service providers. *IEEE Transactions on Cloud Computing*, 3(1), pp.66-79. https://doi.org/10.1109/tcc.2014.2328578

John, J. and K, J., 2024. Resilience-centric trust evaluation in cloud computing: a comparative assessment of cloud trust evaluation methods using the RAA metric. *2024 International Conference on Smart Electronics and Communication Systems (ISENSE)*, pp.1-6. https://doi.org/10.1109/isense63713.2024.10872061

NCSC, 2021. *Cloud security guidance*. London: National Cyber Security Centre.

Pinto, B., Cioffi, L. and Espósito, F., 2024. Third-party cloud risk management. *2024 IEEE International Conference on Cyber Security and Resilience (CSR)*, pp.445-451. https://doi.org/10.1109/csr61664.2024.10679395

Toslali, M., Snible, E., Chen, J., Cha, A., Singh, S., Kalantar, M. and Parthasarathy, S., 2024. AgraBOT: accelerating third-party security risk management in enterprise setting through generative AI. *Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering*. https://doi.org/10.1145/3663529.3663829

To cite this work, please use the following reference:

UK Dissertations. 12 February 2026. Third-party risk in cloud services: how do firms assess resilience when vendors won’t share details?. [online]. Available from: https://www.ukdissertations.com/dissertation-examples/third-party-risk-in-cloud-services-how-do-firms-assess-resilience-when-vendors-wont-share-details/ [Accessed 13 February 2026].
