Every year, the world's largest organisations send millions of security questionnaires to their suppliers, and the suppliers fill them in, and the completed documents are filed, and almost nothing about anyone's actual security changes.It is not fraud. It is not negligence. It is the industrial logic of a control that was designed in the era of the annual audit being applied to a threat that moves in hours, and the waste it generates is invisible because it is distributed: a few hundred hours here, a few thousand pounds there, across every procurement department on earth, none of it ever appearing as a line item labelled the cost of pretending to manage supply chain risk.Risk Ledger believes that entire apparatus, the questionnaire industrial complex, is not a process to be optimised but a category to be replaced. The London company announced this morning a £24 million ($32 million) Series B, led by Axiom Equity, a specialist B2B SaaS growth fund, alongside Mercia Ventures, the repeat investor that led its Series A. The funding will deepen its UK customer network, build a generation of AI tools on top of the network's data, and carry the company into the United States, the largest third-party risk market in the world and the one it has not yet entered.The pitch is unusual for a cybersecurity company in 2026, because it contains no detection promise at all. Risk Ledger does not claim to spot the attacker faster, scan the perimeter harder, or score the vendor more precisely. It claims that supply chain security is not a product problem but a coordination problem, that the correct unit of defence is not the organisation but the network, and that the 16,000 organisations already on its platform are the early shape of something the industry has talked about for twenty years and never built: collective defence that actually operates.The Most Expensive Blind Spot in CybersecurityThe numbers behind Risk Ledger's thesis come from a decade of research that every CISO has read, internalized, and never been resourced to act on. The Verizon 2025 Data Breach Investigations Report, the closest thing the industry has to a census, found that third-party involvement in confirmed breaches doubled in a single year, from 15 per cent to 30 per cent, across 12,195 confirmed breaches in 139 countries. It is the largest single-year shift in any category in the report's history. Verizon attributes it to three forces arriving at once: MOVEit-style mass exploitation of file-transfer software, credential reuse across vendor ecosystems, and the maturing of access-broker markets that resell footholds into mid-market suppliers to whoever pays.The economics follow the same curve. IBM's Cost of a Data Breach 2025 puts the average supply chain compromise at $4.91 million against a $4.44 million all-breach average, with a mean lifecycle of 267 days, the longest of any attack vector it tracks, because the victim is frequently not the organisation that was breached first and does not find out until the damage has propagated. In Britain, the June 2024 ransomware attack on Synnovis, an NHS pathology supplier, produced an estimated £32.7 million financial hit, cancelled thousands of appointments across London trusts, and was linked by an NHS review to a patient death. A supplier compromise is no longer an IT event. It is an operational, financial and in the worst cases a human one.The structural problem is simple to state and brutal to solve. The tool the entire industry relies on to manage this exposure, third-party risk management, was built for a simpler world. It assesses suppliers one at a time, at a single point in time, in isolation. Every client sends its own questionnaire. Every supplier answers the same two hundred questions dozens of times a year, once per customer, in slightly different formats. The answers are stale the day they are returned, and nothing in the process reaches the place the risk actually lives, which is several hops away, inside a supplier's supplier, in a dependency nobody on the client side has ever heard of.The buyers know this. In Liminal's market study, 83 per cent of organisations said their current risk assessment methods are too complicated and only 9 per cent rated their own third-party risk capabilities as fully advanced. Whistic's 2025 benchmark found 94 per cent of TPRM teams cannot assess all the vendors they want to review. KPMG found only 17 per cent of organisations rate their own third-party risk data as fully reliable. That is not a market waiting to be educated. It is a market that has already confessed.Founder-Market Fit, Measured in Questionnaires EnduredIf any founder has earned the right to make that diagnosis, it is, plausibly, this one. Haydn Brooks spent years as a cybersecurity consultant at KPMG and then Deloitte, specialising in exactly one thing: helping large clients understand how secure their supply chains were, which in practice meant administering the questionnaire process he would later describe as a paper shield. He founded Risk Ledger in 2018 with Daniel Saul on the premise that the deliverable he had been paid to produce was structurally incapable of doing the job it was sold for, and he did the unfashionable thing for a security founder of that vintage, which was to build a network instead of a scanner.The architecture is the company. Each supplier completes one standardised assessment, covering validated internal controls across twelve security domains, and maintains it as a living profile. Every client connected to that supplier sees the same current profile. The supplier joins free, which is the detail that makes the whole machine turn: a client onboards its suppliers, those suppliers experience the platform, and when those suppliers are themselves clients of other organisations, the network extends another hop. The economics of the old model scale with clients multiplied by suppliers. The economics of the network scale with suppliers alone.The trajectory between funding rounds is the data point that closed this one. At seed in October 2021, 2,200 organisations sat on the network. At Series A in November 2023, 5,000. Today, more than 16,000, across financial services, insurance, critical national infrastructure, and central and regional government, including specialist deployments for federated organisations like the NHS and the police, which run supplier ecosystems internally. That is 7.3x network growth on £9.8 million of total prior capital, in a company whose client bookings have doubled year on year or better since the platform launched commercially in 2020.For calibration: SecurityScorecard has raised $292 million to reach a $1 billion valuation. BitSight took $250 million from Moody's alone at a $2.4 billion mark. Risk Ledger has built a 16,000-organisation network on less capital than either of those companies raised in a single round, which tells you something about what happens to customer acquisition costs when the supplier side of your market onboards itself for free.The Product: One Profile, Shared With Everyone Who Needs ItRisk Ledger connects to how supply chains actually operate rather than how compliance frameworks imagine them. The platform is network-first: the supplier's single profile replaces every questionnaire it would otherwise answer, the client's dashboard replaces every spreadsheet it would otherwise maintain, and the connections between them map the actual dependency graph, including the concentration risks and nth-party dependencies that point-in-time tools structurally cannot see. When one organisation on the network identifies an emerging threat, the architecture exists for every connected organisation to benefit, which is the operational meaning of the company's Defend-as-One framing.That framing sounds like marketing until you consider what the alternative architectures cannot do. An outside-in security rating, the BitSight and SecurityScorecard model, scores what an attacker can see from the public internet: certificate hygiene, open ports, leaked credentials. It is genuinely useful and genuinely shallow, because the controls that decide whether a supplier survives a ransomware event, offline backups, segmentation, privileged access management, incident response maturity, are invisible from the outside. A GRC workflow suite, the OneTrust and ProcessUnity model, orchestrates the questionnaire process beautifully without changing the fact that the questionnaire is the wrong instrument. Risk Ledger's profile contains the validated internal controls a scan cannot reach, maintained by the party that actually knows the answers, and shared rather than duplicated.The new capital funds the layer that makes this compound. A generation of AI tools, built on network data competitors do not hold, to automate the manual review work that consumes security teams and to surface the risk signals that emerge only in the connections: the software dependency that quietly sits under forty suppliers at once, the sub-processor that four of your critical vendors share without any of them knowing, the profile change that historically precedes an incident. AI in this category is only as good as its corpus, and a corpus of 16,000 validated, longitudinally maintained control profiles, wired together with real dependency edges, does not exist anywhere else.The Two TAMs? Understanding the Addressable MarketHere is where the analysis gets interesting, because Risk Ledger's market can be sized two completely different ways, and the gap between them is the whole investment story.Sized conventionally, Risk Ledger lives inside the third-party risk management software market, which Mordor Intelligence puts at $10.6 billion in 2026, heading to $20.7 billion by 2031 at a 14 per cent compound rate. Respectable, growing, and crowded: BitSight, SecurityScorecard, UpGuard and Black Kite on the ratings side, OneTrust, ProcessUnity, Prevalent and Panorays on the workflow side, and the Big Four consultancies selling the managed version of the questionnaire process to everyone simultaneously. If Risk Ledger is fighting for software-line-item TPRM dollars, it is competing on a category map that already has scale players defending every border.Active Supply Chain Security, points not at the software budget but at the loss pool the software exists to prevent, and the arithmetic of that pool is an order of magnitude larger. Estimates of the annual global cost of supply chain cyber attacks run from Juniper Research's $46 billion in 2023 to projections well above $100 billion by the end of the decade, against which the entire TPRM software market is a rounding error.There is precedent for this exact manoeuvre, and it is the most instructive comparable in enterprise software. LinkedIn did not compete inside the recruitment software market when it launched; it built the profile professionals maintained once and shared everywhere, and then sold access to the network that resulted, at economics no applicant-tracking vendor could touch. The supplier security profile today looks structurally identical to the CV in 2003: a document every organisation demands, every subject duplicates endlessly, and nobody maintains, waiting for the network that makes maintaining it once worthwhile. The company that owns that profile does not compete inside the TPRM software market at all. It becomes the infrastructure the market runs on.The SaaS Playbook: How This Business Actually CompoundsFor readers building or evaluating B2B software, the Risk Ledger model rewards a closer look, because the classic SaaS mechanics all show up wearing different clothes.Acquisition. The supplier joins free, invited by a client the supplier cannot refuse. That is not freemium; it is mandated adoption with zero acquisition cost, and it seeds every future sales conversation, because a supplier that already maintains a profile is a warm prospect for the paid client product the moment it needs to assess its own suppliers. The 16,000-organisation network on £9.8 million of capital is what that motion looks like on a balance sheet.Net revenue retention. Land-and-expand is built into the graph rather than the sales deck. A client that starts by assessing fifty critical suppliers is one procurement cycle from assessing two hundred, one from turning on continuous monitoring, and one from the federated deployment that covers its own internal ecosystem, the configuration the NHS and police work pioneered. Each expansion deepens the network for every other member, which is the property that separates a network business from a software business with integrations.The moat. Every profile maintained, every connection mapped, every incident that propagates visibly through the graph adds to a dataset that cannot be scraped, bought, or reconstructed from the outside, because it consists of validated internal controls voluntarily maintained by the parties themselves inside a trust framework that took seven years to build. A competitor with a larger model and a smaller network is a competitor with better tooling for worse data. Switching costs compound in both directions: the client loses its living view of the supply chain, and the supplier loses the single profile that spares it the questionnaire flood. Metcalfe economics in a security wrapper.The valuation discipline. This is a £24 million Series B, in a market where SecurityScorecard raised $180 million in one round and BitSight took a quarter-billion from Moody's. Axiom is a specialist fund closing out its first vehicle, not a tourist writing a momentum cheque. The read is a company priced on network compounding rather than on cybersecurity narrative, which, in a category littered with over-capitalised ratings vendors, is the structurally safer place to sit.Competitive Landscape: Three Rings Around the Same SupplierRisk Ledger enters its growth phase with incumbents on every side, none of whom currently does what it does.The first ring is the ratings vendors. BitSight, valued at $2.4 billion with Moody's as anchor investor and 3,500 customers, and SecurityScorecard, Sequoia-backed at $1 billion, which acquired the UK scanning startup Driftnet in May 2026 to feed its TITAN AI platform. Both are formidable, both are outside-in by architecture, and both sell a score that correlates with breach likelihood without containing a single validated internal control. They are the credit bureaus of this market. Risk Ledger is trying to be its LinkedIn, and those are different companies with different ceilings.The second ring is the workflow suites: OneTrust, ProcessUnity, which absorbed CyberGRX in 2023, Prevalent and Panorays. They orchestrate the existing process with increasing elegance, and the existing process is the thing being replaced.The third ring is the one nobody prices: the Big Four consultancies, whose third-party risk practices bill by the questionnaire and for whom every efficiency in this market is revenue lost. Brooks worked inside two of them, which is worth remembering when evaluating whether the network model was designed with full knowledge of what it disintermediates.The competitive question is not whether the incumbents can see the network model. It is whether any of them can adopt it, because a ratings vendor that starts hosting shared supplier profiles cannibalises its per-client subscription arithmetic, and a workflow vendor that kills the questionnaire kills its own seat count. The network is not just hard to replicate. It is hard for the incumbents to want to replicate, and that, historically, is the condition under which categories actually flip.The Investor Thesis: Why Axiom, Why Mercia Again, Why NowThe syndicate is quieter than a Silicon Valley round, and quieter is the point. Axiom Equity is a specialist growth fund for B2B SaaS headquartered in the UK and Ireland, and Risk Ledger is the final investment from its first fund, the deal a fund manager chooses to complete a portfolio with, with Fund II already committed behind it. Jonathan Organ's stated rationale ris that: a network that is hard to replicate and grows more valuable with every organisation that joins. Growth equity funds of this profile underwrite retention curves and unit economics, not narratives; a specialist choosing this asset to close a fund is a data point about the numbers we cannot see.The Mercia cheque is the one that carries the most information. Mercia led the Series A in November 2023 and returned for the B, and the fund that has sat on the board for three years is the fund with the least excuse for being wrong. Adam Lovell's language, that the conviction has only strengthened, is standard investor liturgy, but re-upping at a higher price into a company you already have full information rights on is not liturgy. It is the strongest signal available in private markets.And the round Haydn Brooks is not raising is itself informative. This is a founder who said at seed that he did not plan to need a Series A, who said at Series A that it should be the last raise before profitability, and who has now taken a disciplined £24 million to fund a specific, nameable expansion rather than a nine-figure war chest to fund a narrative. In a security market that has spent five years teaching investors what over-capitalisation does to ratings vendors, capital discipline is not a limitation. It is a strategy.What Has to Go RightHonest analysis requires naming the hard parts, and Risk Ledger has three worth naming. The first is the cold-start problem in the United States. The network's compounding logic is also its geographic constraint: 16,000 organisations dense in UK financial services, government and critical infrastructure are worth very little to a hospital system in Texas whose suppliers are not on the graph. The US entry means rebuilding network density from something close to zero, in the largest and most competitive TPRM market on earth, against incumbents with decade-old enterprise relationships. The mitigation is the playbook itself, anchor a handful of large federated buyers and let mandated supplier onboarding do the rest, and the fact that US regulatory pressure, from SEC cyber disclosure rules to OCC third-party guidance, is manufacturing demand faster than incumbents can service it. But network businesses do not export like software businesses, and the next eighteen months of US logo announcements are the metric that settles it.The second is the honesty of the self-reported profile. The standardised assessment is maintained by the supplier, and a supplier under commercial pressure has every incentive to present its controls generously. Risk Ledger's answer is validation tooling, the trust dynamics of a shared network where misrepresentation is visible to every connected client at once, and the reputational cost of being caught lying to sixteen thousand counterparties rather than one. That answer is structurally better than the questionnaire's, where nobody checks at all, but it is not yet adversarially proven, and the first public incident involving a supplier whose network profile said one thing while its controls said another will be the category's real stress test.The third is the platform-versus-signal question that AI is now forcing. The ratings vendors are racing to bolt LLM-driven assessment automation onto their scan data, and the consultancies are doing the same to their questionnaire practices. If generative tooling makes traditional assessments cheap enough, the waste that the network model eliminates gets smaller, and with it part of the wedge. The counter-argument, and it is a strong one, is that automating a broken instrument produces broken output faster, and that AI applied to a validated, connected, longitudinal dataset will always outperform AI applied to stale self-declarations, which is precisely the asymmetry this round is funding. But the window in which the network's data advantage converts into an unassailable product advantage is the next two years, not the next ten.What to Watch ForThe most valuable software categories have always been built where a document everyone maintains badly gets replaced by a profile someone maintains once. The CV became LinkedIn. The company filing became the credit bureau. The developer's code history became GitHub. The supplier security questionnaire, a document filled in millions of times a year, trusted by no one, and stale on arrival, has been waiting for its network for two decades.If Risk Ledger's thesis holds, the prize is not a slice of the $10.6 billion TPRM software line. It is the position of default infrastructure for how connected organisations demonstrate security to one another, priced against a loss pool measured in the tens of billions and defended by a dataset that gets harder to replicate with every organisation that joins. That is a structurally larger opportunity than the comparable set suggests, and it explains why a specialist SaaS fund chose this company to complete its first portfolio and why the Series A lead came back for more at a higher price.Series B announcements are easy to make and hard to interpret, but this one comes with an unusually clean test: either the US network reaches critical density in the next eighteen months, visible in anchor-client logos and supplier counts, or it does not. In a security market exhausted by detection narratives, that kind of falsifiability might be the most valuable thing this funding announcement actually communicates.Don't forget to like and share the story!Vested Interest Disclosure: HackerNoon has reviewed the report for quality, but the claims herein belong to the author. #DYOR.