OwlyScan
What is OwlyScan?
OwlyScan is a deep and dark web monitoring platform. It indexes documents in every format and language, watches your company and your suppliers, and turns hits into alerts and audit-ready reports.
- Continuous watch on you, your suppliers, and their subcontractors
- Credentials, contracts, source code, databases, mentions, and more
- Alerts and reports you can show to auditors, customers, and IR teams
How OwlyScan maps to the requirements
-
01
Name who you must protect
Your organisation, direct suppliers, and critical subcontractors enter the watch list.
-
02
OwlyScan monitors underground sources
Leaks, dumps, forums, and marketplaces are indexed; AI filters what concerns your perimeter.
-
03
Keep proof for auditors and IR
Alerts and audit-ready reports document that supply-chain exposure watch is running.
OwlyScan supports selected measures with external monitoring and evidence. It is not a certification, and it does not replace your full compliance programme.
Which requirements OwlyScan covers
Where OwlyScan covers the requirement
| Ref | Domain | What the framework asks | Coverage | How OwlyScan helps |
| Art. 21(2)(d) | Supply chain security | Manage cybersecurity risk in relationships with direct suppliers and service providers, including their vulnerabilities and practices. | Covered | Continuous deep and dark web monitoring of named suppliers and subcontractors, with alerts and reports for the supplier risk file. |
Art. 21(2)(d) Covered
Supply chain security
Manage cybersecurity risk in relationships with direct suppliers and service providers, including their vulnerabilities and practices.
Continuous deep and dark web monitoring of named suppliers and subcontractors, with alerts and reports for the supplier risk file.
Where OwlyScan supports the requirement
| Ref | Domain | What the framework asks | Coverage | How OwlyScan helps |
| Art. 21(2)(b) | Incident handling | Detect, analyse, contain, and respond to cybersecurity incidents. | Partial | Early external signal when credentials or documents appear on the dark web; sourced findings for analysis. Not containment or SOC tooling. |
| Art. 21(2)(a) | Risk analysis | Policies on risk analysis and information system security. | Partial | Objective exposure evidence of what actually circulates about you and your chain — input to risk analysis beyond self-attestation. |
| Art. 21(2)(f) | Effectiveness of measures | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures. | Partial | Audit-ready monitoring reports document that supply-chain and self exposure watch is operational over time. |
| Art. 23 | Incident reporting | Report significant incidents to competent authorities within mandated timelines. | Partial | Timestamped artefacts for the narrative and timeline. Does not file notifications. |
| Art. 21(2)(c) | Business continuity / crisis | Business continuity, backup, disaster recovery, and crisis management. | Partial | Faster awareness of exfiltration can reduce time-to-decision. Not a BCP or backup product. |
Art. 21(2)(b) Partial
Incident handling
Detect, analyse, contain, and respond to cybersecurity incidents.
Early external signal when credentials or documents appear on the dark web; sourced findings for analysis. Not containment or SOC tooling.
Art. 21(2)(a) Partial
Risk analysis
Policies on risk analysis and information system security.
Objective exposure evidence of what actually circulates about you and your chain — input to risk analysis beyond self-attestation.
Art. 21(2)(f) Partial
Effectiveness of measures
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
Audit-ready monitoring reports document that supply-chain and self exposure watch is operational over time.
Art. 23 Partial
Incident reporting
Report significant incidents to competent authorities within mandated timelines.
Timestamped artefacts for the narrative and timeline. Does not file notifications.
Art. 21(2)(c) Partial
Business continuity / crisis
Business continuity, backup, disaster recovery, and crisis management.
Faster awareness of exfiltration can reduce time-to-decision. Not a BCP or backup product.
Proof you can show
Outputs designed for CISOs, compliance, procurement, and incident responders.
- Continuous alerts on first relevant mention
- Audit-ready monitoring reports
- Supplier exposure views for risk files
- Sourced findings for investigation and remediation
Who uses this mapping
- CISOs and security leaders
- Compliance and risk teams
- Procurement and supplier risk
- MSSPs supporting in-scope entities
- CSIRT and remediation teams
EU hosted · Audit-ready reports · Free company check