C-TPAT · U.S. Customs & Border Protection

Five steps stand betweenyour suppliers and theborder. Can you run them?

C-TPAT certification isn't about your security, it's about your suppliers'. We run the five steps CBP requires, on every supplier, so your team doesn't have to.

Show me my gaps8 suppliers · 15 days · no credit card

Certification deadline

Nov 30, 2026

00

Days

00

Hrs

00

Min

After this date, importers without C-TPAT certification are barred from informal U.S. entry and must file formal entry through a certified broker.

30 yrs

Doing this by hand

44,000+

Organizations assessed

500,000+

Assessments completed

100%

C-TPAT · PIP · AEO success

Trusted across three decades of supply chains

DHLGlaxoSmithKlineChryslerCNJ.M. SmuckerBall CorporationKrugerFreshstone BrandsErb TransportDelon LaboratoriesSmucker Foods of CanadaLes Emballages KnowltonLepage MillworkAliments AstaBody BlueLuxorDHLGlaxoSmithKlineChryslerCNJ.M. SmuckerBall CorporationKrugerFreshstone BrandsErb TransportDelon LaboratoriesSmucker Foods of CanadaLes Emballages KnowltonLepage MillworkAliments AstaBody BlueLuxor

Has keeping your supply chain compliant become a full-time job on top of your full-time job?

Your suppliers are exhausted. Questionnaire fatigue is real. And every time they push back, it lands on you.

It's not about us. It's about you.

C-TPAT looks like a security checklist. It's a behavioral audit. A validator rarely fails you on a missing fence, they fail you on the distance between what a supplier wrote on a form and what actually happens on the floor: at the end of a double shift, on the load that's already late, when the trained manager is away.

That distance has a name: the human factor. Not negligence, but people doing their best in moments no procedure prepared them for. It hides in the three places almost no assessment looks:

01

The sub-supplier you never mapped.

02

The process that works on paper but not under pressure.

03

The new hire onboarded after the busy season, not before.

A form cannot see a moment like that. A person under pressure cannot be audited by a questionnaire. That is where every breach actually begins, and it is the one gap that gets closed for you, supplier by supplier, before it reaches your border.

The C-TPAT 5-Step Risk Assessment

Here's exactly what CBP requires.

Flip each step. Tick the boxes your team can honestly do today, for every supplier. Watch your exposure.

Your live exposure

15

of 15 checks still unmet

Map the cargo journey & every partner

Can you name every party your cargo touches?

flip

Step 01 · Required

This is the step most teams skip. You map the cargo's whole journey, every hand it passes through from the plant floor to the dock. Map only your direct suppliers and the risk hides in the ones you forgot.

Conduct a threat assessment

Have you rated each stop for the threats CBP looks for?

flip

Step 02 · Required

For each stop on that map, you weigh what could go wrong: smuggling, tampering, theft, and the pressures a region puts on its people. Real threats, named honestly, not a checkbox.

Conduct a vulnerability assessment

Can you prove your gaps against all 12 criteria?

flip

Step 03 · Required

Then the harder question: where could someone actually get in? You hold each supplier against all 12 criteria and look for the space between the policy on paper and the practice on the floor.

Write a corrective action plan

An owner, a deadline, and proof of fix for each gap?

flip

Step 04 · Required

Every gap gets a name, an owner, and a date. Not a note in a binder, but a fix someone is accountable for, with proof it actually happened.

Document the process, every year

Could you hand a validator your process tomorrow?

flip

Step 05 · Required

Last, you write down how you did all of it and keep it current, so when a validator asks, you hand them a living process instead of scrambling to rebuild one.

You can complete 0 of 15.
A validator will find the other 15.

These five steps were written for a customs officer, not a procurement team with a day job. Run your 8 highest-risk suppliers and we'll surface every gap they'd find, in days, and hand you the report.

And the gap is already moving.

One supplier who won't be assessed. One validation that lands before you're ready. One client who asks for your C-TPAT status and doesn't wait for the answer.

When budgets tighten, security is the first thing companies cut, the one thing protecting the revenue.

more likely to be pulled for security inspection without C-TPAT (U.S. CBP)

$200M

exposure for an uncertified importer: 20,000 shipments at $10K a day

Waiting is the most expensive thing you can do.

One family. Four ways we carry it.

The program hands you the burden.
We built four products to carry it.

Pick a product to see this page through its lens, or open COMMANDCENTER and watch the whole family answer at once.

XFACTOR COMMANDCENTER

The parent platform

C-TPAT is not a season.
It lives in your departments.

Certification is won or lost between the annual assessments: in HR, in IT, in Shipping & Receiving, on the days nobody is watching. COMMANDCENTER gives every department its own criteria, its own audits, and one command calendar with every obligation on its date. The program stops being a scramble and becomes how the building runs.

  • Department assessment bands: each team answers for its own criteria, in its own language.
  • Monthly audits catch the drift before a validator does.
  • The command calendar: every renewal, review, and follow-up on its date, checked off where everyone sees it.
  • Training built in, so the person at the dock knows why the seal matters.
Department assessment bands
Department assessment bands
Monthly audits, findings and drift
Monthly audits, findings and drift
The command calendar
The command calendar
Training bands, department by department
Training bands, department by department
XFACTOR VERIFIED

Your suppliers, carried

We run the five steps on every supplier.
You keep the certification.

XFACTOR runs the actual CBP 5-step. It assesses, finds, corrects, and gets your supplier to SIGN. The gap does not get catalogued. It gets closed, and proven closed, before a validator ever asks.

  • Drop in your supplier list. Morpheus maps it, no spreadsheet wrangling.
  • Each supplier runs the assessment as cinematic scenarios, in their own language, scored against all 12 MSC areas.
  • Every gap becomes a finding; every finding a corrective action plan with an owner and a deadline.
  • The living Master Risk Assessment Report: the exact evidence package validation asks for.
The intelligence map: every supplier geo-pinned by risk, scored live
The intelligence map: every supplier geo-pinned by risk, scored live
XFACTOR VALIDATED

Your people, ready

The validation is a conversation.
VALIDATED makes sure your people can hold it.

CBP does not validate your binder. They talk to your people and measure the distance between what the paper says and what the floor does. VALIDATED runs that conversation first: mock interviews, department by department, scored and drilled until the answer on the floor matches the procedure on file.

  • Mock validation interviews, run the way the real ones are run.
  • Every answer scored, every weak spot named before it costs you.
  • HR, Shipping, IT, Procurement: each department rehearses its own questions.
  • By the time the validator arrives, your people have already passed.
The validation overview
The validation overview
A mock HR validation interview
A mock HR validation interview
Validation readiness, band by band
Validation readiness, band by band
XFACTOR VANTAGE

What the burden costs

Compliance has a payroll.
VANTAGE takes it back.

The 5-step already forces your departments to answer hard questions. VANTAGE reads those answers and finds the black holes: the evidence re-keyed into two systems, the questionnaire answered six times, the hours nobody counts. Then it hands each department its top three automations, with the math, as recovery you can audit.

  • Every finding cites the department’s verbatim answer. Your people said it, VANTAGE proved it.
  • Recommended, accepted, implemented, verified: a ledger finance can carry into an audit.
  • No new busywork. It mines the assessments the program already makes you run.
The vault: everything the operation scatters, pulled in and returned
The vault: everything the operation scatters, pulled in and returned
Annual internal assessment, department by department
Annual internal assessment, department by department
Monthly audits, findings and drift
Monthly audits, findings and drift

Bi-weekly supply-chain intelligence

The demands keep moving. The briefing keeps you ahead of them.

On the Hook is the intelligence briefing for the executive on the hook for their supply chain. Regulation reality, enforcement activity, and one move per issue, every two weeks.

Keep me posted.

Drop your email and I’ll tell you the moment Issue 001 lands — plus a few things worth reading in the meantime.

No spam. I reply personally.

Everyone else hands you a map of your gaps. You walk away with every one closed and signed.

The other platforms

  • The rating platforms score your supplier and walk away. A medal, not a fix.
  • The mapping tools show you where the risk sits. Knowing where the leak is does not stop the water.
  • A static PDF, filed once a year, that a validator has already seen a hundred times.

XFACTOR VERIFIED

  • You get the real CBP 5-step run on every supplier, the gap corrected, and your supplier's signature on the fix.
  • The gap does not get catalogued. It gets closed, and proven closed.
  • A living Master Risk Assessment Report, the exact evidence package validation asks for.

Built by the assessor who has run this by hand for 30 years. Not a logo wall.

Not a dashboard. A verdict.

This is what your suppliers walk and what your board sees, every supplier scored, every gap tracked to a signature.

Intelligence map: your whole chain, scored on one screen
Intelligence map: your whole chain, scored on one screen

A glimpse, not a blueprint. The full system is what your suppliers walk, not what your competitors copy.

What if one assessment handled all of it, without spending a fortune, without the manual work, and without chasing a single supplier?

From your exposure to verified.

01

Drop in your supplier list. Morpheus maps it, no spreadsheet wrangling.

STEP 1
02

Each supplier runs the assessment as cinematic scenarios, in their own language, scored against all 12 MSC areas.

STEPS 2 & 3
03

Every gap becomes a finding; every finding a corrective action plan with an owner and a deadline.

STEP 4
04

The whole process documented, refreshed annually, validator-ready.

STEP 5
05

Your supplier earns a verified CF score and designation. You get the Master Risk Assessment Report.

DONE

Found. Corrected. Signed.

Questions you would ask on a sales call

There is no sales call. So here are the answers, straight.

About C-TPAT

Who needs to be C-TPAT certified?

C-TPAT is a trusted-trader certification. Importers and the partners in their international supply chain pursue it to earn expedited border processing and fewer inspections, and increasingly because their own customers now require it. To become certified, you complete and document the 5-step risk assessment, then pass CBP's validation. If your suppliers move goods across the US border on your behalf, their security is part of what your certification stands on.

What is the November 30, 2026 deadline?

Under the June 2026 customs enforcement order, foreign importers without C-TPAT certification are barred from informal U.S. entry by November 30, 2026, and must file formal entry through a certified broker. Certification is not a form you file. You complete the 5-step risk assessment, document it, and pass CBP's validation. The clock is already moving, and if each supplier takes about two weeks to assess, most of your runway is gone before the date.

Will this actually satisfy a real C-TPAT validation?

The platform is built on CBP's own published 5-Step Risk Assessment methodology, the same framework a C-TPAT validation auditor walks through. The 5 assessment steps, the Minimum Security Criteria coverage, the corrective action documentation, the signed evidence package: every piece is designed to survive a real CBP review, not just produce a good-looking PDF. The founder has a 20-year, zero-failure record on C-TPAT and PIP validations. The F.F. Soucy 2009 CBP Tier-II validation letter is in the reference archive.

What if a supplier refuses to participate?

That is the signal. A supplier who refuses a documented security assessment is not a supplier you want crossing the border on your behalf. The platform flags non-responders, documents the outreach attempts, and surfaces them as a high-risk gap in your Master Report. For C-TPAT validation purposes, documented refusal and your response plan is evidence that you identified the risk. Refusing to assess is a finding in itself.

The free trial

Is it really free? What is the catch?

Yes. Your first 8 suppliers are completely free for 15 days. No credit card, no sales call, no contract required. We assess them with the same methodology a CBP validation uses. If we do not surface a gap worth more than the ten minutes it takes to start, you have lost nothing. We run it free because once you see what the platform finds in 15 days, the conversation about the rest of your chain is easy.

Why would you give this away?

Because showing beats telling. In 15 days you watch real gaps surface in 8 of your own chain, at no cost and no risk. If what you find is worth more than the ten minutes it takes to start, the decision on the rest is yours. No demo, no pitch, no pressure.

Do I need a credit card to start?

No card, no contract, no commitment. You drag your supplier list in, Morpheus maps it, and the assessments run. The 15-day trial clock starts the moment your first supplier receives their invite. If you decide to assess the rest of your chain after the trial, that is when pricing comes in, and it is published on the site. No sales call required.

What does the free trial include?

Every supplier in the 15-day trial goes through the full intake: email verification, address validation, and watchlist screening against the US Consolidated Screening List (OFAC, BIS, DDTC). Then each supplier receives the cinematic scenario assessment, narrated by Morpheus, behaviourally scored. You get findings, gap analysis, and a Corrective Action Plan for every gap found. The only thing gated behind a paid plan is assessing more than 8 suppliers and accessing the full Master Risk Assessment Report for your entire chain.

How long does the 8-supplier trial actually take?

For you, setup is minutes. You upload your supplier list and Morpheus handles the intake: email verification, address check, watchlist screening, and tier assignment. Suppliers typically complete their scenario assessment in 20 to 40 minutes. The trial window is 15 days, and most teams see findings well before the midpoint. You do not reformat a spreadsheet and you do not chase anything manually.

Do I have to chase my suppliers to complete the assessment?

No. The platform handles outreach automatically. Once you upload your list, Morpheus sends each supplier their assessment invitation, follows up with a Day 3 nudge and a Day 7 nudge if they have not responded, and tracks completion status in your dashboard in real time. You see who has finished, who is in progress, and who has not opened it yet, without sending a single email yourself.

8 suppliers · 15 days · free

Run your 8 highest-risk suppliers through the full C-TPAT 5-step. Free for 15 days.

  • See every gap within your 15-day trial window, not the months a consultant takes.
  • No sales call. No credit card. No contract. Trial starts when your first supplier gets their invite.
  • Drag your list in. Morpheus does the mapping. You reformat nothing.

If we don't surface a gap worth more than the ten minutes it takes to start, you've lost nothing.