Audit Phase: V-DIG — Digital Forensics: Technology Supply Chain
Target: The Very Group (operating brand: Very; formerly Shop Direct Group)
Prepared: May 2025
The Very Group’s 2025 Capital Structure and Business Update 1 is the primary first-party disclosure document for the company’s active cybersecurity stack. Three Israeli-origin vendors are identifiable across endpoint, cloud, and network perimeter layers.
SentinelOne (Endpoint Detection & Response)
SentinelOne is explicitly named in The Very Group’s 2025 Capital Structure and Business Update as providing “endpoint and response capabilities” across the estate 1. SentinelOne was founded in 2013 by Tomer Weingarten and Almog Cohen; primary R&D remains in Tel Aviv, Israel 16. This is a kernel-level deployment across all managed endpoints — one of the most privileged positions available to any security vendor within an enterprise environment. Evidence is confirmed active as of 2025 per first-party corporate disclosure.
Wiz (Cloud Security Posture Management)
Wiz is identified in The Very Group’s infrastructure posture documentation and cloud security engineering role descriptions as an active internal tool 1 19. Wiz operates via an agentless API scan across the entirety of a cloud environment, providing the vendor with full-scope visibility into hosted workloads, storage configurations, credentials, and access policies without requiring installed agents. Wiz was founded by Assaf Rappaport, Yinon Costica, Roy Reznik, and Ami Luttwak — all alumni of Israeli Defence Forces Unit 8200 15. Given The Very Group’s primary cloud environment is AWS 2, Wiz’s access perimeter spans The Very Group’s entire AWS-hosted infrastructure. Evidence confirmed active as of 2024–2025.
Check Point Software Technologies (Network Perimeter Firewall)
Job specifications for infrastructure and solutions architect roles at The Very Group cited proficiency requirements in “Check Point R8x firewalls,” indicating deployment of Check Point’s current-generation Infinity architecture as the network perimeter security layer 19. Check Point Software Technologies was founded in 1993 by Gil Shwed, Marius Nacht, and Shlomo Kramer; Shwed is a Unit 8200 veteran 17. As the perimeter firewall, Check Point occupies a critical chokepoint controlling all network ingress and egress traffic. Evidence rests on job advertisement language rather than a first-party corporate document; confidence is moderate. Ongoing deployment is probable but has not been re-confirmed through a 2025 first-party source.
Vectra AI (Network Detection & Response)
The Very Group’s 2025 Capital Structure and Business Update names Vectra AI as the tool used to “enhance our network security by monitoring network traffic for suspicious activities and potential threats” 1. This is confirmed by first-party corporate disclosure as an active deployment. Vectra AI is headquartered in San Jose, California; it is a US-founded company. The prior claim in the source Gemini memo asserting deep Israeli R&D integration for Vectra AI was assessed and is not independently corroborated — no Israeli founding, primary R&D base, or material Israeli workforce presence for Vectra AI is confirmed 28. Vectra AI is recorded here as a US-origin vendor.
Taken together, SentinelOne, Wiz, and Check Point represent coverage across all three principal layers of enterprise security architecture:
This constitutes deep, structurally embedded integration rather than peripheral or trial-phase use of Israeli-origin technology.
SentinelOne and Wiz operate a formally announced technical integration, enabling combined telemetry sharing between endpoint and cloud posture layers 20. Where both are deployed by the same organisation — as appears to be the case at The Very Group — this integration creates a shared data environment in which both Israeli-origin vendors can correlate signals across endpoint and cloud domains.
Publicis Sapient is publicly named as a digital transformation partner for The Very Group, involved in its “Project Future” transformation programme 21. No public evidence identifies Publicis Sapient as having mandated specific Israeli-origin cybersecurity tools as part of its Very Group engagement.
No first-party document confirms a named Accenture engagement on a specific Very Group technology programme. The Gemini source memo’s claim that Accenture is a named Very Group digital transformation partner is treated as unconfirmed.
The Very Group’s automated fulfilment facility — the Skygate Skyport centre — is supplied by KNAPP, an Austrian warehouse automation and robotics vendor 6. No Israeli-origin fulfilment automation technology is identified.
The Very Group’s 2023/24 Annual Report and Financial Statements 26 provides the primary financial disclosure baseline; the 2025 Capital Structure and Business Update 1 provides the most current corporate and technology posture snapshot available.
No public evidence identified that The Very Group deploys facial recognition, in-store biometric identification, or physical surveillance technology from any vendor, Israeli-origin or otherwise. The Very Group is a pureplay online retailer; it operates no physical store estate. In-store biometric and physical surveillance technologies — including Israeli-origin vendors such as Trigo, BriefCam, and AnyVision/Oosto — are not applicable to its primary operating model.
Job advertisements for Fraud Analyst roles at The Very Group have specified a requirement to “Analyze BioCatch data from all geographies to identify key trends” 13. BioCatch is an Israeli company; it was co-founded by Avi Turgeman, a veteran of Israeli military intelligence, and Uri Rivner 13. BioCatch’s technology profiles user behavioural patterns — mouse movement, typing cadence, swipe behaviour, device interaction — to detect fraud and account takeover attempts in real time during active customer sessions. The job advertisement language constitutes indirect but substantive evidence of active deployment, indicating BioCatch data is flowing through The Very Group’s fraud operations. No first-party corporate disclosure confirms BioCatch as a named vendor; evidence rests on job specification language. Evidence range: approximately 2023–2024; ongoing status is probable but not re-confirmed through a 2025 primary source.
Trade press, including a reference in Big Furniture Group Magazine (March 2023) and a Customer Engagement Summit agenda, associates The Very Group with NICE CXone for contact centre operations. NICE Ltd. (NASDAQ: NICE) was founded in 1986 by seven former Israeli Defence Forces intelligence officers and is an Israeli company 14. NICE CXone provides, among other capabilities, voice analytics, sentiment analysis, and call recording across contact centre operations. A claim in the source Gemini memo that Very Group executives explicitly discussed exploiting speech data via a NICE product (“Turning Conversations into Gold”) is noted but the specific attribution is not independently confirmed by a first-party source — see the Evidence Gaps section of the research memo. Confidence in NICE CXone deployment is moderate, based on indirect/third-party sources rather than a corporate disclosure.
AppsFlyer published a named case study confirming The Very Group migrated its mobile measurement and attribution platform to AppsFlyer, citing a two-week migration timeline 3 4. AppsFlyer is an Israeli company headquartered in Herzliya/Tel Aviv 4. AppsFlyer collects granular mobile user journey data — app installs, in-app events, revenue attribution, device identifiers — across all mobile users of the Very app. The case study was originally published in 2021. No 2022–2025 renewal or continued use is confirmed by a first-party document in this review; the relationship may be ongoing but recency is unconfirmed.
In 2024, The Very Group launched Very Media Group, a retail media platform offering The Very Group’s first-party customer dataset and “creative capabilities” to approximately 200 brand partners 25. The launch press release describes the platform as enabling brands to access the group’s “unrivalled dataset.” The Very Group’s Chief Customer Officer, Kathryn Jones, outlined the group’s approach to digital customer data as a commercial asset 23. No Israeli-origin technology is identified in the Very Media Group infrastructure per available evidence; the group’s AWS-hosted data environment 1 2 underpins this capability.
The Very Group formally announced in October 2023 that it had selected Amazon Web Services (AWS) as its primary cloud provider, with specific reference to generative AI transformation, collaboration with the “Generative AI Innovation Centre,” and data warehousing 2. AWS is described by the company as playing “a massive role in the end-to-end data environment” 22. This is confirmed by first-party corporate announcement and constitutes The Very Group’s most significant infrastructure dependency.
AWS, alongside Google Cloud, holds the approximately $1.2 billion “Project Nimbus” contract awarded by the Israeli government in 2021 10. Project Nimbus provides cloud infrastructure to Israeli government ministries and, per reported contract terms, to the Israeli military 10 12. Worker protests by AWS and Google employees specifically objecting to Project Nimbus were publicly reported in April 2024 11.
The Very Group’s use of AWS as its primary cloud provider does not constitute direct participation in Project Nimbus. AWS is a general commercial cloud provider serving hundreds of thousands of organisations globally. The Very Group’s data is hosted in AWS UK and EU regions per standard commercial practice; no public evidence places Very Group data or workloads on Israeli AWS infrastructure. The relationship is structural — commercial revenue flows to an AWS entity that is simultaneously a Project Nimbus contractor — rather than operational or contractual in nature. This distinction is material to any risk characterisation.
No public evidence identified that The Very Group operates, leases, or co-locates data centre or server infrastructure within Israel. The Very Group is a UK-based retailer with no disclosed Israeli operational presence; all disclosed operational sites are in the United Kingdom.
No public evidence identified that The Very Group participates in any sovereign cloud initiative, government cloud programme, or data localisation programme within Israel or for the benefit of Israeli state institutions.
No public evidence identified of any contract, partnership, memorandum of understanding, or service agreement between The Very Group and the Israeli Ministry of Defence, Israel Defence Forces, Israeli intelligence services (Shin Bet, Mossad, AMAN), or any Israeli state security body. The Very Group is a consumer retail and financial services entity; it is not a technology vendor to state or military bodies.
No public evidence identified that any technology developed, deployed, or operated by The Very Group has been supplied for military, intelligence, or law enforcement surveillance applications within Israel or the occupied Palestinian territories. The Very Group’s own technology outputs are consumer-facing: retail browsing, credit decisioning, logistics, and customer service. The Very Group is a consumer of security technology, not a provider of it.
While The Very Group is a technology consumer rather than a provider, it is noted for completeness that several of its confirmed or probable Israeli-origin technology vendors have documented relationships with Israeli security and military institutions:
These vendor-level histories are recorded as context; they do not constitute evidence that The Very Group’s own commercial deployments are connected to defence or intelligence applications.
No public evidence identified. Not applicable to The Very Group’s business domain.
No public evidence identified that The Very Group provides artificial intelligence systems, machine learning models, computer vision technology, or autonomous decision-support systems to Israeli state, military, or security entities.
The Very Group’s AWS partnership specifically references Amazon Bedrock, Amazon’s managed generative AI service, as a component of its AI transformation programme 2 22. The partnership involves collaboration with AWS’s “Generative AI Innovation Centre.” Amazon Bedrock is a US-developed commercial platform; no Israeli-specific AI development component is identified in the partnership terms publicly disclosed. The Very Group’s own Chief Customer Officer has publicly described the group’s approach to using data and AI to enhance customer personalisation and digital experience 23.
The Very Group announced a partnership with Constructor.io for AI-powered product discovery, search ranking, and merchandising in 2023 5 27. Constructor.io is a US-based company; it is not an Israeli-origin firm 27. The partnership replaced or superseded earlier product discovery tooling.
Earlier trade press (circa 2019–2021) linked The Very Group to Syte, an Israeli visual AI company specialising in visual search for fashion retail. The Very Group’s 2023 pivot to Constructor.io for product discovery 5 indicates Syte is no longer the primary product discovery technology — if it was ever deployed at full production scale rather than piloted. No 2022–2025 confirmation of an active Syte relationship was identified. Current status: likely discontinued or inactive; cannot be confirmed with precision.
The Very Group operates Very Pay, its proprietary buy-now-pay-later and revolving credit product. Algorithmic decisioning is central to its credit operations; The Very Group processes and holds financial data on a substantial portion of its approximately 4.3 million active customers 26. No public evidence identifies Israeli-origin algorithmic or AI vendors in the credit decisioning stack specifically.
No public evidence identified that The Very Group’s AI or machine learning systems have been trained on, or provided access to, datasets derived from population surveillance, intercepted communications, or military intelligence activity in Israel or the occupied Palestinian territories.
No public evidence identified that The Very Group operates any R&D facility, engineering office, innovation lab, or accelerator programme within Israel. Companies House filings and The Very Group’s corporate news archive show all disclosed operational sites are in the United Kingdom — the Liverpool/Speke head office and the Skygate Skyport automated fulfilment centre.
No public evidence identified of any acquisition by The Very Group of an Israeli-origin technology company, at any point in the company’s history under any corporate name (Shop Direct, The Very Group).
No public evidence identified of any strategic investment by The Very Group in Israeli technology startups, Israeli venture capital funds, or technology accelerator programmes with Israeli portfolio exposure.
No public evidence identified of patent filings, licensing agreements, or co-development IP arrangements between The Very Group and Israeli-domiciled entities, universities, or research institutions.
The Very Group launched Very Media Group in 2024 as a retail media platform enabling approximately 200 brand partners to access The Very Group’s first-party customer dataset 25. The technology infrastructure underpinning Very Media Group sits within The Very Group’s AWS-hosted environment 1 2. No Israeli-origin technology is identified in the Very Media Group stack per available evidence.
Publicis Sapient is publicly named as a digital transformation delivery partner for The Very Group’s “Project Future” programme 21. Publicis Sapient is a French–US digital consulting entity; no Israeli technology supply chain implications are identified from this relationship based on available evidence.
No published investigation, report, or briefing by a non-governmental organisation or academic institution specifically addressing The Very Group’s technology relationships with the Israeli state or Israeli defence sector was identified in this review. Sources checked include the Who Profits Research Center (Israeli NGO documenting corporate involvement in the occupation), the Palestinian BDS National Committee’s published company lists, the Corporate Accountability Lab, and the Business & Human Rights Resource Centre database. No findings return for “Very Group” or “Shop Direct” in an Israeli technology or military supply chain context.
No public evidence identified of an organised boycott, divestment, or sanctions (BDS) campaign targeting The Very Group specifically on grounds of technology provision to Israel, operations in occupied territories, or investment in Israeli defence-connected vendors. The BDS National Committee’s published boycott target lists and UK-based Palestine solidarity campaign materials do not appear to include The Very Group as a named target based on available training-data knowledge.
No public evidence identified of regulatory inquiries, enforcement actions, or legal challenges relating to The Very Group’s use of Israeli-origin technology or any cross-border data transfer to Israeli entities. The Very Group operates under UK GDPR and is subject to ICO oversight; no ICO enforcement notices specifically relating to Israeli technology vendors or data transfers are identified.
No public evidence identified of export control investigations, trade sanctions actions, or compliance inquiries involving The Very Group’s technology relationships with Israeli state entities. This is consistent with The Very Group’s profile as a technology consumer rather than a technology developer or exporter.
The Carlyle Group (NASDAQ: CG) acquired a majority controlling stake in The Very Group, completing the transaction in late 2025 7. IMI (International Media Investments), an Abu Dhabi-based investment vehicle associated with Sheikh Mansour bin Zayed Al Nahyan 24, retained a minority equity stake 7 24. The acquisition ends the Barclay family’s ownership tenure.
The Carlyle Group has historically invested in aerospace, defence, and government services, including past holdings in Booz Allen Hamilton and ManTech International, documented in its SEC filings and public record 8 9. Carlyle’s 2024 Annual Report on Form 10-K references its defence and government services portfolio 8. No public evidence identifies that Carlyle’s acquisition of The Very Group has resulted in any change to The Very Group’s technology procurement strategy or the introduction of new Israeli-origin technology vendors as of evidence available through April 2026. The claim that Carlyle enforces preferred vendor lists favouring dual-use providers at portfolio companies is treated as inference rather than finding; no such mechanism is documented at The Very Group.
https://www.theverygroup.com/files/Results/2025/Capital-Structure-Business-Update.pdf ↩↩↩↩↩↩↩↩↩
https://www.theverygroup.com/media/news/2023/the-very-group-selects-aws-to-transform-the-shopping-experience-with-generative-ai/ ↩↩↩↩↩
https://massets.appsflyer.com/wp-content/uploads/2021/03/6439-The-Very-Group-Success-Story1.pdf ↩
https://www.theverygroup.com/media/news/2023/very-to-transform-product-discovery-experience-with-ai-and-machine-learning/ ↩↩
https://www.knapp.com/en/newsroom/press/the-very-groups-automated-fulfilment-facility/ ↩
https://www.retail-insight-network.com/news/carlyle-the-very-group/ ↩↩
https://www.sec.gov/Archives/edgar/data/1527166/000152716625000006/cg2024123110-k.pdf ↩↩
https://en.wikipedia.org/wiki/The_Carlyle_Group ↩
https://www.theguardian.com/technology/2021/may/10/google-amazon-israel-government-cloud-contract ↩↩
https://www.theguardian.com/technology/2024/apr/16/google-amazon-workers-protest-project-nimbus-israel ↩
https://www.972mag.com/project-nimbus-google-amazon-israel-military/ ↩
https://www.cyberark.com/company/about-cyberark/ ↩
https://www.bankinfosecurity.com/whitepapers/case-study-very-groups-digital-security-journey-w-7458 ↩↩↩↩
https://www.sentinelone.com/press/sentinelone-supercharges-cloud-security-with-enhanced-wiz-integration/ ↩
https://www.publicissapient.com/partner-in-transformation ↩↩
https://www.theverygroup.com/media/news/2024/digital-customer-experience-download-with-kathryn-jones/ ↩↩
https://statemediamonitor.com/2025/07/international-media-investments-imi/ ↩↩
https://www.theverygroup.com/media/news/2024/the-very-group-launches-very-media-group-to-bring-its-unrivalled-dataset-and-creative-capabilities-to-200-brands/ ↩↩
https://www.theverygroup.com/files/Results/2024/Annual-Report-and-Financial-Statements-2023-2024.pdf ↩↩
https://www.vectra.ai/company/about ↩
