MVP 04: On the roadmap
Vendor Risk Tier-and-Track
One vendor inventory, tiered by risk, with automatic re-attestation cycles and breach-feed monitoring — replaces three spreadsheets and a hopeful prayer.
The pain
Most SMB and mid-market companies cannot answer two basic vendor questions: "Which vendors would hurt us most if breached?" and "When did we last review them?" Procurement has a list, IT has a list, finance has a list — none reconcile.
What gets built
- Unified vendor master record (pulled from accounts payable + IT inventory + procurement)
- Risk tiering engine: data sensitivity × business criticality × access type → Tier 1/2/3
- Per-tier attestation cycles: Tier 1 annual SOC 2 + cyber questionnaire, Tier 2 every two years, Tier 3 self-attest
- SBOM ingest with OSV (Open Source Vulnerability) database checking
- Public breach feed monitor (Have I Been Pwned API, CISA KEV catalog) — auto-flags affected vendors
- FAR 52.204-21 / DFARS 252.204-7012 / 252.204-7020 compliance documentation generators
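As an added illustration (not the product's code), this is how the tiering and re-attestation rules above could be expressed in Python: the 1-3 factor scales, the tier cut-offs and the Tier 3 interval are assumptions, and the vendor records and breach-feed hits are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
# Factor scales (1-3) are an assumption; the page names only the three factors.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "regulated": 3}
BUSINESS_CRITICALITY = {"low": 1, "medium": 2, "high": 3}
ACCESS_TYPE = {"none": 1, "read-only": 2, "privileged": 3}
# Per-tier cycles from the page (Tier 1 annual, Tier 2 biennial); Tier 3 interval assumed.
ATTESTATION = {
    1: ("SOC 2 report + cyber questionnaire", 365),
    2: ("cyber questionnaire", 730),
    3: ("self-attestation", 365),
}

@dataclass
class Vendor:
    name: str
    sensitivity: str
    criticality: str
    access: str
    last_reviewed: date | None  # None = never reviewed

def risk_tier(v: Vendor) -> int:
    """Multiply the three factors (product 1..27) and bucket into Tier 1/2/3.
    Cut-offs (>= 12 -> Tier 1, >= 4 -> Tier 2) are assumptions."""
    score = (DATA_SENSITIVITY[v.sensitivity] * BUSINESS_CRITICALITY[v.criticality]
             * ACCESS_TYPE[v.access])
    return 1 if score >= 12 else 2 if score >= 4 else 3

def assess(v: Vendor, today: date, breached: set[str]) -> dict:
    """Tier, required evidence, next due date, overdue flag. A vendor named in
    the breach feed is pulled forward to 'due now' regardless of its cycle."""
    tier = risk_tier(v)
    evidence, cycle_days = ATTESTATION[tier]
    due = today if v.last_reviewed is None else v.last_reviewed + timedelta(days=cycle_days)
    flagged = v.name in breached
    if flagged:
        due = min(due, today)
    return {"vendor": v.name, "tier": tier, "evidence": evidence,
            "next_due": due, "overdue": due <= today, "breach_flag": flagged}

# Constructed sample inventory and a constructed list of breach-feed hits.
SAMPLE_VENDORS = [
    Vendor("PayrollCo", "regulated", "high", "privileged", date(2024, 9, 1)),
    Vendor("SwagPrinter", "public", "low", "none", date(2022, 1, 15)),
    Vendor("TicketDesk", "internal", "medium", "read-only", date(2024, 6, 1)),
]
BREACH_FEED = {"TicketDesk"}
def run(today: date = date(2025, 1, 1)) -> list[dict]:
    return [assess(v, today, BREACH_FEED) for v in SAMPLE_VENDORS]
```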
Stack
- Python (FastAPI rules engine)
- Airbyte connectors
- OSV.dev / CISA KEV / NVD
- Syft + Grype
Pricing
$10K–$20K implementation + $500–$2,500/mo ongoing
Effort to ship
4–5 weeks for v1
Vendor Risk Tier-and-Track demo is on the roadmap
Want a guided walk-through of what this tool will do, or to be the first pilot client when it ships?