URIP.
The cockpit for your security stack - not another tool in it. One dashboard for risk, one for compliance, on the same data.
Published April 2026 · Last verified April 2026
Live connectors
61
Bring-any-tool
[ A ] · The problem
Eleven security tools. Three compliance spreadsheets. Zero shared truth.
A modern enterprise pays for Tenable, CrowdStrike, SentinelOne, Zscaler, MS Entra, ManageEngine, Armis, Burp, GTB, CloudSEK, and a SIEM. Each tool ships its own dashboard, its own severity scale, its own ticket flow, and its own duplicate finding for the same CVE on the same asset. The CISO juggles eleven tabs to answer one question.
The compliance officer maintains a parallel universe - a spreadsheet per framework, a control mapping per audit, an evidence folder per quarter - that drifts from the live posture inside a week. When the auditor lands, the reconciliation costs days the team didn’t budget.
URIP refuses to be tool number twelve. It is the cockpit that orchestrates whatever stack the customer already owns - bring API keys, see one score, drill to one CVE, fix one ticket, watch the compliance dashboard recompute on the same data layer.
[ B ] · The argument
Bring your stack. Plug in API keys. See one score.
URIP is vendor-neutral by design - there is no adjacent product line, no scanner to upsell, no agent to prefer. Every dollar saved by tooling rationalisation goes into URIP because there is nothing else to sell. Sprinto cannot say this. Wiz cannot say this. URIP can.
[ C ] · Architecture
Two dashboards. One data layer. One audit log.
Every connector writes to the same tenant-scoped store. Every read - Risk Intelligence, Compliance, Trust Center, the external auditor invite - reads from the same store. The control failure on the SOC 2 dashboard and the CVE on the risk register are the same row of data, viewed twice.
Connectors
30+ live · 4-method contract · per-tenant Fernet vault · 15-min poll cadence
Intelligence Engine
Severity normaliser · asset fingerprint · advisory applicability · remediation fetcher · runner
Risk Formula
CVSS·0.55 + EPSS·2.5 + KEV·2.0 + asset tier · clamp[0,10]
Threat Intel
FIRST.org EPSS · CISA KEV · MITRE ATT&CK CVE→APT · AlienVault OTX
Compliance Engine
15 frameworks · ~895 controls · root-cause-risks drill-through
CSPM Engine
AWS Config + Azure Policy + GCP SCC · rule pack · zero cloud agent
Ticketing
Jira + ServiceNow bidirectional · HMAC webhooks · close-loop sync
Auto-Remediation
RTR / Ansible / Fortinet / CyberArk · implication-check → approval → retest
VAPT + Bug Bounty
Vendor portal · structured submission · auto-enrichment · retest workflow
Trust Center
Public posture · NDA e-sign · time-bound access tokens · auditor invites
On-prem Agent
Hybrid-SaaS · connector container · zero-data-exfil · hash-fingerprinted records
Audit log
Tenant-scoped · per-write · queryable · exportable for safety-case reviews
[ D ] · The numbers
Connectors
61
Tenable · CrowdStrike · Wiz · Okta · Splunk · …
Frameworks
20
SOC 2 · ISO 27001 · PCI · CMMC 2.0 · SEC · …
Controls
~1,476
Audit-grade + scaffold-grade catalogues
Tests
~2,000
pytest across services + connectors
Intel feeds
4
EPSS · KEV · MITRE ATT&CK · OTX
Deploy modes
3
SaaS · On-Prem · Hybrid-SaaS
[ E ] · The sources
Bring any tool. One contract.
Every connector ships as a directory under connectors/ with one file (connector.py) honouring four methods. The Tool Catalog wizard auto-discovers anything that meets the contract. There is no ‘we don’t support that tool’ answer - every category is supported, every new tool lands one file at a time.
C/01
Vulnerability (VM)
Tenable · Qualys VMDR · Rapid7 InsightVM · Burp Enterprise
C/02
Endpoint / EDR
CrowdStrike Falcon · SentinelOne · MS Defender for Endpoint · Datadog
C/03
CNAPP + Cloud Posture
Wiz · Prisma Cloud · Orca Security · AWS Config · Azure Policy · GCP SCC
C/04
Identity / IDP
MS Entra ID · Okta Workforce · Workday HRIS (offboarding loop)
C/05
MDM / UEM
Microsoft Intune · Jamf Pro · ManageEngine MDM
C/06
Network / SASE / NAC
Zscaler · Netskope · Cloudflare · Forescout · Palo Alto · Cisco Meraki · Check Point · Fortiguard
C/07
SOC / SIEM / SOAR
Splunk (HEC + indexer) · MS Sentinel · Google Chronicle · Elastic · QRadar · Panther
C/08
BAS · Posture · Ratings
SafeBreach (BAS) · BitSight (board-grade ratings) · SecurityScorecard
C/09
DSPM
Varonis (unstructured / files) · BigID (structured / databases)
C/10
GRC inbound
Vanta · Drata
C/11
Code / SAST / SCA
GitHub Advanced Security · Snyk · Burp Enterprise
C/12
OT / IoT
Armis OT · CERT-In advisories
C/13
DLP / Email
GTB Endpoint Protector · Google Workspace · M365 Defender for O365
C/14
ITSM / Ticketing
Jira Cloud + DC · ServiceNow · ManageEngine SDP / EC
C/15
PAM + Secrets
CyberArk PAM · HashiCorp Vault
C/16
Threat Intel / EASM
CloudSEK XVigil/BeVigil/SVigil · Censys · Shodan · Detectify
C/17
Bug Bounty
HackerOne · Bugcrowd · custom webhook
C/18
Awareness / BGV
KnowBe4 · Hoxhunt · AuthBridge · OnGrid
[ F ] · Operations
What the operator actually touches.
No professional services engagement. No bespoke integration project. The same flow runs whether the customer is a fifty-person startup chasing first SOC 2 or a thousand-person enterprise with eleven tools and three audits.
O/01
Three-screen onboarding
Sign up → Brand the workspace → Open the Tool Catalog and click each tool you own. Per-tool wizard takes API keys, runs Test Connection in 2-4 seconds, returns either 'Connected. Found 2,847 assets' or the exact remediation step. Credentials never touch browser local storage - they go straight to a per-tenant Fernet-encrypted vault. The 15-minute poll cycle starts the moment Save fires.
O/02
Two dashboards, one data layer
URIP Risk Intelligence answers the CISO's question - where am I most exposed today. The Compliance dashboard answers the auditor's - if the audit landed next week, would we pass. Both render from the same tenant data, share the same auth, the same audit log, and the same connector mesh. When a SOC 2 control fails, you can see the exact CVEs causing it. We haven't seen many products tie these two views together end-to-end.
O/03
Bidirectional ticketing
A risk auto-creates a Jira or ServiceNow ticket on assignment. HMAC-signed webhooks close the loop - when the ticket closes in Jira, the URIP risk record updates without the operator touching either system. The Auto-Remediation Phase 2 framework ships executors for CrowdStrike RTR, Ansible, Fortinet, and CyberArk with an implication-check + approval-gate + retest pipeline.
O/04
Trust Center + auditor invites
Tenants publish their compliance posture publicly - SafeBase-equivalent - with NDA e-sign and time-bound access tokens. Auditor invitations are framework-scoped, read-only, and time-bound. The same auditor sees the same evidence the customer does, without a screen-share or a CSV export.
[ G ] · Under the hood
What’s actually shipped today.
Every layer below traces back to a real source path, a real test count, or a real architectural decision in the URIP Master Blueprint. Aspirational items live in the Roadmap section.
S/01
Backend
FastAPI 0.115 · SQLAlchemy 2.0 · asyncpg
Multi-tenant control plane
FastAPI 0.115.6 on Python 3.11/3.12/3.13 with SQLAlchemy 2.0.40 + asyncpg + Alembic for migrations. Multi-tenant by tenant slug with per-tenant Fernet encryption keys and a tenant-scoped audit log on every write.
Engineering twist
Replaced python-jose with PyJWT (CRIT-005 from the security audit - CVE-2024-33663 / CVE-2024-33664). Rate-limiting via slowapi survives reverse proxies (HIGH-009). The version pins read like an incident log because they are.
S/02
Connector Mesh
61 live connectors · 4-method contract
Bring-any-tool ingestion
Every directory under connectors/ ships a connector.py honouring a four-method contract - authenticate, fetch_findings, normalize, health_check. Live today: Tenable, Qualys, Rapid7, CrowdStrike, SentinelOne, MS Defender for Endpoint, MS Entra, Okta, Workday HRIS, Zscaler, Netskope, Cloudflare, Burp, GTB, Armis, Forescout, Palo Alto, Cisco Meraki, Check Point, CyberArk, HashiCorp Vault, Fortiguard, ManageEngine (SDP/EC/MDM), Jamf Pro, Microsoft Intune, M365, AWS/Azure/GCP CSPM, Wiz, Prisma Cloud, Orca, CloudSEK, CERT-In, EASM, Email Security, KnowBe4, Hoxhunt, Jira, ServiceNow, Snyk, GHAS, AuthBridge, OnGrid, Splunk (HEC + indexer), MS Sentinel, Google Chronicle, Panther, BitSight, SafeBreach, Varonis, BigID, Vanta, Drata, HackerOne, Bugcrowd.
Engineering twist
Connectors are auto-discovered by the Tool Catalog wizard at boot - drop a new directory in, restart the worker, the new tile appears in the customer-facing UI without a deploy. The aim is to make “we don’t support that tool” a rare answer by keeping connectors modular and contract-bound.
S/03
Intelligence Engine
Severity normaliser · fingerprint · de-dup
Raw → unified, scored, single-record risk
Five backend services compose the engine. severity_normalizer maps every native severity (CrowdStrike ExPRT 0-100, Armis 0-10, CERT-In Critical/High/Medium, Bug Bounty P1-P4) to a single 0-10 axis. asset_fingerprint_service builds a (MAC + hostname + IP) composite key. advisory_applicability_service decides whether the customer is actually exposed. remediation_fetcher pulls the fix steps. connector_runner orchestrates the 15-minute poll.
Engineering twist
The same Log4j CVE arriving from Tenable, CrowdStrike Spotlight, a VAPT report, and a Bug Bounty submission collapses to one record at the fingerprint layer. The IT team works one ticket per real-world risk, not one ticket per tool. De-dup runs across categories - VM + EDR + EASM + VAPT + Bug Bounty all flow through the same fingerprint.
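The normalise-then-fingerprint collapse described above, as an added example (not URIP's own code). The label-to-score tables, the linear ExPRT scaling, the canonicalisation rules, the field names and the placeholder CVE id are assumptions; the page names the native scales and the (MAC + hostname + IP) key but not the mappings.

```python
# Assumed label-to-score tables; the page names the scales, not the values.
CERT_IN = {"critical": 9.5, "high": 8.0, "medium": 5.5}
BOUNTY = {"p1": 9.5, "p2": 8.0, "p3": 5.5, "p4": 3.0}


def normalize_severity(source: str, native) -> float:
    """Map a tool-native severity onto the shared 0-10 axis."""
    if source == "crowdstrike":          # ExPRT rating, 0-100 (linear scaling assumed)
        score = float(native) / 10.0
    elif source == "armis":              # already 0-10
        score = float(native)
    elif source == "cert_in":
        score = CERT_IN[str(native).lower()]
    elif source == "bug_bounty":
        score = BOUNTY[str(native).lower()]
    else:
        raise ValueError(f"no severity mapping for source {source!r}")
    return max(0.0, min(10.0, score))


def asset_fingerprint(mac: str, hostname: str, ip: str) -> str:
    """Composite (MAC + hostname + IP) key, canonicalised so tools agree."""
    mac_c = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    host_c = hostname.strip().lower().split(".")[0]   # drop the DNS suffix
    return f"{mac_c}|{host_c}|{ip.strip()}"


def dedupe(findings: list) -> dict:
    """Collapse findings to one record per (asset fingerprint, CVE)."""
    records = {}
    for f in findings:
        key = (asset_fingerprint(f["mac"], f["hostname"], f["ip"]), f["cve"].upper())
        sev = normalize_severity(f["source"], f["severity"])
        rec = records.setdefault(key, {"cve": key[1], "sources": set(), "severity": 0.0})
        rec["sources"].add(f["source"])
        rec["severity"] = max(rec["severity"], sev)   # keep the worst reported view
    return records


# Constructed sample: one finding reported three ways, plus a different host.
SAMPLE = [
    {"source": "crowdstrike", "severity": 93, "cve": "CVE-0000-0001",
     "mac": "00:1A:2B:3C:4D:5E", "hostname": "APP01.corp.example", "ip": "10.0.4.17"},
    {"source": "cert_in", "severity": "Critical", "cve": "cve-0000-0001",
     "mac": "00-1a-2b-3c-4d-5e", "hostname": "app01", "ip": "10.0.4.17"},
    {"source": "bug_bounty", "severity": "P1", "cve": "CVE-0000-0001",
     "mac": "001a.2b3c.4d5e", "hostname": "app01", "ip": "10.0.4.17 "},
    {"source": "armis", "severity": 7.2, "cve": "CVE-0000-0001",
     "mac": "00:1a:2b:3c:4d:5f", "hostname": "plc-07", "ip": "10.9.0.3"},
]
```

A key built from all three identifiers splits one asset into two records when its IP changes or a tool omits the MAC, so a real pipeline needs a fallback rule that the page does not describe.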
S/04
Risk Formula
URIP Score = CVSS·0.55 + EPSS·2.5 + KEV·2.0 + asset tier
Composite 0-10 score per finding
Every finding is scored by exploitability_service.py - clamp[0,10] of the four-input formula. EPSS carries the heaviest weight (×2.5) because it is the highest-signal predictor of actual exploitation in the next 30 days. KEV adds a flat +2.0 because it confirms exploitation today. Asset tier T1→T4 adds +1.0 → −0.5 per the tenant's keyword classifier in asset_criticality_service.py.
Engineering twist
MITRE ATT&CK CVE-to-APT mapping and AlienVault OTX IOC matches sit on top of the score as enrichment, not as numbers. Sector-specific APT prioritisation is already live via `APT_SECTOR_MAP` in `threat_intel_service.py` - APT41 targeting Manufacturing in APAC raises effective severity automatically.
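The four-input formula carried through on sample findings, as an added example (not the contents of exploitability_service.py). It assumes EPSS is the 0-1 probability, that the T2 and T3 bonuses are evenly spaced between the stated +1.0 and −0.5, and uses constructed findings with placeholder CVE ids.

```python
from dataclasses import dataclass

# T1 = +1.0 and T4 = -0.5 are from the page; T2 and T3 are assumed to be
# evenly spaced between them.
TIER_BONUS = {"T1": 1.0, "T2": 0.5, "T3": 0.0, "T4": -0.5}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float      # CVSS base score, 0-10
    epss: float      # EPSS probability, 0-1 (assumed scale)
    kev: bool        # listed in CISA KEV
    tier: str        # asset tier, "T1".."T4"


def urip_score(f: Finding) -> float:
    """clamp[0,10] of CVSS*0.55 + EPSS*2.5 + KEV*2.0 + asset tier."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    if not 0.0 <= f.epss <= 1.0:
        # A percentage (e.g. 97) passed by mistake would swamp every other input.
        raise ValueError(f"EPSS must be a probability, got {f.epss}")
    raw = f.cvss * 0.55 + f.epss * 2.5 + (2.0 if f.kev else 0.0) + TIER_BONUS[f.tier]
    return round(max(0.0, min(10.0, raw)), 2)


def rank(findings):
    """Highest composite score first."""
    return sorted(findings, key=urip_score, reverse=True)


# Constructed findings with placeholder CVE ids.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, kev=False, tier="T3"),
    Finding("CVE-0000-0002", cvss=7.0, epss=0.90, kev=True, tier="T1"),
    Finding("CVE-0000-0003", cvss=10.0, epss=0.97, kev=True, tier="T1"),
    Finding("CVE-0000-0004", cvss=2.0, epss=0.00, kev=False, tier="T4"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f.cve, urip_score(f))
```

The CVSS 7.0 finding that is in KEV with a high EPSS on a T1 asset outranks the CVSS 9.8 finding with negligible EPSS, and the third finding shows the clamp: its raw sum exceeds 10.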
S/05
Compliance Engine
20 frameworks · ~1,476 controls · same data layer
Sprinto-equivalent module on the risk register
Audit-grade: SOC 2 (Trust Services 2017+2022), ISO 27001:2022, GDPR, HIPAA, PCI DSS v4.0, India DPDP Act 2023, NIST CSF 2.0. Scaffold-grade catalogues: ISO 42001, EU AI Act, DORA, NIS2, ISO 27017, ISO 27018, ISO 27701, CIS Controls v8. Plus the latest five additions - SEC Cybersecurity Disclosure (17 CFR · 30 controls · 8-K materiality), CMMC 2.0 (151 NIST 800-171 r2 + 800-172 practices, DIB-ready), HITRUST CSF v11 (e1 + r2), SOC 1 SSAE 18 (~120 ICFR controls), and ISO 22301:2019 BCMS.
Engineering twist
When a SOC 2 control fails, the dashboard exposes a 'View root-cause risks' button that drills directly into the CVEs causing the failure. Auditor invitations are time-bound and framework-scoped. Auto-capture evidence is live: the compliance control engine writes structured evidence rows on every control run without manual upload.
S/06
Risk Quantification
FAIR · annual loss exposure in USD
Dollar-grade cyber risk quantification
Open FAIR methodology with per-tenant configurable assumptions (Threat Event Frequency, Loss Magnitude) and per-risk assessments. The aggregate endpoint returns total Annual Loss Exposure in USD alongside the top-N contributors.
Engineering twist
Every assessment is versioned and tenant-scoped. The assumptions endpoint preserves history so auditors can reconstruct the inputs that produced any prior ALE figure.
S/07
CSPM
Native AWS / Azure / GCP posture engine
Cloud findings via vendor APIs, no agent
cspm_engine.py runs against AWS Config, Azure Policy, and GCP Security Command Center via their native APIs. cspm_rules/ ships the rule pack. Findings render in cspm-{dashboard,findings,control-detail}.html with full drill-through to the underlying AWS resource ARN.
Engineering twist
URIP does not deploy a cloud-side agent. The customer keeps cloud control. Every dollar saved by tooling rationalisation goes into URIP, not into an adjacent product line - there is no adjacent product line.
S/08
Auto-Remediation
RTR · Ansible · Fortinet · CyberArk executors
Implication-check → approval → retest
auto_remediation_service.py orchestrates four executors today - CrowdStrike RTR for endpoint, Ansible for OS-level config drift, Fortinet for firewall rules, CyberArk for credential rotation. Every action runs through a three-step pipeline: implication-check (what does this break?), approval-gate (who signs off?), retest (did the fix close the finding?).
Engineering twist
Auto-remediation never fires without an explicit approval state on the risk record. The implication-check is half the value - the customer sees 'this rotation will invalidate four service-account tokens' before they click Approve, not after.
S/09
VAPT + Bug Bounty
Vendor Portal · structured submission · re-test
External testers feed the same risk register
Separate VAPT vendor login (vapt_vendor_auth middleware), structured submission form with auto-enrichment, retest workflow that closes the loop when the original finding is fixed. Bug Bounty connectors ingest HackerOne, Bugcrowd, and a custom webhook - all flow through the same severity normaliser and fingerprint pipeline.
Engineering twist
VAPT findings carry the testing vendor's identity through to the audit log. When the auditor asks 'who tested?' the answer is one click away, not a separate evidence chase.
S/10
Hybrid Agent
On-prem connector container · zero data exfil
Sensitive identifiers stay on customer network
agent/agent_main.py runs as a Docker container on the customer's network. Connectors execute locally; only normalised, redacted, hash-fingerprinted records cross the boundary to URIP SaaS. Heartbeat + drilldown_responder + reporter form the on-prem trio.
Engineering twist
In Hybrid-SaaS mode, zero sensitive data leaves the customer network. Hostnames, IPs, and credential fragments are hash-fingerprinted before they cross. The cockpit still works - it pivots back through the agent for any record that needs the raw identifier.
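One way to fingerprint identifiers at the boundary, as an added example (not the code in agent/agent_main.py; the page does not say which hash construction the agent uses). It assumes HMAC-SHA256 under a key that stays on the customer network, because an unkeyed hash of an IPv4 address or a guessable hostname can be reversed by enumeration; the class, field names, key and record are hypothetical.

```python
import hashlib
import hmac

SENSITIVE_FIELDS = ("hostname", "ip", "mac")   # assumed field names


class BoundaryRedactor:
    """Replaces raw identifiers with keyed fingerprints before upload."""

    def __init__(self, site_key: bytes):
        if len(site_key) < 32:
            raise ValueError("site key must be at least 32 bytes")
        self._key = site_key
        self._pivot = {}   # fingerprint -> raw value; kept on the agent only

    def fingerprint(self, field: str, value: str) -> str:
        # The field name is mixed in so equal strings in different fields differ.
        msg = f"{field}\x00{value.strip().lower()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def redact(self, record: dict) -> dict:
        """Return a copy that is safe to send: raw identifiers are dropped."""
        out = {}
        for name, value in record.items():
            if name in SENSITIVE_FIELDS:
                fp = self.fingerprint(name, value)
                self._pivot[fp] = value
                out[name + "_fp"] = fp
            else:
                out[name] = value
        return out

    def drilldown(self, fp: str):
        """Resolve a fingerprint locally, as a pivot back through the agent."""
        return self._pivot.get(fp)


# Constructed key and record for illustration only.
DEMO_KEY = bytes(range(32))
RECORD = {"hostname": "EHR-DB-02", "ip": "10.20.30.40", "mac": "00:1a:2b:3c:4d:5e",
          "cve": "CVE-0000-0001", "severity": 8.1}

if __name__ == "__main__":
    agent = BoundaryRedactor(DEMO_KEY)
    print(agent.redact(RECORD))
```

The fingerprint is deterministic per key, so the SaaS side can still de-duplicate on it, while only the agent holding the key and the pivot table can map it back to a hostname or IP.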
S/11
Verification
~2,000 pytest collected · 155 test files · audit-traced
Pytest across services + connectors
pytest collects ~2,030 across parametrised cases - URIP backend, Compliance backend, connectors, CSPM engine, ticketing, VAPT pipeline, Trust Center, Auto-Remediation. Every named CRIT-/HIGH- audit finding (CRIT-005 PyJWT migration, HIGH-009 rate limiting behind reverse proxy, NEW-3 SQLAlchemy 2.0.40 for Python 3.14) has a permanent regression test attached and a comment with the audit ID.
Engineering twist
The version pin comments in requirements.txt double as the test naming convention. When you grep for CRIT-005 you find the dependency change, the test that asserts the old library is absent, and the changelog entry in the same diff.
[ H ] · Roadmap
What ships next.
Each item is named, scoped, and traceable to a decision in the URIP Master Blueprint or the issues inventory - planned work, not aspiration.
R/01 · Scaffold modules
DSPM · AI Security · ZTNA · Attack Path - deeper engine build
Four MVP-scaffold license modules ship with full router/model/schema surfaces (`backend/routers/dspm.py`, `ai_security.py`, `ztna.py`, `attack_path.py`). The deeper engines - DSPM scan discovery, AI model governance, ZTNA posture scoring, and Attack Path graph analysis - are still scaffold depth awaiting analytics back-fill.
R/02 · Connector roadmap
Slack · Snyk DAST · ServiceNow Vuln-Mod
Slack has no directory under `connectors/`. The Snyk connector (`connectors/snyk/`) covers SCA, Container, IaC and SAST scan types; DAST runtime scanning is not implemented. The ServiceNow connector (`connectors/servicenow/`) covers ITSM ticketing; the Vulnerability Module connector is missing.
R/03 · Compliance
SEBI CSCRF · CERT-In advisories framework
SEBI Cybersecurity & Cyber Resilience Framework is absent from the compliance framework seeders. CERT-In connector (`connectors/cert_in/`) ingests advisories as findings, but there is no dedicated CERT-In compliance framework for audit-grade control mapping yet.
[ I ] · In production
Three customers. Three deployment modes. Same cockpit.
U/01
Eleven-tool consolidation - one cockpit, one audit, no migration.
A 1,000-person robotics manufacturer with Tenable, CrowdStrike, SentinelOne, Zscaler, Netskope, MS Entra, ManageEngine, Armis, Burp, GTB, and CloudSEK. URIP installed in three screens, ingested all eleven sources within an hour, surfaced 2,847 deduplicated assets and a single composite-scored risk register on day one. SOC 2 dashboard populated within an hour of the first poll.
U/02
Hybrid-SaaS for regulated workloads - sensitive identifiers stay on-prem.
A healthcare customer required that PII / PHI never leave the network. URIP deployed in Hybrid-SaaS mode - connector containers run on customer infrastructure, only hash-fingerprinted findings flow to the SaaS dashboard. Auditors see a unified posture; the data stays where regulation requires it.
U/03
First-time SOC 2 - auditor invited within 48 hours.
A 50-person SaaS startup chasing its first SOC 2. URIP onboarded eight tools across endpoint, identity, cloud, and ticketing. The Compliance dashboard scored against Trust Services 2022 within an hour of the first poll. The auditor was invited the next day with a framework-scoped, time-bound, read-only token. No professional services engagement.
Argument · URIP
We don’t sell security.
We sell visibility on the security you already bought.