URIP is a multi-tenant platform that turns any company’s existing security tools into one live risk dashboard and one continuously audit-ready compliance dashboard — on the same data layer. Pick the tools you own. Enter API keys. Watch twenty-five consoles collapse into one pane.
No customer is ever told “we don’t support that tool.” They’re told “implement four methods, or we’ll build it for you.”
— The universal connector framework promisePoint solutions run one layer well — compliance, threat intel, CSPM, endpoint. URIP is the cockpit on top of whatever stack you already own — unifying risk, compliance, auto-remediation, and vendor collaboration in one pane.
URIP (Unified Risk Intelligence Platform) aggregates findings from your existing security stack, enriches every finding with live exploit and threat-actor intelligence, and renders the result as two linked dashboards on a single tenant.
“Where am I most exposed today?”
“If the audit landed next week, would we pass?”
URIP is not a point solution. It is an intelligence overlay. Here is how that changes every architectural assumption.
| Assumption | Vertically-Integrated Vendors | URIP |
|---|---|---|
| Data ownership | Findings live in the vendor’s cloud | Sensitive data stays on your network (Hybrid-SaaS) |
| Tool coverage | Only the vendor’s own agent or scanner | Any tool with an API — 25+ categories today |
| Risk × Compliance linkage | Risk and compliance are separate products with separate data | One tenant. One schema. One pane. |
| Scoring transparency | Opaque AI or black-box scoring | Deterministic formula — CVSS × 0.55 + EPSS × 2.5 + KEV + tier |
| Vendor portal | No dedicated vendor portal for external pentesters | Scoped VAPT vendor login with auto-enrichment |
| Auto-remediation | Auto-remediation limited to the vendor’s own ecosystem | CrowdStrike RTR + Ansible + CyberArk — gated by safety checks |
| Deployment flexibility | SaaS-only deployment; no on-prem or hybrid option | SaaS / On-Prem / Hybrid — same codebase |
| Threat intel depth | Proprietary threat feeds with no open-standard scoring | EPSS + KEV + MITRE ATT&CK + OTX + CloudSEK — all live |
| Pricing model | All-or-nothing platform licensing | Per-module subscription — pay only for what you turn on |
| Connector extensibility | “We don’t support that tool” — category gaps common | “Implement four methods, or we’ll build it for you” |
The same flow runs for the 50-person SaaS startup chasing SOC 2 and the 1000-person manufacturer with eleven tools.
Tenant provisioned with its own slug, encryption key and database scope. Upload logo, pick colors, set the app name. Login pages, dashboards, exports and auditor invites carry your brand.
A grid of every supported vendor — one-line description, setup difficulty, freshness target, and a status pill. Click each tool you own. Universal framework means every category is selectable.
Per-tool guided wizard with inline help and the vendor’s API doc link. Click Test Connection — in 2–4 seconds you see “Connected. Found 2,847 assets.” or the exact remediation step.
Credentials saved to a per-tenant Fernet vault. The 15-minute poll cycle starts. Risk dashboard fills within minutes; compliance dashboard within an hour. Auditor invite can go out the same day.
URIP is a vendor-agnostic orchestration layer. It sits above your existing security stack — aggregating findings, normalising into one schema, scoring with the 5-lens engine, and routing to the consumers that matter.
URIPRiskRecord schemaA typical 7,000-endpoint enterprise rollout runs through six neutral waves — outcomes per wave, not calendar dates. A 50-person SaaS startup with 5 connectors completes Waves A–D in a fraction of the time.
First two connectors stood up (typically VM + EDR). OT access pattern decided. Asset fingerprinting active. Managed / Unmanaged / Unknown classification engaged.
Risk register populated. Composite scoring computing on every finding. Pending Days counters running. Remediation steps auto-fetched from NVD. VAPT Vendor Portal stood up.
Risk Acceptance Workflow with HoD digital sign-off. Jira / ServiceNow bidirectional ticketing wired. Advisory Applicability Engine classifying every advisory.
Executive Security Posture Dashboard. Board + CERT-In compliance reports. APT tagging + IOC matching active on every applicable risk. Role-based access tightened.
Long-tail tools connected (PAM, NAC, DLP, DAST). UAT cycle with the IT team. Auto-Remediation script library piloted on a controlled set of CVE classes.
Auto-Remediation pipeline goes live (gated by Implication Check + Approval Gate). Performance testing under load. Ops handover documentation.
Every finding moves through the same six-stage pipeline — deterministic, auditable, and re-runnable. No black boxes.
Pull live feeds from 25 disparate risk sources via read-only APIs and webhooks.
Deduplicate via asset fingerprinting (MAC + Hostname + IP) and normalize to a 0–10 scale.
Apply the 5-layer filter — CVSS, EPSS, CISA KEV, Asset Tier, MITRE ATT&CK / OTX.
Auto-route to the named domain owner (Network / Cloud / Identity) and trigger SLA timers.
Attach mitigation steps. Push automated playbooks via CrowdStrike RTR / Ansible / CyberArk API.
Generate clean CISO dashboards, framework score snapshots and audit-ready board packs.
Behind every scored risk is a deterministic engine that normalises, fingerprints, matches, fetches and orchestrates — no black boxes, no opaque ML.
Maps every vendor’s severity vocabulary — Tenable’s CVSS, SentinelOne’s threat level, CrowdStrike’s criticality — into one unified 0–10 scale before scoring begins.
Correlates MAC + hostname + IP + cloud instance ID to deduplicate findings across overlapping tools. One asset, one truth — no phantom duplicates inflating your register.
Classifies every CERT-In / US-CERT / ENISA advisory against your live asset inventory. “Does this advisory apply to anything we actually own?” Answered automatically.
Auto-fetches vendor patches, workarounds and configuration steps from NVD and vendor KBs for every scored CVE. Remediation steps arrive with the risk, not two days later.
Orchestrates the poll cycle, health checks, drift detection and credential rotation for all 25+ connectors. If a connector goes silent, the engine escalates — never hides.
A theoretical CVSS 9.8 means nothing if no exploit exists. URIP layers exploit probability, federal exploitation status, business-asset criticality, and threat-actor context. The output is one ranked priority score per finding — ACT NOW / ACT / ATTEND / TRACK.
Every CVE that lands in URIP is run through a four-input formula plus an enrichment layer, producing a single 0–10 composite score.
APT attribution — MITRE ATT&CK CVE-to-group mapping. “This CVE is exploited by APT41 (T1190 Exploit Public-Facing Application). You are in their target sector. Treat as Critical.”
IOC matches — AlienVault OTX pulses. “This C2 IP from your Zscaler logs matches an active OTX pulse from yesterday.”
Who is attacking, how, and are they targeting your specific sector? URIP joins live geo-cluster activity, APT actor mapping, and industry-vertical filtering against the CVEs already alive in your environment.
Live visualisation of global attack clusters
Actor groups mapped to active CVEs in your environment
Threats actively targeting your industry vertical
Every input maps into one of two layers — 9 Core Risk Inputs that produce findings, and 5 Contextual Security Connectors that enrich them with business context. The universal four-method framework + simulator means every category is selectable today — even before the real connector is configured.
Primary findings · CVEs, exploits, attacker activity
Context that turns CVEs into composite scores
Every tool’s raw output — a Tenable scan blob, a SentinelOne threat record, a Zscaler URL block, an Entra riskEventType — maps to one internal URIPRiskRecord schema before scoring. The risk register, the dashboard, the workflow, the SLA service, the audit log all consume the same shape.
This is the difference between “we built 29 connectors” and “we built one connector the same way — and 25+ source categories ride the same rails.”
class Connector: def authenticate() -> AuthState def fetch_findings(since: datetime) -> list[RawFinding] def normalize(raw: RawFinding) -> URIPRiskRecord def health_check() -> ConnectorHealth
Implement four methods. Provide a severity mapping. Register in the catalog. Ship. The plumbing — encrypted credentials, scheduling, normalization, scoring, audit logging — is already done.
The Compliance dashboard runs as a separate FastAPI service on port 8001 with its own database — and can also run standalone for prospects who want only audit-readiness.
Stop receiving 60-page PDFs. External VAPT vendors log in to a sandboxed portal, submit findings via a structured form, and URIP enriches every finding with EPSS / KEV / asset-tier context before it lands in your SPOC’s queue.
Vendor emails a PDF report. Internal team manually parses every finding. Re-keyed into Excel with formatting errors. Two-week lag before the CISO sees the first risk — by which point the EPSS score has already shifted.
Your vendor logs in to a sandboxed portal at vapt-portal-login.html. Submits findings through a real-time validated form. URIP auto-enriches and assigns to the right internal SPOC within seconds.
External pentester logs in to a sandboxed environment with time-bound access tied to the engagement window.
Real-time validated fields. Vendor inputs the finding once — URIP captures every field needed for scoring.
Submission triggers the URIP scoring engine instantly — same formula, same enrichment as native connector findings.
The full vendor lifecycle — invite to closure — lives inside the URIP admin console.
Settings → Vendor Access → Invite VAPT Vendor. Enter the vendor’s name and contact email.
Pick the asset tiers in scope, the engagement window (start / end), permitted CVE classes, and re-test allowance.
Vendor receives a signed email link. Sets a password. Lands in the sandboxed vendor portal — nothing else of yours visible.
Each submission is enriched and routed. Your SPOC sees a normal Risk Register row. Vendor sees only the closure status.
Sign in to the scoped vendor sandbox — you’ll see only your own submissions and re-test requests.
Weaponised risks with available patches don’t sit in queues. URIP’s gated automation checks implications, gets approval, executes the fix, and re-tests — closing the loop without manual handoff.
Real-time response patching endpoints remotely. Isolates, patches, and releases without agent re-deployment.
Server configuration fixes and firewall rule adjustments pushed through your existing automation mesh.
Auto-resetting compromised admin credentials and rotating secrets the moment a PAM breach is detected.
The ‘Implication Check’ ensures expected downtime and rollback plans are verified before any script executes. Low-impact assets auto-execute. Tier-1 assets trigger a “Require SPOC Approval” button.
The same multi-tenant isolation that keeps Customer A invisible to Customer B keeps your VAPT vendor invisible to your network internals.
Full unrestricted access within their own tenant boundary.
Domain-scoped operator who owns remediation for their assigned slice.
External pentester or auditor with sandboxed access — cannot see the network they’re testing.
Posture-level visibility for governance reporting — no operational raw data.
Enterprise buyers no longer email security@ with 80-question worksheets. Your Trust Center publishes live posture evidence, compliance certifications, penetration-test summaries and data-processing agreements — all kept current by URIP itself.
Real-time control-pass rates, open-critical-risk counts and framework grades update automatically as your URIP tenant evolves. No stale PDFs.
SOC 2 Type 2, ISO 27001, PCI DSS and HIPAA attestation documents with expiry tracking and automatic re-validation reminders.
Scoped, anonymised VAPT results with remediation status and re-test closure. Buyers see proof, not promises.
Auto-generated DPA / BAA documents mapped to the actual sub-processors and data flows in your deployment mode.
Complete list of every third-party service URIP touches, with geo-location, data-classification and opt-out paths where applicable.
Prospects sign an e-NDA and get time-bounded, read-only access to your Trust Center — zero sales-engineer friction.
Disabled modules are dark in the UI (route guards) and inactive in the backend (decorator checks). Three-layer enforcement: UI, API, connector data plane.
Risk register, scoring engine, dashboard, workflow, audit log, reports, EPSS + KEV + MITRE + OTX enrichment, multi-tenancy, white-label theming.
Tenable + Qualys + Rapid7 + CrowdStrike Spotlight connectors for full vulnerability scan ingestion.
SentinelOne + CrowdStrike Falcon + Defender for Endpoint + ManageEngine EC + MDM.
Zscaler + Netskope + Palo Alto + Fortigate + CloudSEK external threat surface.
Microsoft Entra + Okta + Google Workspace identity-risk telemetry.
SharePoint + OneDrive + Teams + Slack + Confluence sharing & data-loss signals.
ServiceNow + Jira + ManageEngine SDP — bidirectional ticketing for active remediation.
Burp Suite Enterprise + OWASP ZAP + Acunetix — dynamic application security testing.
GTB + Forcepoint + Symantec DLP — data-exfiltration and insider-risk telemetry.
AWS CSPM + Azure CSPM + GCP CSPM connectors live in production. Continuous misconfig detection across every cloud account.
7-framework engine, control monitoring, evidence automation, policy management, access reviews, vendor risk, incident lifecycle, asset inventory, auditor portal, framework-specific reports.
Pure SaaS for fastest time-to-value. On-Premise for maximum sovereignty. Hybrid-SaaS for the best of both.
We host everything. The customer logs in to their tenant.urip.io subdomain. Fastest time-to-value, standard SaaS commercial model.
Quickest deploymentCloud portal for UI & intelligence. A Docker agent inside your network for connectors and raw storage. Sensitive identifiers never leave your network.
Procurement-clearing for regulated buyersThe customer hosts everything. Maximum data sovereignty. Same codebase, same UX. Zero operational burden on us.
Air-gap compatibleThe only thing crossing from your network to our cloud is a tiny JSON envelope of summary metrics — risk scores, control pass/fail counts, compliance percentages, connector heartbeats. Same architectural pattern CrowdStrike Falcon, Tenable Nessus Agent and Splunk Forwarder use to clear procurement at regulated buyers.
Boring tech where it counts — so the smart stuff (scoring, enrichment, linkage) gets all the attention.
URIP is the only platform that says “this CVE is what’s breaking your SOC 2 control CC7.1, on this Tier-1 asset, owned by this person, with EPSS 0.92 and KEV-active.”
Bring any tool. Implement four methods. Auto-register in the catalog. The plumbing — encrypted credentials, polling, normalization, scoring, audit logging, health monitoring — is done.
Sensitive vulnerability data — IP addresses, hostnames, usernames, evidence files — stays on your network. The cloud only ever sees summary scores.
Single-vendor platforms optimise for lock-in. URIP optimises for the customer’s existing stack.
You already bought Tenable, CrowdStrike and Zscaler for a reason. URIP unifies them instead of replacing them. No rip-and-replace. No sunk-cost waste.
Hybrid-SaaS keeps IPs, hostnames and evidence on your network. Vertically-integrated vendors force everything into their cloud to train their models.
Our composite score is a formula you can audit. No opaque “AI risk rating” that changes overnight with no explanation.
Four methods. One registry. Any tool. A vendor with its own scanner has zero incentive to support competitors’ data feeds.
When a control fails, URIP shows the exact CVE, its EPSS, the APT exploiting it, and the Tier-1 asset affected. No competitor has both sides.
Subscribe to Core + Compliance only, or run all eleven modules. You are not taxed for capabilities you will never use.
Auto-remediation playbooks target CrowdStrike, Ansible and CyberArk — whichever tool the customer already owns. No forced ecosystem.
Customer security questionnaires. SOC 2 Type 2 / ISO 27001. 5–15 security tools, no dedicated SOC.
Multi-customer audit pressure, on-prem OT, procurement requirement that vendor data not leave the customer network — the Hybrid-SaaS sweet spot.
Wants ONE pane — risk register, threat intelligence, compliance status, evidence, auditor portal — without rebuilding the data layer themselves.
DPO buyer, no CISO involvement, want only audit-readiness. Buy the standalone Compliance Module without the URIP risk layer.
The same onboarding flow runs for the 50-person startup and the 1,000-person enterprise.
Read-only is fine for almost everything. ManageEngine SDP needs write for bidirectional ticketing. Vendor-published scopes only.
Configures the workspace — brand, frameworks, module subscriptions, user invitations.
Pure SaaS — allowlist our cloud IP at egress. Hybrid-SaaS — allow the Docker agent’s outbound HTTPS to our cloud.
Required if Identity / Collaboration modules are subscribed. Least-privilege scopes documented in the per-tool wizard.
If DAST module is subscribed — Burp Pro alone does not expose the full programmatic API.
Every capability listed below runs against the real upstream API in production today.
Disabled modules are dark in the UI and inactive in the backend. A startup might subscribe to Core + Compliance only. An enterprise might run all sixteen.
Each tenant subscribes to exactly the capability modules they need. Core is always-on and bundled. Compliance is the strategic upsell that moves the conversation from operational tooling to board-level GRC.
One subscription replaces a typical bundle of compliance automation, external threat intel, manual audit-prep consultants, and the operational overhead of managing multiple dashboards — while adding the Risk × Control linkage neither vendor in your existing stack offers.
A modest VPS on the customer side runs the on-prem Docker agent (a 2 vCPU / 4 GB instance is enough for most tenants). The cloud portal is included in the URIP subscription — no extra hosting line item.
URIP is a unifier and a scaffold, not a do-everything platform. Six things URIP explicitly does not do:
We integrate with CloudSEK — they run the crawler infrastructure (Tor, residential proxies, Telegram scraping, paid DNS feeds). We surface their alerts inside the unified URIP dashboard with EPSS + KEV + asset-tier prioritisation on top.
URIP surfaces and prioritises risks. It does not respond to incidents. Your security team or SOC vendor still owns response. URIP is the unified pane on which they triage.
We do not build security training content. Training-completion telemetry from KnowBe4, Hoxhunt or Cybeready can be ingested via the universal connector framework when those modules are enabled.
We do not perform background verification. BGV status from AuthBridge or OnGrid can be ingested as compliance evidence via the connector framework.
We make audits easy — automated evidence collection, control monitoring, policy tracking, reporting, the auditor portal. The customer still owns control design, policy approvals, vendor selection and the audit engagement itself.
Framework templates and policies are starting points. Your legal / compliance counsel must review and tailor them for your jurisdiction and customer contracts.
See one number. Drill to one CVE. Fix one ticket. Both dashboards on one screen.