The core engine. A structured review across 22 security domains — data handling, encryption, identity, offshore access, AI governance, and more. The vendor self-attests; Aegis scores every answer against defined criteria, applies risk floors and escalation triggers, and produces an executive-ready rating with the reasoning attached.
Security & Intelligence Suite
Aegis.
Vendor security, instrumented.
Every vendor that touches sensitive data is a door someone else holds the key to. Aegis is the platform that decides whether to open it — scored, reported, and defensible — instead of a pile of emails and a gut feeling.
01 — The problem
The slowest gate in security is also the most important.
Vendor review is where risk actually enters the building — and it's the part still run on spreadsheets, inboxes, and hope. Aegis instruments it end to end.
Unscored risk
"Seems fine" is not a control. Without a scoring model, every approval is an opinion no one can defend in an audit.
Unverified claims
A vendor says they encrypt, patch, and meet standards. Nobody checks. Aegis checks — independently, against the wire.
No paper trail
When the breach review comes, "we reviewed them" needs evidence: what was asked, what was answered, what was accepted, by whom.
02 — The suite
Six instruments. One verdict.
Each does one job precisely. Together they take a vendor from first contact to a signed, scored risk decision — and keep the receipts.
The standing record. 600+ controls mapped across nine verticals — the living ledger of what's been assessed, what's been mitigated, and what risk was formally accepted, by whom, and when. The institutional memory a security program lives or dies on.
Reconnaissance before the handshake. Aegis sweeps breach history, CVE exposure, news, and public posture, then distills it into a single pre-assessment brief — so you walk into a vendor review already knowing who you're dealing with, not learning it after signing.
Independent verification of what a vendor claims. Headers, TLS configuration, DNS, open ports, certificate health — their attack surface graded at a glance, scored against NIST and industry baselines. Trust, then verify; Aegis does the verifying.
The first question of any review: does this vendor have a history? Type a name and CVE Intel queries the National Vulnerability Database for every known CVE against them — CVSS scores, severity, and a single risk signal from CRITICAL to CLEAN — before the formal review even opens. The recon that comes before the recon.
One pane for the entire suite. Aegis v2 unifies the domain criteria, the scoring engine, the mitigation library, and a dedicated AI-Governance deep-dive into a single platform — built to assess the new shape of vendor risk, where the vendor isn't just software but an autonomous agent with access.
03 — How it thinks
A review isn't a checklist. It's a chain of reasoning.
Intake
The vendor answers a structured survey scoped to exactly what they touch — branching by data class, access model, and footprint. No irrelevant questions, no gaps.
→ scoped survey
Verify
Claims are checked against the wire. Surface Scanner and Dossier confirm — or contradict — what the vendor attested, independent of their word.
→ evidence
Score
Every domain is weighted and scored against defined criteria, with hard risk floors and escalation triggers that no high score elsewhere can override.
→ defensible rating
Report
Out comes an executive risk summary with the reasoning attached — the rating, the conditions, the required mitigations, and the trail of who accepted what.
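The scoring stage of this chain, as an added example that is not Aegis's own code: a weighted total over domains, a hard floor that caps the rating whenever a floored domain falls short, and escalation triggers that fire on survey facts regardless of score. Domain names, weights, floors, trigger keys and rating bands are constructed assumptions.

```python
"""Weighted domain scoring with hard risk floors and escalation triggers.
Added illustration, not Aegis's code: domains, weights, floors, triggers
and rating bands below are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed domains: weight in the total (sums to 1.0) and, where set, a hard
# floor: scoring below it caps the rating no matter how strong the other domains are.
DOMAINS = {
    "data_handling": {"weight": 0.30, "floor": 60},
    "encryption":    {"weight": 0.25, "floor": 70},
    "identity":      {"weight": 0.25, "floor": None},
    "ai_governance": {"weight": 0.20, "floor": None},
}
# Constructed escalation triggers: survey facts that force human sign-off
# independent of the score.
TRIGGERS = {
    "offshore_access": "offshore access to regulated data: CISO sign-off required",
    "agent_write_access": "autonomous agent with write access: architecture review required",
}
RATING_BANDS = [(85, "LOW"), (70, "MODERATE"), (50, "HIGH"), (0, "CRITICAL")]
FLOOR_CAP = "HIGH"  # best rating any vendor can hold while a floor is breached

@dataclass
class Verdict:
    weighted_score: float
    rating: str
    floor_breaches: list = field(default_factory=list)
    escalations: list = field(default_factory=list)

def band(score: float) -> str:
    return next(label for threshold, label in RATING_BANDS if score >= threshold)

def score_vendor(domain_scores: dict, answers: dict) -> Verdict:
    weighted = sum(spec["weight"] * domain_scores[name] for name, spec in DOMAINS.items())
    verdict = Verdict(weighted_score=round(weighted, 1), rating=band(weighted))
    # Risk floors: the weighted total can hide one badly failed domain; the floor cannot.
    for name, spec in DOMAINS.items():
        if spec["floor"] is not None and domain_scores[name] < spec["floor"]:
            verdict.floor_breaches.append(f"{name}: scored {domain_scores[name]}, floor {spec['floor']}")
    if verdict.floor_breaches:
        order = [label for _, label in RATING_BANDS]  # best to worst
        verdict.rating = order[max(order.index(verdict.rating), order.index(FLOOR_CAP))]
    # Escalation triggers fire on facts, not scores, and always reach a human.
    for key, reason in TRIGGERS.items():
        if answers.get(key):
            verdict.escalations.append(reason)
    return verdict
```

A vendor scoring 95/40/90/90 across the four domains averages 79, MODERATE on its own, but the encryption floor pins it to HIGH.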
→ signed decision
Trust is a decision.
Aegis makes it defensible.
Aegis runs in production today, reviewing the vendors that touch real systems in a regulated clinical environment. It is an enterprise instrument — built for security teams that have to answer for their decisions, not a tool we hand out.
Enterprise inquiries →
By request only · Not a public sign-up · Built at midnight, deployed in daylight