Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Vendor Management

The vendor command group manages vendor entities and their evidence documents. Vendors represent external providers (CSPs, SaaS, managed services) or internal teams whose controls your system inherits.

List Vendors

pretorin vendor list
pretorin vendor list --search aws --risk-tier critical --assessment-status submitted

vendor list follows the paginated public API and fetches all matching vendors by default. Filters include --search, --type, --risk-tier, --owner-user-id, --assessment-status, --sort-by, and --sort-dir.

Create a Vendor

pretorin vendor create "AWS" --type csp --description "Primary cloud provider" \
  --authorization-level "FedRAMP High P-ATO" \
  --inherent-risk high

Vendor Types

TypeDescription
cspCloud Service Provider
saasSoftware as a Service
managed_serviceManaged service provider
internalInternal team or shared service

Vendor Risk Bands

inherent_risk and residual risk_tier use the shared risk-band vocabulary: low, moderate, high, critical.

medium is accepted as a deprecated input alias for moderate during the platform migration window. CLI create/update commands normalize it to moderate and print a warning in human-readable output.

Get Vendor Details

pretorin vendor get <vendor_id>

Update a Vendor

pretorin vendor update <vendor_id> --name "AWS GovCloud" --authorization-level "FedRAMP High"
pretorin vendor update <vendor_id> --inherent-risk critical --owner-user-id <user_id>

Delete a Vendor

pretorin vendor delete <vendor_id>
pretorin vendor delete <vendor_id> --force  # skip confirmation

Vendor History

pretorin vendor history <vendor_id>
pretorin vendor history <vendor_id> --limit 25

Upload Vendor Documents

Upload SOC 2 reports, Customer Responsibility Matrices (CRMs), FedRAMP packages, or other vendor evidence:

pretorin vendor upload-doc <vendor_id> ./aws-soc2-report.pdf \
  --name "AWS SOC 2 Type II" \
  --description "Annual SOC 2 report covering 2025" \
  --attestation-type third_party_attestation

Attestation Types

TypeDescription
self_attestedVendor’s own assertion
third_party_attestationIndependent auditor report (SOC 2, FedRAMP)
vendor_providedDocumentation provided by vendor

List Vendor Documents

pretorin vendor list-docs <vendor_id>

Assessment Templates

Vendor assessment templates are shared across the public API, CLI, MCP, and platform UI. Seed templates are read-only; org-scoped custom or imported templates can be deleted.

pretorin vendor template list
pretorin vendor template get <template_id>
pretorin vendor template delete <template_id> --force

Import SIG-Lite or CAIQ-Lite workbooks in two steps. The default is a dry-run preview; pass --apply and --acknowledge-license-rights to persist the template.

pretorin vendor template import ./sig-lite.xlsx --source-format sig_lite
pretorin vendor template import ./sig-lite.xlsx --source-format sig_lite \
  --apply --acknowledge-license-rights

--source-format accepts sig_lite or caiq_lite.

Vendor Assessments

Launch, fill, submit, score, and review assessments against a vendor:

pretorin vendor assessment launch <vendor_id> --template-id <template_id>
pretorin vendor assessment list <vendor_id>
pretorin vendor assessment get <vendor_id> <assessment_id>

Save responses from JSON. The payload can be a list of answer objects or an object with an answers list:

pretorin vendor assessment save-responses <vendor_id> <assessment_id> \
  --answers-file ./answers.json
pretorin vendor assessment submit <vendor_id> <assessment_id>
pretorin vendor assessment score <vendor_id> <assessment_id>

Each answer includes question_ref plus optional answer, comment, and evidence_item_id.

[
  {
    "question_ref": "q-1",
    "answer": true,
    "comment": "Confirmed in the vendor SOC 2 report.",
    "evidence_item_id": "ev-123"
  }
]

Finalize the assessment with the NIST 800-30 five-point residual likelihood/impact scale: very_low, low, moderate, high, very_high. If AI advisory scoring was unavailable, pass --acknowledge-no-ai-review.

pretorin vendor assessment review <vendor_id> <assessment_id> \
  --residual-likelihood low \
  --residual-impact moderate \
  --acknowledge-no-ai-review

Once vendors are created and documents uploaded, use the MCP tools or platform to set control responsibility edges:

  • set_control_responsibility — Mark controls as inherited/shared
  • generate_inheritance_narrative — AI-draft inheritance narratives from vendor docs
  • get_stale_edges / sync_stale_edges — Monitor and sync inheritance