Vendor Management
The vendor command group manages vendor entities and their evidence documents. Vendors represent external providers (CSPs, SaaS, managed services) or internal teams whose controls your system inherits.
List Vendors
pretorin vendor list
pretorin vendor list --search aws --risk-tier critical --assessment-status submitted
vendor list follows the paginated public API and fetches all matching vendors by
default. Filters include --search, --type, --risk-tier, --owner-user-id,
--assessment-status, --sort-by, and --sort-dir.
Create a Vendor
pretorin vendor create "AWS" --type csp --description "Primary cloud provider" \
--authorization-level "FedRAMP High P-ATO" \
--inherent-risk high
Vendor Types
| Type | Description |
|---|---|
csp | Cloud Service Provider |
saas | Software as a Service |
managed_service | Managed service provider |
internal | Internal team or shared service |
Vendor Risk Bands
inherent_risk and residual risk_tier use the shared risk-band vocabulary:
low, moderate, high, critical.
medium is accepted as a deprecated input alias for moderate during the
platform migration window. CLI create/update commands normalize it to
moderate and print a warning in human-readable output.
Get Vendor Details
pretorin vendor get <vendor_id>
Update a Vendor
pretorin vendor update <vendor_id> --name "AWS GovCloud" --authorization-level "FedRAMP High"
pretorin vendor update <vendor_id> --inherent-risk critical --owner-user-id <user_id>
Delete a Vendor
pretorin vendor delete <vendor_id>
pretorin vendor delete <vendor_id> --force # skip confirmation
Vendor History
pretorin vendor history <vendor_id>
pretorin vendor history <vendor_id> --limit 25
Upload Vendor Documents
Upload SOC 2 reports, Customer Responsibility Matrices (CRMs), FedRAMP packages, or other vendor evidence:
pretorin vendor upload-doc <vendor_id> ./aws-soc2-report.pdf \
--name "AWS SOC 2 Type II" \
--description "Annual SOC 2 report covering 2025" \
--attestation-type third_party_attestation
Attestation Types
| Type | Description |
|---|---|
self_attested | Vendor’s own assertion |
third_party_attestation | Independent auditor report (SOC 2, FedRAMP) |
vendor_provided | Documentation provided by vendor |
List Vendor Documents
pretorin vendor list-docs <vendor_id>
Related: Control Inheritance
Once vendors are created and documents uploaded, use the MCP tools or platform to set control responsibility edges:
set_control_responsibility— Mark controls as inherited/sharedgenerate_inheritance_narrative— AI-draft inheritance narratives from vendor docsget_stale_edges/sync_stale_edges— Monitor and sync inheritance