Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Vendor Management

The vendor command group manages vendor entities and their evidence documents. Vendors represent external providers (CSPs, SaaS, managed services) or internal teams whose controls your system inherits.

List Vendors

pretorin vendor list
pretorin vendor list --search aws --risk-tier critical --assessment-status submitted

vendor list follows the paginated public API and fetches all matching vendors by default. Filters include --search, --type, --risk-tier, --owner-user-id, --assessment-status, --sort-by, and --sort-dir.

Create a Vendor

pretorin vendor create "AWS" --type csp --description "Primary cloud provider" \
  --authorization-level "FedRAMP High P-ATO" \
  --inherent-risk high

Vendor Types

TypeDescription
cspCloud Service Provider
saasSoftware as a Service
managed_serviceManaged service provider
internalInternal team or shared service

Vendor Risk Bands

inherent_risk and residual risk_tier use the shared risk-band vocabulary: low, moderate, high, critical.

medium is accepted as a deprecated input alias for moderate during the platform migration window. CLI create/update commands normalize it to moderate and print a warning in human-readable output.

Get Vendor Details

pretorin vendor get <vendor_id>

Update a Vendor

pretorin vendor update <vendor_id> --name "AWS GovCloud" --authorization-level "FedRAMP High"
pretorin vendor update <vendor_id> --inherent-risk critical --owner-user-id <user_id>

Delete a Vendor

pretorin vendor delete <vendor_id>
pretorin vendor delete <vendor_id> --force  # skip confirmation

Vendor History

pretorin vendor history <vendor_id>
pretorin vendor history <vendor_id> --limit 25

Upload Vendor Documents

Upload SOC 2 reports, Customer Responsibility Matrices (CRMs), FedRAMP packages, or other vendor evidence:

pretorin vendor upload-doc <vendor_id> ./aws-soc2-report.pdf \
  --name "AWS SOC 2 Type II" \
  --description "Annual SOC 2 report covering 2025" \
  --attestation-type third_party_attestation

Attestation Types

TypeDescription
self_attestedVendor’s own assertion
third_party_attestationIndependent auditor report (SOC 2, FedRAMP)
vendor_providedDocumentation provided by vendor

List Vendor Documents

pretorin vendor list-docs <vendor_id>

Once vendors are created and documents uploaded, use the MCP tools or platform to set control responsibility edges:

  • set_control_responsibility — Mark controls as inherited/shared
  • generate_inheritance_narrative — AI-draft inheritance narratives from vendor docs
  • get_stale_edges / sync_stale_edges — Monitor and sync inheritance