Vendor Management
The vendor command group manages vendor entities and their evidence documents. Vendors represent external providers (CSPs, SaaS, managed services) or internal teams whose controls your system inherits.
List Vendors
pretorin vendor list
pretorin vendor list --search aws --risk-tier critical --assessment-status submitted
vendor list follows the paginated public API and fetches all matching vendors by
default. Filters include --search, --type, --risk-tier, --owner-user-id,
--assessment-status, --sort-by, and --sort-dir.
Create a Vendor
pretorin vendor create "AWS" --type csp --description "Primary cloud provider" \
--authorization-level "FedRAMP High P-ATO" \
--inherent-risk high
Vendor Types
| Type | Description |
|---|---|
csp | Cloud Service Provider |
saas | Software as a Service |
managed_service | Managed service provider |
internal | Internal team or shared service |
Vendor Risk Bands
inherent_risk and residual risk_tier use the shared risk-band vocabulary:
low, moderate, high, critical.
medium is accepted as a deprecated input alias for moderate during the
platform migration window. CLI create/update commands normalize it to
moderate and print a warning in human-readable output.
Get Vendor Details
pretorin vendor get <vendor_id>
Update a Vendor
pretorin vendor update <vendor_id> --name "AWS GovCloud" --authorization-level "FedRAMP High"
pretorin vendor update <vendor_id> --inherent-risk critical --owner-user-id <user_id>
Delete a Vendor
pretorin vendor delete <vendor_id>
pretorin vendor delete <vendor_id> --force # skip confirmation
Vendor History
pretorin vendor history <vendor_id>
pretorin vendor history <vendor_id> --limit 25
Upload Vendor Documents
Upload SOC 2 reports, Customer Responsibility Matrices (CRMs), FedRAMP packages, or other vendor evidence:
pretorin vendor upload-doc <vendor_id> ./aws-soc2-report.pdf \
--name "AWS SOC 2 Type II" \
--description "Annual SOC 2 report covering 2025" \
--attestation-type third_party_attestation
Attestation Types
| Type | Description |
|---|---|
self_attested | Vendor’s own assertion |
third_party_attestation | Independent auditor report (SOC 2, FedRAMP) |
vendor_provided | Documentation provided by vendor |
List Vendor Documents
pretorin vendor list-docs <vendor_id>
Assessment Templates
Vendor assessment templates are shared across the public API, CLI, MCP, and platform UI. Seed templates are read-only; org-scoped custom or imported templates can be deleted.
pretorin vendor template list
pretorin vendor template get <template_id>
pretorin vendor template delete <template_id> --force
Import SIG-Lite or CAIQ-Lite workbooks in two steps. The default is a dry-run
preview; pass --apply and --acknowledge-license-rights to persist the
template.
pretorin vendor template import ./sig-lite.xlsx --source-format sig_lite
pretorin vendor template import ./sig-lite.xlsx --source-format sig_lite \
--apply --acknowledge-license-rights
--source-format accepts sig_lite or caiq_lite.
Vendor Assessments
Launch, fill, submit, score, and review assessments against a vendor:
pretorin vendor assessment launch <vendor_id> --template-id <template_id>
pretorin vendor assessment list <vendor_id>
pretorin vendor assessment get <vendor_id> <assessment_id>
Save responses from JSON. The payload can be a list of answer objects or an
object with an answers list:
pretorin vendor assessment save-responses <vendor_id> <assessment_id> \
--answers-file ./answers.json
pretorin vendor assessment submit <vendor_id> <assessment_id>
pretorin vendor assessment score <vendor_id> <assessment_id>
Each answer includes question_ref plus optional answer, comment, and
evidence_item_id.
[
{
"question_ref": "q-1",
"answer": true,
"comment": "Confirmed in the vendor SOC 2 report.",
"evidence_item_id": "ev-123"
}
]
Finalize the assessment with the NIST 800-30 five-point residual
likelihood/impact scale: very_low, low, moderate, high, very_high.
If AI advisory scoring was unavailable, pass --acknowledge-no-ai-review.
pretorin vendor assessment review <vendor_id> <assessment_id> \
--residual-likelihood low \
--residual-impact moderate \
--acknowledge-no-ai-review
Related: Control Inheritance
Once vendors are created and documents uploaded, use the MCP tools or platform to set control responsibility edges:
set_control_responsibility— Mark controls as inherited/sharedgenerate_inheritance_narrative— AI-draft inheritance narratives from vendor docsget_stale_edges/sync_stale_edges— Monitor and sync inheritance