Map assets, threats, and vulnerabilities, score risk with a transparent model, assign treatments, and track residual risk with live dashboards and audit-ready logs.
From discovery to treatment to evidence, everything stays linked and auditable.
Link assets to relevant threats and vulnerabilities, with deduping and criticality inherited from asset CIA scoring.
Combine Asset Value (CIA), CVSS/vulnerability severity, Threat Impact, Likelihood, and Control Effectiveness to compute inherent and residual risk.
Accept, Avoid, Transfer, or Mitigate with controls, owners, due dates, SLAs, and escalation paths.
Custom fields, status transitions, evidence attachments, and immutable activity logs.
Portfolio heatmaps, trend lines, overdue treatments, and top risks by asset, owner, or control gap.
Auto-recalculate on changes, notify owners, and push tasks to tickets or chat when thresholds are breached.
Everything you need to run a living risk program.
Import CSV/JSON or use the API. Auto-map CVSS, dedupe findings, and link to affected assets.
Maintain a reusable threat catalogue per sector, with default impacts/likelihood presets you can tune.
Adjust weightings for CIA, CVSS, Likelihood, and Control Effectiveness. Toggle uncertainty buffers and caps.
Link primary and secondary controls, effectiveness levels, and test results to compute residual risk.
Cascade risk via asset relationships (e.g., shared services) to avoid blind spots and concentration risk.
Time-stamped actions, e-sign approvals, and exportable registers for boards, customers, and regulators.
Opinionated defaults; fully configurable for your risk methodology.
Sync or import assets with owners and CIA. Classify and tag for reporting and access control.
Pull in findings and attach relevant threats. Auto-suggest linkages based on asset type and tags.
Compute using CIA + CVSS + Likelihood + Impact with tunable weights and ranges.
Choose Accept/Avoid/Transfer/Mitigate; assign controls, owners, due dates, and success criteria.
Recalculate automatically as controls land. Monitor deltas and escalate on missed SLAs.
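The scoring steps above (asset CIA value, CVSS, impact and likelihood presets, tunable weights with a cap and uncertainty buffer, then control effectiveness driving residual risk) as a worked example. This is an added illustrative model, not PurpleWASP's own formula: the weights, the 1-5 preset scales, and the layered-control combination are assumptions chosen so the arithmetic is transparent and checkable.

```python
from dataclasses import dataclass

# Assumed, illustrative model (not the product's real formula).
@dataclass
class Weights:
    cia: float = 0.30
    cvss: float = 0.30
    impact: float = 0.20
    likelihood: float = 0.20
    uncertainty_buffer: float = 0.0   # added when evidence is thin
    cap: float = 10.0                 # ceiling on the inherent score

    def __post_init__(self) -> None:
        # A governed model should refuse weights that silently skew the scale.
        total = self.cia + self.cvss + self.impact + self.likelihood
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"weights must sum to 1, got {total}")

@dataclass
class Control:
    name: str
    effectiveness: float  # 0..1 share of the linked risk it removes
    test_passed: bool     # a failed or untested control contributes nothing

def asset_value(c: int, i: int, a: int) -> float:
    """Asset criticality inherited from CIA ratings (1-5 each), scaled to 0-10."""
    return max(c, i, a) * 2.0

def inherent_risk(cia: float, cvss: float, impact: int, likelihood: int, w: Weights) -> float:
    """Weighted sum of 0-10 factors; impact and likelihood are 1-5 presets scaled to 0-10."""
    score = (w.cia * cia + w.cvss * cvss
             + w.impact * impact * 2 + w.likelihood * likelihood * 2)
    return min(score + w.uncertainty_buffer, w.cap)

def combined_effectiveness(controls: list[Control]) -> float:
    """Primary and secondary controls layer: each passing control removes its share of what remains."""
    remaining = 1.0
    for ctl in controls:
        if ctl.test_passed:
            remaining *= 1.0 - ctl.effectiveness
    return 1.0 - remaining

def residual_risk(inherent: float, controls: list[Control]) -> float:
    """Residual risk after tested controls; recompute whenever a control or test result changes."""
    return inherent * (1.0 - combined_effectiveness(controls))

if __name__ == "__main__":
    w = Weights(uncertainty_buffer=0.5)
    inh = inherent_risk(asset_value(5, 4, 3), 9.8, impact=4, likelihood=3, w=w)
    ctls = [Control("WAF rule", 0.6, True), Control("Patch", 0.5, False)]  # constructed sample
    print(f"inherent={inh:.2f} residual={residual_risk(inh, ctls):.2f}")
```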
Meet teams where they work; keep evidence centralized.
Same hardened, multi-tenant foundation as the rest of PurpleWASP.
Per-org databases with least-privilege DB users and strict query boundaries.
Fine-grained permissions, SSO/SAML/SCIM, optional MFA, and session hardening.
TLS in transit; at-rest encryption; optional field-level encryption for sensitive fields.
Every change is attributed and time-stamped. Exportable for audits and customers.
Aligned to ISO 27001 controls and common frameworks; easy evidence capture.
Configurable retention, undelete windows, and legal hold for investigations.
Faster cycles, consistent scoring, and provable outcomes.
| Capability | Manual / Ad-hoc | PurpleWASP Risk Management |
|---|---|---|
| Data freshness | Static sheets; stale quickly | Auto-recalc on changes; live heatmaps |
| Scoring consistency | Subjective; variable formulas | Governed model with tunable weights and audit trail |
| Accountability | Unclear owners & SLAs | Named owners, due dates, escalations, immutable logs |
| Reporting | Manual collation | Dashboards, exports, board-ready summaries |
| Controls linkage | Decoupled from risk items | Primary/secondary controls with effectiveness → residual risk |
Answers for risk owners and auditors.
Select an asset, link a threat & vulnerability, and publish the treatment plan with a due date.
Tune weightings, scales, and thresholds. Define risk appetite and escalation rules.
All actions are logged with timestamps and actors for full traceability.