CRAG is a sophisticated, real-time vendor risk monitoring prototype designed to automate the governance of third-party ecosystems. It leverages AI-simulated risk scoring, dynamic dashboards, and automated alert systems to provide continuous visibility into the cybersecurity posture of vendors.
- Autonomous Risk Scoring: dynamic scores (0–100) recalculated every 10 seconds by a simulated time-series model (in the current prototype a weighted random walk with mean reversion, not live security feeds).
- Live Governance Dashboard: Real-time KPI cards, risk distribution charts, and auto-refreshing vendor monitor.
- Automated Alerting: Immediate notification system triggered when vendor risk crosses critical thresholds.
- Immutable Audit Trail: Append-only governance ledger tracking every administrative and system event for compliance. In Phase 1 the append-only property is enforced at the application layer (no cryptographic chaining yet; see the roadmap).
- Role-Based Access Control: Secure login views for both Administrators and individual Vendors.
The CRAG engine calculates risk using a weighted dynamic model:
- Baseline Weight: Derived from the vendor's Criticality (Mission-Critical vs. Low Business Impact) and Category (Finance/Cloud vs. Marketing).
- Vulnerability Factor: Industry-specific risk coefficients are applied to the baseline.
- Dynamic Intelligence: Recalculates every 10 seconds using a weighted random walk with mean reversion toward the baseline, simulating real-world fluctuations in a vendor's posture so that thresholding, alerting and anomaly detection can be exercised without live feeds.
- Thresholding: A score > 70 triggers a "High Risk" alert status automatically.
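The scoring loop above in compact, runnable form. This is an added illustration, not code from the CRAG repository: the README fixes only the 0–100 scale, the 10-second recalculation, the mean-reverting random walk and the > 70 threshold, so the criticality weights, category coefficients, reversion/volatility parameters, the edge-triggered alert rule and the `AuditLog` class are all assumptions made for this example.

```python
"""Toy model of the CRAG scoring loop: criticality/category baseline,
mean-reverting random walk, the > 70 "High Risk" threshold and an
append-only audit ledger. Added illustration, not CRAG's own code; every
coefficient below is an assumption chosen for the demo."""
import random
from dataclasses import dataclass, field

HIGH_RISK_THRESHOLD = 70  # README: score > 70 => "High Risk"

# Assumed weights (not taken from the project): criticality sets the
# baseline level, category applies an industry coefficient on top.
CRITICALITY_BASELINE = {"Mission-Critical": 65.0, "Low Business Impact": 25.0}
CATEGORY_COEFFICIENT = {"Finance": 1.2, "Cloud": 1.15, "Marketing": 0.9}


@dataclass
class Vendor:
    name: str
    category: str
    criticality: str
    score: float = 0.0
    high_risk: bool = False


def baseline_score(vendor: Vendor) -> float:
    """Level the random walk reverts to: criticality weight x category
    coefficient, clamped to the 0-100 scale."""
    base = CRITICALITY_BASELINE[vendor.criticality] * CATEGORY_COEFFICIENT[vendor.category]
    return min(100.0, max(0.0, base))


def next_score(current, baseline, rng, reversion=0.2, volatility=5.0):
    """One tick of a mean-reverting random walk: move a `reversion`
    fraction of the way toward baseline, add Gaussian noise, clamp."""
    drift = reversion * (baseline - current)
    noise = volatility * rng.gauss(0.0, 1.0)
    return min(100.0, max(0.0, current + drift + noise))


@dataclass
class AuditLog:
    """Append-only ledger: callers can add events but get no handle to
    edit or delete existing ones (application-level, not cryptographic)."""
    _events: list = field(default_factory=list)

    def append(self, actor, action, detail):
        self._events.append({"seq": len(self._events) + 1, "actor": actor,
                             "action": action, "detail": detail})

    def events(self):
        return tuple(self._events)  # read-only snapshot


def tick(vendor, log, rng, **walk):
    """Recalculate one vendor and alert only on the crossing into High Risk
    (edge-triggered), so a vendor that sits above 70 does not re-alert on
    every 10-second tick. The clearing edge is logged too."""
    old = vendor.score
    vendor.score = next_score(old, baseline_score(vendor), rng, **walk)
    log.append("system", "score_update", f"{vendor.name}: {old:.1f} -> {vendor.score:.1f}")
    now_high = vendor.score > HIGH_RISK_THRESHOLD
    was_high = vendor.high_risk
    vendor.high_risk = now_high
    if now_high and not was_high:
        log.append("system", "alert", f"{vendor.name} HIGH RISK ({vendor.score:.1f})")
        return "HIGH_RISK"
    if was_high and not now_high:
        log.append("system", "alert_cleared", f"{vendor.name} back below threshold")
        return "CLEARED"
    return None


def simulate(vendor, ticks, seed=0, **walk):
    """Run `ticks` recalculations. random.Random is acceptable here because
    the output is a simulation, not a security decision; never use it for keys."""
    rng = random.Random(seed)
    log = AuditLog()
    alerts = [a for a in (tick(vendor, log, rng, **walk) for _ in range(ticks)) if a]
    return alerts, log


if __name__ == "__main__":
    v = Vendor("acme-pay", "Finance", "Mission-Critical")  # constructed sample vendor
    alerts, log = simulate(v, 30)
    print(alerts)
    for e in log.events():
        print(e)
```

The edge-triggered rule is the practical detail to get right: a vendor parked at 85 would otherwise raise a fresh alert every 10 seconds, and logging the clearing edge as well keeps the ledger consistent with the dashboard's alert state. With `reversion=1.0, volatility=0.0` the walk collapses to the baseline in one tick, which is what the assertions below use to make the behaviour deterministic.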
| Phase | Status | Focus |
|---|---|---|
| Phase 1: Prototype | ✅ Current | Core engine, automated scoring, real-time dashboards, and local audit trails. |
| Phase 2: MVP | 🏗️ Planned | Multi-tenancy, external security API integrations, and advanced reporting. |
| Phase 3: Enterprise | 🔮 Future | Blockchain-backed immutable auditing and predictive AI for proactive risk mitigation. |
As of the current Phase 1 Prototype, the following core features have been successfully implemented and validated:
- Centralized Vendor Registry: Fully functional vendor onboarding system capturing critical metadata (Category, Criticality, Domain).
- Interactive Risk Dashboard: Comprehensive UI with real-time KPI cards and risk distribution charting (Chart.js integration).
- Dynamic Risk Simulation Engine: APScheduler-driven backend recalculating scores every 10 seconds based on weighted random-walks.
- Automated Alerting Pipeline: Instant threshold detection that accurately logs High-Risk events (Score > 70).
- Append-Only Audit Logging: Ledger recording all state changes and system actions; append-only is enforced at the application layer in Phase 1 (no cryptographic chaining, which is a Phase 3 item).
- Role-Based Views: Differentiated access and visibility between System Administrators and Vendor Partners.
- Refined SaaS UI/UX: Professional, glassmorphism-styled frontend with system architecture diagrams and technical documentation panes.
Next Steps: Preparing for Phase 2 MVP by transitioning from simulated risk scores to integrating external live security feeds and threat intelligence APIs.
- Frontend: HTML5 (Semantic Structure), Vanilla CSS (Glassmorphism UI), JavaScript (ES6+ Logic), Chart.js (Data Visualization).
- Backend: Python 3.10+, FastAPI (Asynchronous API), SQLAlchemy (ORM).
- Database: SQLite (Robust local storage).
Ensure you have Python 3.10 or higher installed.
```bash
git clone https://github.com/ganeshkrishnareddy/CRAG
cd CRAG
cd backend
python -m venv venv
source venv/bin/activate   # On Windows: venv\Scripts\activate
pip install -r ../requirements.txt
python main.py
```

The backend will start on http://localhost:8000.
You can serve the frontend directory using any static server or simply open frontend/index.html in your browser. Alternatively, the FastAPI backend is configured to serve static files from the /frontend directory, which keeps the UI and the API on the same origin and avoids the need for a permissive CORS policy.
Distributed under the MIT License. See LICENSE for more information.
P Ganesh Krishna Reddy
Full-Stack Developer & Cybersecurity Researcher
- Email: crag.monitor@gmail.com
- Portfolio: pganeshkrishnareddy.vercel.app
- LinkedIn: in/pganeshkrishnareddy
Built with ❤️ for AI-Powered Security Governance.