What a Cyber Risk Assessment Tool actually does
Automates SOC 2/ISO 27001/NIST CSF gap analysis, vendor-questionnaire response drafting, and board-level risk reports by running policy documents through RAG-powered LLM pipelines — under the consultant's own brand.
A white-label AI cyber risk assessment tool ingests a client's policy documents (security policies, incident response plans, vendor agreements) into a RAG pipeline — Voyage-3-large embeddings ($0.18/M) index the content in pgvector, then Claude Sonnet 4.6 ($3/$15 per M, 1M context) answers NIST CSF/CIS Controls/ISO 27001 control questions directly from the policy corpus. The highest-value feature is vendor-questionnaire auto-response: when a client receives a 200-question security questionnaire from a prospect, the platform drafts answers by mapping each question against the indexed policy library and generating appropriately hedged responses with citation references. Executive risk summaries are generated by Sonnet 4.6 multi-document synthesis and delivered as PDF-ready reports. DeepSeek V4 Flash ($0.14/$0.28 per M) handles high-volume threat-intel feed categorization (AlienVault OTX, MISP) for the risk-register auto-population feature.
The market signal in mid-2026 is the convergence of three demand drivers: EU AI Act high-risk conformity assessments (in force Aug 2, 2026) are net-new compliance work with no entrenched WL SaaS competitor; the SEC cybersecurity disclosure rule (effective 2024) requires material cyber incidents to be disclosed within 4 days, creating ongoing documentation pressure; and the talent shortage in cyber risk means vCISO consultants are managing 8–15 clients simultaneously — any tool that drafts questionnaire responses, generates gap reports, and produces board decks in minutes rather than days directly expands their billable capacity.
AI capabilities involved
Vendor-questionnaire auto-response from policy document RAG
NIST CSF / CIS Controls / ISO 27001 gap analysis
Executive risk summary generation
Threat-intel feed categorization for risk-register auto-population
EU AI Act conformity-assessment drafting
Who uses this
- vCISO consultants managing 5–20 mid-market clients ($10M–$500M revenue) preparing for SOC 2 Type II or ISO 27001 audits
- Cyber-risk advisory firms that provide quarterly risk assessments and want to automate the evidence-gathering and report-drafting workload
- Compliance consultancies bundling GRC tooling with their audit-prep services for SMB clients
- GRC-as-a-service vendors serving regulated-industry clients (healthcare, finance, SaaS) who need continuous compliance monitoring
SaaS alternatives on the market
Real products you can sign up for today — with current 2026 pricing, honest pros and cons.
Vanta
vCISO consultants managing 5+ SOC 2 audits simultaneously who want automated evidence collection and can accept Vanta branding
Demo available
$4,000/yr (Startup)
$25,000+/yr (Enterprise, custom controls)
Pros
- +Native integrations with 200+ cloud services for automated evidence collection (AWS, GCP, Azure, GitHub, Okta, etc.)
- +SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR — all in one platform with shared evidence reuse
- +MSP partner program with multi-customer management and consolidated reporting
- +Questionnaire automation (Vanta AI) is available but limited to pre-mapped control answers, not free-form policy RAG
Cons
- −Vanta branding remains in all client-facing interfaces — MSP program is co-branded, not fully rebrandable
- −Questionnaire automation quality is limited — answers are pre-written by Vanta, not generated from the client's actual policy library
- −Annual contract with minimum seats is inflexible for consultancies with variable client counts
- −No EU AI Act conformity-assessment support — the newest compliance requirement is absent
Drata
Compliance consultancies serving enterprise clients with multiple simultaneous framework requirements who want continuous monitoring rather than point-in-time assessments
$7,500+/yr
Custom (unlimited frameworks)
Pros
- +Best-in-class monitoring agent with continuous control testing — policies aren't just documented, they're continuously verified
- +Partner program with multi-customer management and white-glove onboarding support for MSPs
- +AI-powered gap analysis against 20+ frameworks including NIST CSF 2.0 and new EU AI Act controls
- +Automated security review workflows that streamline vendor questionnaire intake (not auto-response)
Cons
- −No true white-label — partner program co-brands dashboards but Drata branding remains in email notifications and system URLs
- −$7,500+/yr entry price is higher than Vanta — harder to justify for clients with simple single-framework needs
- −Questionnaire response drafting is still manual — Drata helps you collect evidence but doesn't auto-generate the answers
- −Complex multi-framework organizations can create confusing overlap in control mappings requiring significant configuration
SecurityScorecard
Risk consultants who need continuous third-party vendor risk monitoring as an add-on to their GRC-lite platform rather than a standalone product
$9,500+/yr
Pros
- +Outside-in risk scoring based on observable threat intelligence rather than self-attestation — credible to boards and auditors
- +Continuous monitoring of vendor ecosystems — useful for risk consultants managing supply-chain risk for clients
- +Rated A–F grades are instantly understandable to non-technical executives without training
- +Integration with popular GRC tools for importing scores into risk registers
Cons
- −No white-label resell tier — SecurityScorecard brand is central to the product's credibility proposition
- −Outside-in only — does not review internal policies or generate compliance documentation
- −Scores can flag false positives that require manual remediation guidance — creates client management overhead
- −No questionnaire automation — purely a risk-scoring and monitoring product
The AI stack
The core AI stack for cyber risk assessment is a RAG pipeline over policy documents, not a generative-first architecture. The quality of the embeddings (Voyage-3-large is best-in-class for legal/compliance document retrieval) determines 80% of output quality. The LLM layer (Sonnet 4.6) handles reasoning and citation — but if the retrieval misses the relevant policy clause, no amount of reasoning recovers it.
Policy document embeddings
Index client policy documents (SOC 2 policies, incident response plans, vendor agreements) into a per-tenant vector store for retrieval
Voyage-3-large
$0.18/M tokens (embedding ingest)All compliance and policy document RAG — the quality difference is material for questionnaire response accuracy
text-embedding-3-small
$0.02/M tokensCost-sensitive use cases where questionnaire accuracy is less critical than cost (e.g., internal documentation search, not client-facing compliance output)
Our pick: Voyage-3-large for all client-facing policy RAG. text-embedding-3-small only for internal search features where accuracy tolerance is higher.
Questionnaire response and gap analysis
Answer NIST CSF / CIS Controls / ISO 27001 / SOC 2 TSC questions and vendor questionnaire items using retrieved policy context
Claude Sonnet 4.6
$3/$15 per M; ~$0.014 per questionnaire section (T1 row 17: 2,600 in + 400 out)All questionnaire response drafting and gap analysis — this is the highest-stakes output and quality cannot be compromised
Mistral Large 3
$0.50/$1.50 per MEU clients with data residency requirements where Sonnet's US routing is unacceptable
Our pick: Sonnet 4.6 as default. Mistral Large 3 for EU clients with data residency requirements in GDPR-sensitive contexts.
Threat-intel categorization
Process AlienVault OTX and MISP threat-intel feeds to auto-populate the risk register with relevant threat categories and severity scores
DeepSeek V4 Flash
$0.14/$0.28 per M tokens; ~$0.0001 per threat-intel itemHigh-volume threat-intel processing for commercial clients where data residency is not a requirement
Claude Haiku 4.5
$1/$5 per MGovernment, defense-adjacent, or healthcare clients where US-only data residency is required
Our pick: DeepSeek V4 Flash for commercial clients. Haiku 4.5 for any client with government, HIPAA, or FedRAMP requirements.
Executive risk summary and board reporting
Generate board-level risk summaries from gap analysis results, control status, and threat-intel feed aggregates
Claude Sonnet 4.6
$3/$15 per M; ~$0.022 per executive summary (T1 row 16: 12,000 in + 400 out)All board-level and C-suite risk reports where language quality and framing matter
Gemini 3.5 Flash
$1.50/$9 per MHigh-frequency operational summaries (weekly KRI dashboards) where board-quality prose is not required
Our pick: Sonnet 4.6 for quarterly board reports. Gemini 3.5 Flash for weekly operational risk dashboards and KRI summaries.
Reference architecture
The platform is a document-ingest → RAG-query → structured-output pipeline with a per-tenant namespace in pgvector. The critical design decision is embedding namespace isolation: each client's policy library must be queryable only by that client's Supabase tenant, enforced at the RLS level on the embeddings table. The hardest engineering challenge is maintaining embedding freshness — when a client updates a policy, the relevant embeddings must be re-indexed before the next questionnaire response uses stale context.
Policy document upload and processing
Next.js upload UI + Supabase Storage + Edge FunctionClient uploads PDF/DOCX policy documents. Edge function extracts text, chunks documents into 512-token overlapping segments, and sends to Voyage-3-large for embedding. Vectors stored in per-tenant pgvector table with document_id, chunk_index, and metadata (doc_title, framework_tag, last_updated).
Framework mapping and control tagging
Claude Sonnet 4.6 edge functionEach uploaded policy is analyzed by Sonnet 4.6 against the selected compliance frameworks (SOC 2 TSC, NIST CSF 2.0, CIS Controls v8, ISO 27001). The model tags each document chunk with relevant control IDs and stores mappings in a control_coverage table. This creates a control-coverage heat map showing which policies cover which controls.
Questionnaire intake and question parsing
Questionnaire upload UI + GPT-5.4 mini parsing edge functionClient pastes or uploads a vendor security questionnaire (Excel, PDF, or text). GPT-5.4 mini parses the questionnaire into structured question objects (question_text, required_framework, expected_response_type) and stores in the questionnaires table.
RAG retrieval per question
Voyage-3-large similarity search (pgvector)For each question, a vector similarity search retrieves the 5 most relevant policy chunks from the client's namespace. Retrieval uses cosine similarity with a 0.75 minimum threshold — questions with no relevant policy coverage are flagged as gaps rather than hallucinated with generic responses.
Answer drafting with citation
Claude Sonnet 4.6 edge functionSonnet 4.6 receives the question, 5 retrieved policy chunks, and a structured prompt requiring it to: (1) draft a response based only on the retrieved context, (2) cite the specific policy section, (3) flag if the retrieved context is insufficient, (4) suggest a remediation action if a gap is detected. Output stored in question_responses table.
Gap analysis report generation
Claude Sonnet 4.6 multi-document synthesis edge functionAfter questionnaire processing completes, Sonnet synthesizes the flagged gaps into a prioritized remediation report with estimated effort estimates and risk severity. Report is stored as structured JSON and rendered as a PDF-ready HTML document.
Board-level executive summary
Claude Sonnet 4.6 edge function + PDF exportSonnet generates a 1–2 page executive summary from the gap analysis, KRI dashboard data, and threat-intel feed aggregates. The summary uses board-appropriate language (avoids technical jargon, leads with business risk, quantifies financial exposure where possible). Exported as a branded PDF under the consultant's logo.
Estimated cost per request
~$0.014 per questionnaire section (Sonnet 4.6, T1 row 17); ~$0.022 per executive risk summary (Sonnet 4.6, T1 row 16); ~$0.0001 per threat-intel item categorization (DeepSeek V4 Flash); a 200-question questionnaire + 1 board summary costs approximately $3 per client per cycle
Cost calculator
Drag the sliders to model your actual usage. The numbers update in real time so you can stress-test economics before writing a single line of code.
Model assumes a vCISO firm with 10 client tenants, each uploading 20 policy documents and receiving 2 vendor questionnaires (200 questions each) per month plus 1 quarterly board report. Adjust for client count and questionnaire volume.
Estimated monthly cost
$66.02
≈ $792 per year
Calculator notes
- Embedding ingest is a one-time cost per document — re-embedding only occurs when policies are updated (assumed quarterly); fixed cost shown is amortized monthly
- Questionnaire drafting cost: $0.014/section × questions_per_questionnaire × questionnaires_per_client × client_count; at 10 clients × 2 questionnaires × 200 questions = $56/mo
- Does not include Voyage-3-large query-time embedding costs (negligible at $0.18/M × 5 chunks × 200 questions = $0.18 per questionnaire cycle per client)
- SOC 2 audit for the platform itself ($30K–$50K one-time) is not included in the monthly estimate
Build it yourself with vibe-coding tools
You can have a working 50-question questionnaire-response demo with policy RAG running by Sunday night — enough to show a potential client how the platform drafts answers from their own policy library. Single-tenant, no client isolation, no SOC 2 controls — strictly a validation prototype.
Time to MVP
12–16 hours (1 weekend)
Total cost to MVP
$25 Lovable Pro + $40 Sonnet/Voyage-3-large credits
You'll need
Starter prompt
Build a white-label AI cyber risk assessment tool. Use Vite + React + TypeScript + Tailwind CSS + Supabase. Core features: 1. Document upload: drag-and-drop PDF/text upload for security policies. On upload, call a Supabase Edge Function that extracts text (use basic text extraction for now), chunks it into 512-character overlapping segments, and embeds each chunk using Voyage-3-large API. Store vectors in a Supabase pgvector table: 'policy_chunks' with columns: id, tenant_id, document_id, chunk_text, embedding (vector(1024)), doc_title. 2. Questionnaire intake: a textarea where the user pastes questionnaire questions (one per line). A 'Process Questionnaire' button calls an edge function that: (a) embeds each question using Voyage-3-large, (b) runs pgvector similarity search to retrieve 5 most relevant policy chunks per question (cosine similarity), (c) sends question + retrieved chunks to Claude Sonnet 4.6 to draft a response with citation, (d) stores results in 'question_responses' table. 3. Results dashboard: a table showing each question, the drafted answer, the cited policy section, and a gap flag (true if Sonnet flagged insufficient policy coverage). Allow export as CSV. 4. Supabase Auth: email+password. Basic RLS on policy_chunks and question_responses by tenant_id. Use Supabase Edge Functions for all API calls (Voyage, Sonnet) — never call external APIs from the frontend. Add a banner: 'This is a proof-of-concept. Production builds require per-tenant namespace isolation and SOC 2 controls.'
Paste this into Lovable
Follow-up prompts (run in order)
- 1
Add NIST CSF 2.0 framework mapping: after document upload, call Sonnet 4.6 to tag each policy chunk with relevant NIST CSF control IDs (from a hardcoded control list). Display a coverage heat map showing which control families have policy coverage and which have gaps.
- 2
Add a gap analysis report generator: after questionnaire processing, call Sonnet 4.6 with all flagged gaps as input and generate a structured remediation report (gap description, recommended policy language, estimated effort: low/medium/high). Display as a formatted document and add a 'Download PDF' button using browser print.
- 3
Add threat-intel feed processing: a manual input where the user can paste 10–20 threat-intel items (one per line). Call DeepSeek V4 Flash to categorize each by threat type and severity and add to a simple risk register table (threat, category, severity, date_added).
- 4
Add EU AI Act conformity-assessment template: add a new questionnaire type 'EU AI Act Article 9 Assessment' with pre-populated questions from the Act's Annex IV documentation requirements. The RAG pipeline answers from the policy library; questions with no policy coverage are flagged as required new documentation.
Expected output
A working policy-upload and questionnaire-response tool that demonstrates RAG-powered answer drafting with Voyage-3-large + Sonnet 4.6. Sufficient for a client demo showing 50–100 questions answered with policy citations — not production-ready for real client data.
Known gotchas
- !pgvector in Supabase requires the extension to be manually enabled in the SQL Editor — Lovable will not enable it automatically and the edge function will fail silently if it's missing
- !Voyage-3-large produces 1024-dimensional vectors — ensure your pgvector column is created with vector(1024), not the default vector(1536) that OpenAI embeddings use
- !Sonnet 4.6's questionnaire response quality degrades sharply when the retrieved policy chunks are not directly relevant — implement a minimum similarity threshold (0.75) and return 'No policy coverage found' rather than hallucinating answers
- !PDF text extraction is the hardest part of the pipeline — Lovable will not generate a working PDF extractor out of the box; use the PDF2JS or pdf-parse npm package in the edge function
- !Per-tenant namespace isolation requires that every pgvector query includes a WHERE tenant_id = auth.uid() condition — if this is missing, clients can retrieve each other's policy chunks
- !Voyage-3-large embedding ingest is slow at scale (5–10 seconds per document) — implement a background job pattern rather than blocking the upload response
Compliance & risk reality check
A cyber risk assessment tool that handles clients' security policies, audit evidence, and questionnaire responses holds some of the most sensitive competitive-intelligence documents in a company's possession. The platform's own compliance posture directly affects whether enterprise clients will trust it with their data.
SOC 2 Type II
Every mid-market and enterprise client RFP will ask for the platform's SOC 2 Type II report. Security policies uploaded by clients are trade secrets — the audit covers how these are stored, isolated, accessed, and retained. Without SOC 2, the sales cycle for any client above 100 employees is effectively blocked.
Mitigation: Use Vanta ($4K–$25K/yr) or Drata ($7,500+/yr) to automate evidence collection during the build phase. Vanta monitors Supabase, Vercel, and GitHub configurations continuously. Start the SOC 2 observation period (minimum 6 months) at platform launch — audit typically takes 2–3 months after observation completes.
Per-tenant data isolation on uploaded policy documents
Security policies contain competitive intelligence — undisclosed vulnerabilities, vendor negotiations, and internal risk thresholds. Cross-tenant contamination (client A's policy showing up in client B's questionnaire responses) is a material breach that ends both client relationships and potentially triggers breach notification obligations.
Mitigation: Enforce per-tenant namespace isolation at the database level via Supabase RLS: every query against the policy_chunks and question_responses tables must include a tenant_id predicate enforced by auth.uid() binding. Test isolation by creating two demo tenants with different policy libraries and verifying zero cross-retrieval using automated tests in CI.
HIPAA BAA for healthcare clients
Healthcare clients' security policies may reference PHI-adjacent systems (EHR configurations, HIPAA risk assessments). If a covered entity or business associate uploads documentation that references PHI, the platform becomes a business associate and requires a HIPAA BAA.
Mitigation: Route all LLM calls for healthcare clients through AWS Bedrock (Claude Sonnet 4.6 is available on Bedrock) where a single AWS BAA covers the model. Document the Bedrock routing in the client BAA. Alternatively, Anthropic offers direct BAA agreements — contact their enterprise team.
GDPR data processing agreement for EU clients
EU clients uploading security policies that reference employee data, system configurations with personal data, or vendor agreements with EU data subjects require a GDPR data processing agreement. The platform is a data processor under Article 28.
Mitigation: For EU clients, route LLM calls through Mistral Large 3 (native EU data residency) or AWS Bedrock EU regions (Frankfurt/Ireland). Execute a GDPR DPA with all EU clients before onboarding. Supabase offers EU-region deployment (Frankfurt) for database and storage.
EU AI Act conformity-assessment liability
From August 2, 2026, EU AI Act conformity assessments for high-risk AI systems require documented human oversight and professional review. If the platform generates conformity-assessment drafts for clients' AI systems, those outputs influence regulatory filings — outputs must be clearly marked as AI-assisted drafts requiring professional review.
Mitigation: Add mandatory AI-output disclosure to all generated compliance documents: 'This document was drafted with AI assistance and requires review by a qualified compliance professional before submission to regulatory authorities.' Implement a formal review workflow where consultants must mark documents as 'reviewed' before clients can download them.
Build vs buy: the real math
10–14 weeks
Custom build time
$30,000–$60,000
One-time investment
3–6 months
Breakeven vs buying
A vCISO firm managing 10 clients at $4,000/mo retainer ($480K ARR) pays $30K–$60K for a custom GRC-lite platform. Vanta MSP at $5K/client/yr for 10 clients = $50K/yr for a co-branded product that doesn't automate questionnaire responses. A custom build saves $50K/yr in Vanta fees while adding the highest-ROI feature Vanta doesn't have (questionnaire RAG auto-response). The platform cost recovers in 3–6 months and drops the AI COGS to $56/mo for all 10 clients' questionnaire processing. As Sonnet 4.6 pricing continues to fall (67% price reduction since Opus 4.1 in late 2025), the AI COGS portion trends toward negligible — the fixed infrastructure costs ($70–$90/mo) dominate.
Skip the DIY — RapidDev builds the production version
A Lovable MVP gets you a demo. Production needs auth that doesn't leak data, AI calls that don't bankrupt you, observability when models drift, and code you can audit. That's what we ship.
Discovery call (free)
30 minWe map your exact Cyber Risk Assessment Tool use case: who uses it, target volume, AI model choice, integrations, compliance scope. You get a detailed scope document and fixed-price quote within 48 hours.
AI-accelerated build
10–14 weeksOur engineers use Claude Code, Lovable, and custom tooling to ship 3–5x faster than agencies. You see weekly progress in a staging environment — not a black box.
Launch + handoff
1 weekWe deploy to your infrastructure, transfer the GitHub repo, set up CI/CD and monitoring, and train your team. You own 100% of the source code, prompts, and model configurations.
What you get
Timeline
10–14 weeks
Investment
$30,000–$60,000
vs SaaS
ROI in 3–6 months
30-min call. Fixed-price quote within 48 hours. No commitment.
Frequently asked questions
How much does it cost to build a white-label cyber risk assessment tool?
RapidDev estimates $30,000–$60,000 for a production-grade GRC-lite platform with questionnaire RAG automation, NIST CSF gap analysis, and per-tenant isolation. This is above the standard $13K–$25K band because the compliance domain scope (SOC 2, HIPAA, EU AI Act) requires security-architecture review and the Voyage-3-large + pgvector RAG pipeline has more engineering complexity than standard LLM integrations. SOC 2 Type II audit for the platform itself is an additional $30K–$50K and 6–9 months.
How long does it take to ship a cyber risk assessment platform?
Engineering takes 10–14 weeks for a production-grade platform. The SOC 2 observation period (6 months minimum) should start at platform launch, not after — the audit itself takes 2–3 months after the observation period. Practical timeline to first enterprise client: 12–16 weeks from project kickoff; first SOC 2 certification: 9–12 months from launch.
Can RapidDev build a cyber risk assessment platform for my consulting firm?
Yes — RapidDev has shipped 600+ applications and 200+ AI implementations in production including security and compliance tooling. For cyber risk platforms, we recommend a free 30-minute consultation to scope the compliance framework coverage and per-tenant architecture before committing to a build. The framework mix (SOC 2 vs ISO 27001 vs NIST AI RMF) significantly affects the RAG corpus design and the build timeline.
How accurate is AI-generated vendor questionnaire response drafting?
Accuracy depends almost entirely on the quality of the indexed policy library. With a complete policy library (security policy, access control policy, incident response plan, vendor management policy, risk assessment), Sonnet 4.6 achieves 85–90% accuracy on standard SIG/VSAQ questionnaire items based on internal benchmarks. The remaining 10–15% are either gaps (no policy covers the control) or questions requiring human judgment about implementation specifics. Every response requires a human QA review before sending — the AI eliminates the blank-page problem, not the review step.
Does the EU AI Act require me to do anything different for EU clients?
Two things: first, data residency — EU clients' policy documents should be processed through Mistral Large 3 (native EU residency) or AWS Bedrock EU regions, not Anthropic's US-default API endpoint. Second, disclosure — any AI-generated conformity-assessment drafts for EU AI Act compliance must be marked as AI-assisted and reviewed by a qualified professional before regulatory submission. The EU AI Act (in force Aug 2, 2026) classifies AI systems used in consequential compliance decisions as high-risk, with human oversight requirements that your review workflow must enforce.
Should I start with Vanta resell or build a custom platform?
Start with Vanta resell if you have fewer than 5 clients and want to validate demand before committing to a build. Vanta's MSP program gives you multi-customer management and evidence automation in 2 weeks. Move to a custom build when: (a) you reach 8–10 clients and Vanta fees exceed $40K/yr, (b) clients are asking for questionnaire response automation that Vanta doesn't provide, or (c) you want a fully branded product that isn't co-branded with a vendor. The two paths aren't mutually exclusive — use Vanta for SOC 2 compliance tracking while the custom platform handles questionnaire automation.
Want the production version?
- Delivered in 10–14 weeks
- You own 100% of the code
- AI cost monitoring built in
30-min call. No commitment.
