Vendor Security Questionnaire Manager: Score Third-Party Risk With a Human in Charge
Send a standard security/compliance questionnaire, collect answers and evidence, let AI flag the weak and evasive responses — then a real assessor approves the risk rating before the assessment closes.
A web tool where you send a vendor a standardized questionnaire, the vendor answers and uploads evidence, AI scores each response and flags weak or evasive answers for review, and an assessor approves the final risk rating and records remediations with due dates. The tool then emails the outcome and exports a clean assessment CSV.
Before you start
- A Supabase account (free)
- A Vercel account (free)
- A Resend account (free)
- Your questionnaire (questions plus expected/weighted answers) as a CSV or spreadsheet
- Claude Code or any AI coding agent
The problem this kills
A new vendor is about to touch your data, so you send them a security questionnaire — SIG-lite, a custom security review, whatever your team uses. Weeks later a spreadsheet comes back. Half the answers are "Yes." A few are essays that never actually say yes or no. Some cite a SOC 2 report nobody attached. Now someone on your team has to read every line, decide which answers are real and which are hand-waving, chase the missing evidence, score the whole thing, and write up a risk rating — by hand, in a document, with no consistent rubric and no record of who decided what.
Multiply that by every vendor, every renewal, every tier. The reviews pile up, the scoring drifts depending on who did it, evidence gets lost in email threads, and remediation commitments are forgotten the moment the assessment is "done." The information you need is all there — in the questionnaire, the answers, and the evidence — it just needs something to collect it consistently, pre-score it, and surface the answers a human should look at hardest. You do not need to be a developer to build that something.
What you'll build
A simple internal web tool for your vendor-risk, security, or compliance team. You load your questionnaire — the questions, the expected answers, and how each is weighted. You send a vendor a private link; they answer and upload evidence (policies, certs, SOC 2 reports). The tool scores each response against your expected answers and uses AI to flag the weak, vague, or evasive ones — the "Yes" with no evidence, the non-answer, the answer that contradicts an earlier one — and explains why, in plain English. Then the part that matters: an assessor reviews the scored responses and the AI's concerns and approves the final risk rating (the AI never sets it). They record any required remediations with due dates, the tool emails the outcome to the vendor and your stakeholders via Resend, and exports the full scored assessment as a CSV. Re-assessment is scheduled by tier so nothing falls off the radar.
What's inside the Implementation Plan
The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — which questionnaire you use, how your questions and weights are structured, the risk tiers and rating scale you assess against, who is allowed to approve a rating, your re-assessment cadence, and the messy edge cases (partial answers, "not applicable," evidence that doesn't match the claim). It reads a short spec back to you for a thumbs-up, then builds the tool around your answers instead of a generic template. From there it walks the agent through the data model, loading your questionnaire, the vendor response-and-evidence portal, the scoring-and-flagging engine, the assessor review-and-approve screen, remediation tracking, the outcome email, and the assessment CSV export. Every step ends with a ready-to-copy prompt.
The governance it includes (this is the point)
This isn't a toy. The plan builds in the controls a real risk function needs: login so only your team can use it, row-level security so people only see their own organization's assessments, a complete audit trail of every score, flag, override, and approval (who, what, when, and why), and a hard human-approval gate — AI flags concerns but never sets the final rating; an assessor reviews and approves before the assessment is closed. Remediation commitments are tracked with owners and due dates, and a duplicate guard on the vendor-plus-assessment-cycle key means the same review can't be opened or closed twice. The whole tool exists to make a careful human judgment fast and consistent — the AI raises the concern, a person makes the call.
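To make those controls concrete, here is an added Postgres/Supabase schema sketch (not code from the plan itself) showing how the duplicate guard, the human-approval gate, row-level security and the audit trail can be enforced in the database rather than only in application code. Table names, column names and the `org_members` structure are assumptions; `auth.uid()` is Supabase's current-user function.

```sql
-- Added example, not the plan's own code; table and column names are assumptions.
create table assessments (
  id           uuid primary key default gen_random_uuid(),
  org_id       uuid not null,            -- owning organization
  vendor_id    uuid not null,
  cycle        text not null,            -- e.g. '2025-annual' (constructed value)
  status       text not null default 'open' check (status in ('open', 'in_review', 'closed')),
  ai_rating    text,                     -- AI suggestion only, never authoritative
  final_rating text,                     -- set only by a human assessor
  approved_by  uuid,
  approved_at  timestamptz,
  -- Duplicate guard: one assessment per vendor per assessment cycle.
  constraint one_per_cycle unique (vendor_id, cycle),
  -- Approval gate: a row cannot reach 'closed' without a final rating, an
  -- approver and a timestamp, so AI output alone can never close an assessment.
  constraint closed_needs_approval check (
    status <> 'closed'
    or (final_rating is not null and approved_by is not null and approved_at is not null))
);
-- Org membership consulted by the RLS policy (assumed structure).
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);
-- Row-level security: a user reads and writes only their own org's assessments.
alter table assessments enable row level security;
create policy assessments_own_org on assessments for all
  using (org_id in (select org_id from org_members where user_id = auth.uid()))
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));
-- Audit trail: who changed what, and when, for every insert, update and delete.
create table assessment_audit (
  id         bigint generated always as identity primary key,
  assessment uuid not null,
  actor      uuid,
  action     text not null,
  row_after  jsonb,                      -- null for deletes
  at         timestamptz not null default now()
);
create or replace function log_assessment_change() returns trigger
language plpgsql security definer as $$
begin
  insert into assessment_audit (assessment, actor, action, row_after)
  values (case when tg_op = 'DELETE' then old.id else new.id end,
          auth.uid(), tg_op, to_jsonb(new));
  return null;  -- after-trigger return value is ignored
end $$;
create trigger assessments_audit after insert or update or delete on assessments
  for each row execute function log_assessment_change();
```

The audit table should get its own read-only RLS policy so assessors can review history but nobody can edit or delete it through the app; the "why" of an override belongs in a reason column the approval screen requires before it writes.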
Who it's for
Vendor-risk, security, and compliance teams who assess third parties with questionnaires and are tired of inconsistent scoring, lost evidence, and remediation promises that evaporate. If you can describe your questionnaire and what a "concerning" answer looks like in your world, you can build this.
You've got this — open the plan, paste the first prompt, and you'll be scoring your first real vendor questionnaire this weekend.