Riskready Community
The first open-source GRC platform with autonomous AI agents
Get running
```bash
git clone https://github.com/riskreadyeu/riskready-community.git
cd riskready-community
cp .env.example .env        # edit: POSTGRES_PASSWORD, JWT_SECRET, ADMIN_EMAIL, ADMIN_PASSWORD
docker compose up -d        # first run ~3 minutes
open http://localhost:9380  # log in as ciso@clearstream.ie / password123
```
Requires Docker 24+ with Compose v2. Linux, macOS, or Windows (WSL2).
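The `.env` step above is the one place where a default left in place hands over the whole platform: `JWT_SECRET` signs every session token, and the seeded `password123` is a published credential. The following pre-flight check is an added example, not part of Riskready; the four variable names come from the quickstart comment, while the placeholder list, the 32-character minimum for `JWT_SECRET` and the 12-character minimum for `ADMIN_PASSWORD` are assumptions for illustration.

```typescript
// Added example (not Riskready code): validate the .env produced by
// `cp .env.example .env` before `docker compose up -d`.
export interface EnvIssue { key: string; problem: string }

// Variable names from the quickstart comment; thresholds below are assumed.
const REQUIRED = ["POSTGRES_PASSWORD", "JWT_SECRET", "ADMIN_EMAIL", "ADMIN_PASSWORD"] as const;
const PLACEHOLDERS = new Set(["changeme", "password", "password123", "secret", "example"]);
const MIN_JWT_SECRET = 32;   // assumed: 256 bits of HMAC key material
const MIN_ADMIN_PASSWORD = 12;

// Minimal dotenv parser: KEY=value lines, optional single/double quotes,
// `#` comments and blank lines. `export KEY=` and inline comments are not handled.
export function parseDotenv(text: string): Map<string, string> {
  const env = new Map<string, string>();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    env.set(key, value);
  }
  return env;
}

// Returns every problem found; an empty array means the file passed.
export function checkEnv(text: string): EnvIssue[] {
  const env = parseDotenv(text);
  const issues: EnvIssue[] = [];
  for (const key of REQUIRED) {
    const value = env.get(key);
    if (!value) { issues.push({ key, problem: "missing or empty" }); continue; }
    if (PLACEHOLDERS.has(value.toLowerCase())) issues.push({ key, problem: "placeholder value" });
  }
  const jwt = env.get("JWT_SECRET") ?? "";
  if (jwt && jwt.length < MIN_JWT_SECRET) {
    issues.push({ key: "JWT_SECRET", problem: `only ${jwt.length} chars, want >= ${MIN_JWT_SECRET}` });
  }
  const admin = env.get("ADMIN_PASSWORD") ?? "";
  if (admin && admin.length < MIN_ADMIN_PASSWORD) {
    issues.push({ key: "ADMIN_PASSWORD", problem: `only ${admin.length} chars, want >= ${MIN_ADMIN_PASSWORD}` });
  }
  const email = env.get("ADMIN_EMAIL") ?? "";
  if (email && !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    issues.push({ key: "ADMIN_EMAIL", problem: "not an email address" });
  }
  return issues;
}
```

Run it against the file before the first `docker compose up -d`; once the containers have started, the admin account and the JWT signing key are already in use, and rotating them is an admin task rather than an edit.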
What this is
9 MCP servers expose 254 tools that connect Claude directly to your compliance database: risks, controls, policies, incidents, audits, evidence, ITSM, and organisation governance.
Every AI mutation is proposed, not executed. A human reviews and approves each action before it touches the database. This holds for interactive chat, scheduled runs, and autonomous workflows.
You: "Give me a full security posture assessment."
Agent: convenes the AI Council → 6 specialists analyse in parallel → CISO synthesises → structured report with consensus, dissents, and prioritised actions
Cost: $0.19 on Haiku, $10 on Opus. 96% token reduction via tool search.
Three ways to connect
| Mode | How it works | AI cost to you | Security |
|---|---|---|---|
| Web App | Built-in chat UI with streaming, council, scheduled workflows | You pay per token | 8.1/10 |
| MCP Proxy | Claude Desktop connects remotely via API key: one endpoint, all 254 tools | $0 | 8.9/10 |
| Direct | 9 stdio servers on your machine for local development | $0 | 2.3/10 |
The MCP Proxy is the recommended mode for teams. Each user brings their own Claude subscription. You provide the tools and the security layer. Connection modes compared →
GRC modules
| Module | What it covers |
|---|---|
| Risk Management | Risk register, scenarios, KRIs, tolerance statements, treatment plans |
| Controls | Control library, assessments, Statement of Applicability, gap analysis |
| Policies | Document lifecycle, version control, change requests, reviews, exceptions |
| Incidents | Tracking, classification, response workflows, lessons learned |
| Audits | Internal audit planning, nonconformity tracking, corrective actions |
| Evidence | Collection, file storage, linking to controls, risks, and incidents |
| ITSM | IT asset register, change management, capacity planning |
| Organisation | Structure, departments, locations, committees, key personnel |
AI Agents Council
Complex questions convene 6 specialist agents:
| Agent | Domain |
|---|---|
| Risk Analyst | Risk register, scenarios, KRIs, tolerance, treatments |
| Controls Auditor | Control effectiveness, SOA, assessments, gap analysis |
| Compliance Officer | Policies, frameworks (ISO 27001, DORA, NIS2), governance |
| Incident Commander | Incident patterns, response metrics, lessons learned |
| Evidence Auditor | Evidence coverage, audit readiness, nonconformities |
| CISO Strategist | Cross-domain synthesis; produces the final report |
Each member queries the database independently, then the CISO synthesises. All reasoning is preserved for audit. Benchmarks →
Security
Every AI mutation goes through human approval. No exceptions, no auto-approve, not even for scheduled runs.
The 8-point agent security audit covers:
- Identity & Authorization: per-user API keys with per-tool permission scoping
- Memory: 90-day TTL, injection scanning, org-scoped recall
- Tool Trust: 254 first-party tools, Zod-validated, no third-party MCP servers
- Blast Radius: zero HTTP outbound, rate limiting, scoped API keys
- Human Checkpoints: tiered severity (low/medium/high/critical) on all mutations
- Output Validation: credential scanning, PII redaction, grounding guard
- Cost Controls: token budgets, turn caps, council rate limits
- Observability: tool call logging, behavioral anomaly detection, source tracking
Demo data
First deploy auto-seeds ClearStream Payments Ltd, a fictional European fintech regulated under DORA and NIS2: 15 risks, 30 scenarios, 40 controls, 12 policies, 8 incidents, 20 assets, 5 nonconformities, 20 evidence records, and 6 months of trend data.
Log in as ciso@clearstream.ie / password123 for the most complete view.
Documentation
| Guide | Covers |
|---|---|
| AI Platform Guide | MCP servers, gateway, council, scheduler, workflows, approval pipeline |
| Deployment | Docker setup, env vars, production TLS, troubleshooting |
| User Guide | Web app walkthrough for all 8 GRC modules |
| Connection Modes | Web App vs MCP Proxy vs Direct: feature comparison |
| Agent Security Audit | 8-point framework with per-mode scoring and code references |
| MCP Server Reference | All 254 tools with parameters and examples |
| API Reference | REST endpoints, request/response formats |
| Administration | Backup, monitoring, updates, security hardening |
Development
```bash
docker compose up db -d
cd apps/server && npm install && cp .env.example .env
npx prisma db push --schema=prisma/schema && npm run prisma:seed
npm run dev                                  # backend :4000
cd ../web && npm install && npm run dev      # frontend :5173
```