Version 2.5.8 · TPRM & GRC Platform

Free, Open-Source TPRM & GRC Platform

Fair TPRM is free, open-source software that unifies third-party risk management, GRC compliance, FAIR risk quantification, and continuous security monitoring in a single self-hosted platform. No license fees, no vendor lock-in — enterprise-grade TPRM and GRC capabilities for security teams of any size and budget. Download the source and deploy on-prem, or try the free demo.

  • 9 Compliance Frameworks
  • 170+ Unified Assessment Questions
  • 14 Security Domains
  • AES-256 Encryption at Rest & PQ-Safe in Transit

The Problem with Multi-Tool Risk and Compliance

Vendor risk and compliance programs typically stitch together five or more disconnected systems. The result is data silos, manual reconciliation, duplicate questionnaires, and gaps that auditors find.

The Typical Approach

Most organizations cobble together a patchwork of tools to manage third-party risk and GRC compliance: one platform for vendor onboarding, another for security questionnaires, a separate GRC tool for compliance tracking, spreadsheets for FAIR analysis, and email chains for annual reviews.

  • 5–7 separate tools for TPRM and GRC with no shared data model
  • Manual exports between vendor risk and compliance platforms
  • Duplicate questionnaires across compliance frameworks
  • No single audit trail spanning vendor risk and internal compliance
  • Integration maintenance becomes a job in itself
  • Context switching between separate TPRM and GRC consoles

The Fair TPRM Approach

Fair TPRM was built from the ground up as one unified platform. Vendor risk management, GRC compliance, risk quantification, security monitoring, and lifecycle governance all share the same database, the same permission model, and the same audit log.

  • Single platform covering TPRM and GRC in one interface
  • One shared database — vendor risk, compliance, and controls share data
  • 170+ unified questions map to 9 compliance frameworks simultaneously
  • Complete audit trail across vendor management and compliance
  • Zero integration overhead — everything is native
  • Deploy once, manage vendor risk and compliance from one console

One Platform. Every Capability.

Purpose-built for organizations that need to manage vendor risk, track compliance across multiple frameworks, and quantify cyber risk financially — without stitching together a dozen tools.

Multi-Framework GRC Compliance

Manage compliance for SOC 2, ISO 27001, PCI DSS, NIST CSF, CMMC, HIPAA, CIS Controls, NIST 800-171, and the NIST AI Risk Management Framework simultaneously. Answer once, score everywhere — no duplicate questionnaires across frameworks.

Unified Assessment Engine

170+ security questions across 14 domains map to requirements in every supported framework. Complete one assessment and automatically calculate compliance percentages for SOC 2, ISO 27001, PCI DSS, NIST AI RMF, and more.
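The "answer once, score everywhere" mechanism described above, as an added illustration in Python (not Fair TPRM's own code): a small question bank maps each question to the requirements it evidences in several frameworks, one answer set is scored into a per-framework percentage, and zero-credit requirements are listed as gaps. Question IDs, domains and requirement IDs are constructed for the example.

```python
"""'Answer once, score everywhere': one answer set scored against several
frameworks through a question-to-requirement map. Constructed illustration,
not Fair TPRM's own code; question IDs, domains and requirement IDs are made up."""
from dataclasses import dataclass, field

@dataclass
class Question:
    qid: str
    domain: str
    mappings: dict = field(default_factory=dict)  # framework -> requirement IDs

# Constructed question bank (a real bank has 170+ entries across 14 domains).
QUESTIONS = [
    Question("Q1", "Access Control", {"SOC2": ["CC6.1"], "ISO27001": ["A.5.15"], "PCI": ["7.2"]}),
    Question("Q2", "Access Control", {"SOC2": ["CC6.1"], "ISO27001": ["A.5.17"]}),
    Question("Q3", "Encryption", {"SOC2": ["CC6.7"], "ISO27001": ["A.8.24"], "PCI": ["3.5", "4.2"]}),
    Question("Q4", "Logging", {"SOC2": ["CC7.2"], "ISO27001": ["A.8.15"], "PCI": ["10.2"]}),
    Question("Q5", "AI Governance", {"AIRMF": ["GOVERN 1.1"]}),
]
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}  # an unanswered question counts as "no"

def requirement_credit(questions, answers):
    """Map (framework, requirement) -> best credit among the questions mapped to it,
    so a requirement covered by two questions is counted once, not twice."""
    per_req = {}
    for q in questions:
        credit = CREDIT.get(answers.get(q.qid, "no"), 0.0)
        for fw, reqs in q.mappings.items():
            for r in reqs:
                per_req[(fw, r)] = max(per_req.get((fw, r), 0.0), credit)
    return per_req

def score_frameworks(questions, answers):
    """Compliance percentage per framework, all derived from a single answer set."""
    totals = {}
    for (fw, _), credit in requirement_credit(questions, answers).items():
        got, n = totals.get(fw, (0.0, 0))
        totals[fw] = (got + credit, n + 1)
    return {fw: round(100.0 * got / n, 1) for fw, (got, n) in totals.items()}

def gaps(questions, answers, framework):
    """Requirements of one framework with zero credit: the assessment gaps that
    would be pushed into a risk register."""
    return sorted(r for (fw, r), c in requirement_credit(questions, answers).items()
                  if fw == framework and c == 0.0)

if __name__ == "__main__":
    answers = {"Q1": "yes", "Q2": "partial", "Q3": "yes", "Q4": "no"}  # Q5 left unanswered
    print(score_frameworks(QUESTIONS, answers))  # {'SOC2': 66.7, 'ISO27001': 62.5, 'PCI': 75.0, 'AIRMF': 0.0}
    print(gaps(QUESTIONS, answers, "ISO27001"))  # ['A.8.15']
```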

Financial Risk Quantification

Implements the FAIR™ methodology, developed by the FAIR Institute, to convert vendor risk into Annualized Loss Expectancy (ALE) with recommended cyber insurance coverage. Every multiplier and threshold is customizable.
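The FAIR decomposition behind an ALE figure, carried through in Python as an added example (not Fair TPRM's implementation): ALE = LEF x LM with LEF = TEF x Vulnerability, each factor estimated from a min / most-likely / max range, both analytically and by Monte Carlo. The vendor scenario figures and the coverage rounding rule are constructed assumptions standing in for the page's "customizable multiplier and threshold".

```python
"""FAIR-style quantification for one vendor scenario. Added illustration of the
FAIR methodology, not Fair TPRM's own code; all figures below are constructed."""
import random
from statistics import mean

def triangular_mean(lo, ml, hi):
    """Mean of a triangular(min, most-likely, max) estimate."""
    return (lo + ml + hi) / 3.0

def analytic_ale(tef, vuln, lm):
    """Expected ALE if the three factors are independent: E[TEF] * E[Vuln] * E[LM]."""
    return triangular_mean(*tef) * triangular_mean(*vuln) * triangular_mean(*lm)

def simulate_ale(tef, vuln, lm, n=20000, seed=1):
    """Monte Carlo: draw each factor from its triangular range, multiply, and return
    the sorted annual-loss samples (each tuple is (min, most_likely, max))."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        t = rng.triangular(tef[0], tef[2], tef[1])     # threat event frequency per year
        v = rng.triangular(vuln[0], vuln[2], vuln[1])  # P(threat event becomes a loss)
        m = rng.triangular(lm[0], lm[2], lm[1])        # loss magnitude per loss event
        samples.append(t * v * m)
    samples.sort()
    return samples

def percentile(sorted_samples, p):
    """p in [0, 1]; nearest-rank lookup on already sorted samples."""
    idx = min(len(sorted_samples) - 1, int(p * len(sorted_samples)))
    return sorted_samples[idx]

def recommended_coverage(ale_p90, multiplier=1.0, increment=250_000):
    """Constructed rule: scale the 90th-percentile annual loss by a tunable multiplier
    and round up to the next policy increment (the threshold)."""
    return -(-(ale_p90 * multiplier) // increment) * increment

if __name__ == "__main__":
    # Constructed vendor scenario: 2-12 threat events/yr (most likely 5), 10-60 %
    # chance each becomes a loss (most likely 30 %), $20k-$400k per loss (most likely $80k).
    tef, vuln, lm = (2, 5, 12), (0.1, 0.3, 0.6), (20_000, 80_000, 400_000)
    losses = simulate_ale(tef, vuln, lm)
    print(f"analytic mean ALE  ${analytic_ale(tef, vuln, lm):,.0f}")
    print(f"simulated mean ALE ${mean(losses):,.0f}")
    for p in (0.10, 0.50, 0.90):
        print(f"P{int(p*100):02d} annual loss   ${percentile(losses, p):,.0f}")
    print(f"recommended cover  ${recommended_coverage(percentile(losses, 0.90)):,.0f}")
```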

Dual SRS Monitoring

Built-in API integrations with UpGuard and Shodan provide continuous external scanning with admin-tunable signal weights per scoring category. You decide which security signals matter most to your organization.

Full Vendor Lifecycle

From onboarding through procurement, security assessment, continuous scoring, and annual reviews — every phase is tracked and automated in a single platform.

Evidence & Policy Management

Upload encrypted compliance evidence, manage policy lifecycles from draft to publication, and link evidence directly to controls and assessment responses. All files are AES-256-CBC encrypted at rest.

Audits, Findings & Risk Register

Plan audits, record findings with severity ratings, assign remediation tasks, and maintain a risk register with likelihood/impact scoring. Gaps in assessments automatically populate the risk register.

Enterprise Access Control

SAML 2.0 SSO, SCIM 2.0 provisioning, TOTP two-factor authentication, 7 role-based access groups with 40+ granular permissions, and complete audit logging for every action.

Bank-Grade Encryption

AES-256-CBC encryption for all data at rest. TLS 1.3 with post-quantum resistant cipher suites for data in transit. Argon2id password hashing, CSRF protection, and a full security header suite.

Built from the Ground Up

Not a plugin. Not a fork. A purpose-built PHP 8.5 application backed by MariaDB — deployed on-premises in your data center or hosted and managed by us.

Architected as One System

Unlike platforms that bolt on acquired modules or rely on third-party plugins, every line of Fair TPRM was written to work together. Service layers, singleton patterns, and permission-aware queries support organizations managing hundreds of vendor relationships and multi-framework compliance programs — all from a single codebase.

  • PHP 8.5 with strict typing and modern patterns
  • MariaDB/MySQL or SQLite database support
  • On-prem or managed hosting — your choice
  • 6-step setup wizard — no coding required
  • Theme customization with brand colors and logos
  • SQL migration system with preview and rollback

  PHP Version: 8.5
  Service Classes: 48+
  Compliance Frameworks: 9
  Unified Questions: 170+
  Security Domains: 14
  ACL Permissions: 40+
  Encrypted Fields: 40+

Role-Based Access for TPRM & GRC

One unified permission model across every module — no per-tool access configurations. Seven default groups cover the full range of TPRM and GRC responsibilities.

  Group             Access Level              Typical Users
  Administrator     Full System Access        IT Security leadership, system admins
  Cyber TPRM        All TPRM Operations       Security analysts, risk managers
  Cyber GRC         All GRC Operations        GRC analysts, compliance officers
  Auditor           Read-Only Access          Internal auditors, external auditors
  GRC Contributors  Assigned GRC Tasks        IT staff, compliance contributors
  Procurement       Vendor & Contract Access  Procurement team, vendor managers
  Stakeholder       Own/Assigned Vendors      Business unit owners, project leads

Supported Compliance Frameworks

Answer 170+ unified security questions once and automatically calculate your compliance posture across every framework below — no duplicate work required.

  Framework                                   Version  Mapped Questions
  NIST Cybersecurity Framework (CSF)          2.0      170+
  ISO/IEC 27001                               2022     170+
  SOC 2 Type II                               2017     170+
  PCI DSS                                     4.0      132
  CMMC / NIST 800-171                         v2.0     97
  CIS Controls                                v8       95
  NIST SP 800-171                             Rev 2    90
  HIPAA Security Rule                         2013     61
  NIST AI Risk Management Framework (AI RMF)  1.0      48

Application Screenshots

See Fair TPRM in action — from dashboards and risk analysis to vendor lifecycle management and administration.

Complete Your Stack for Under $60/month

Fair TPRM is free to deploy, but two optional add-ons unlock even more capability. Self-host your own AI backend for executive risk summaries and add Shodan’s Security Rating Services — all for under $60 per month total. Full control, no vendor lock-in.

AI Integration — Free to Self-Host

Deploy OpenWebUI or LibreChat alongside Fair TPRM as a Docker container on the same server. These are free, open-source AI front-ends that connect to any LLM provider — including local models via Ollama.

  • Generate AI-powered executive risk summaries from FAIR analysis data
  • Auto-suggest control descriptions and assessment gap analysis
  • Run entirely on your own infrastructure — no data leaves your network
  • Connect to OpenAI, Anthropic, local Ollama models, or any OpenAI-compatible API
  • Single Docker container, minimal resource overhead

Cost: $0 (self-hosted, BYO API key or use local models)

Shodan API — Under $60/month

A Shodan membership gives Fair TPRM continuous external security scoring for every vendor in your portfolio. Shodan scans the entire internet and Fair TPRM pulls the results via API to generate automated Security Rating Scores.

  • Continuous TLS/SSL, network, and application security scanning
  • CVE and CVSS vulnerability detection across vendor infrastructure
  • Configurable signal weights — tune scoring to your risk appetite
  • WAF and CDN-aware scanning to avoid false positives
  • Tier-based auto-rescoring on your schedule

Cost: ~$59/month (Shodan Membership with API access)

Total cost of ownership: Deploy Fair TPRM for free. Add AI and Security Rating Services for under $60/month. That’s a complete TPRM and GRC platform with FAIR risk quantification, 9-framework compliance, continuous monitoring, and AI-powered analysis — for less than the price of a single SaaS seat in most commercial TPRM tools.

Free & Open Source — TPRM and GRC for Every Security Team

Fair TPRM is free software for the world to download. Security teams with limited budgets deserve enterprise-grade third-party risk management and GRC compliance capabilities — without the enterprise price tag. Try the live demo, then deploy on your own infrastructure at no cost.
