Open-source security questionnaire automation.
300-row spreadsheets, answered in minutes.
Run it on your own infrastructure. Pick the compliance mode that fits the engagement — from AI-assisted drafting with full audit trail, all the way to a fully air-gapped library-only deployment with no neural models loaded.
Every questionnaire costs you time, momentum, and margin
Deals stall
A prospect is ready to move, then the questionnaire lands and the timeline slips.
Security gets dragged in late
The same people stop what they're doing to dig through old answers, policies, and spreadsheets.
Responses become inconsistent
Different people answer similar questions differently, which creates friction and follow-up.
It's not a compliance problem. It's a time problem.
Upload. Map. Generate.
Upload
Your questionnaire and your existing security docs. Excel, Word, PDF.
Map
Each question is matched to relevant sections of your documents. No manual tagging.
Generate
Draft answers linked back to your source material, ready for human review before anything goes out.
Your infra. Your data. Your rules.
MIT-licensed, self-hosted
One Docker image. Single volume mount. Your cloud or your laptop — your choice. Source is open, so what runs in your environment is exactly what you can read.
Runs anywhere
AWS, Azure, GCP, on-prem, or a laptop in a SCIF. No phone-home. No telemetry. In air-gapped mode it runs under --network none.
Multi-provider AI
Anthropic, OpenAI, Azure OpenAI, Gemini, or local via Ollama, vLLM, or LM Studio. Swap providers without code changes.
Public repo coming at alpha. For now, request access below for a private preview.
Five modes, enforced at the process boundary
Pick the mode that fits the engagement. Enforcement is structural, not advisory — in air-gapped mode, the AI libraries are never imported at boot.
| Mode | LLM | Embeddings | What it's for |
|---|---|---|---|
| standard | ✓ | ✓ | Default. AI drafts, humans review. |
| disclosure | ✓ | ✓ | Same as standard, every export stamped "AI-assisted" — UK PPN 02/24 tender compliance. |
| human_authored | reference only | ✓ | Reviewer writes from scratch. UI blocks paste on the answer field. |
| library_only_semantic | — | ✓ | No AI generation. Retrieval over your approved-answers library only. |
| library_only_lexical | — | — | Fully air-gapped. SQLite FTS5, no neural models. Runs under --network none. |
What those terms mean
- LLM: Large language model — Claude, GPT, Gemini, or a local equivalent. Drafts answers or reference-checks them, depending on the mode.
- Embeddings: Numerical vectors that capture the meaning of text, generated by a small neural model. Required for semantic search.
- Semantic search: Finds matches by meaning. A question about "multi-factor authentication" will find your approved answer that talks about "MFA."
- Lexical search: Finds matches by exact words — same idea as Ctrl-F, but indexed across your whole answer library. Fast, deterministic, no AI involved.
- SQLite FTS5: The full-text search engine built into SQLite (the single-file database RepliSec uses). Local, lexical-only, zero network calls. It's what library_only_lexical mode runs on.
- --network none: A Docker flag meaning "no network access at all" — not even DNS. Enforces the air-gap at the container boundary, so isolation is structural rather than a config promise.
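The mode table and the glossary above describe two things a deployer will want to verify: that a restricted mode really keeps the AI libraries out of the process, and that library_only_lexical retrieval needs nothing beyond SQLite FTS5. The following is an added example written for this page, not RepliSec's own source. It assumes hypothetical provider package names (LLM_MODULES, EMBEDDING_MODULES) and a constructed three-entry answer library; the capability table mirrors the five-mode table, and the import guard is one way of making "never imported at boot" structural, by refusing the import at the interpreter's meta_path rather than by a config flag the code is trusted to honour.

```python
"""Added example (not RepliSec's code): structural mode enforcement at the
process boundary, plus the FTS5 lexical retrieval path. Provider module
names and the sample library below are assumptions constructed for the page."""
import importlib
import sqlite3
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class ModeCaps:
    llm_loaded: bool   # may an LLM SDK be imported into the process at all?
    llm_drafts: bool   # may the LLM write drafts (False = reference-check only)?
    embeddings: bool   # may an embedding model be loaded (semantic search)?


# Capability table, one row per mode on the page.
MODES = {
    "standard":              ModeCaps(llm_loaded=True,  llm_drafts=True,  embeddings=True),
    "disclosure":            ModeCaps(llm_loaded=True,  llm_drafts=True,  embeddings=True),
    "human_authored":        ModeCaps(llm_loaded=True,  llm_drafts=False, embeddings=True),
    "library_only_semantic": ModeCaps(llm_loaded=False, llm_drafts=False, embeddings=True),
    "library_only_lexical":  ModeCaps(llm_loaded=False, llm_drafts=False, embeddings=False),
}

# Hypothetical module names standing in for the provider SDKs (assumption).
LLM_MODULES = ("anthropic", "openai", "google.generativeai")
EMBEDDING_MODULES = ("sentence_transformers",)


def blocked_modules(mode: str) -> tuple:
    """Module prefixes that must never be importable in this mode.
    An unknown mode raises KeyError: fail closed, never fall back to 'standard'."""
    caps = MODES[mode]
    blocked = ()
    if not caps.llm_loaded:
        blocked += LLM_MODULES
    if not caps.embeddings:
        blocked += EMBEDDING_MODULES
    return blocked


class ProviderImportGuard:
    """sys.meta_path finder that refuses to locate forbidden provider packages.
    Sitting first on meta_path, it makes any `import openai` anywhere in the
    process fail before a byte of the SDK is loaded."""

    def __init__(self, mode: str):
        self.mode = mode
        self.blocked = blocked_modules(mode)

    def find_spec(self, fullname, path=None, target=None):
        for name in self.blocked:
            if fullname == name or fullname.startswith(name + "."):
                raise ImportError(f"{fullname} is not permitted in mode '{self.mode}'")
        return None  # not ours; let the regular finders handle it


def install_import_guard(mode: str) -> ProviderImportGuard:
    """Install the guard at boot, before any provider code can run."""
    guard = ProviderImportGuard(mode)
    sys.meta_path.insert(0, guard)
    return guard


def import_is_blocked(name: str) -> bool:
    """True if importing `name` is refused in the current process."""
    try:
        importlib.import_module(name)
    except ImportError:
        return True
    return False


# --- library_only_lexical retrieval: SQLite FTS5, no neural models ---

# Constructed sample approved-answer library (not real customer data).
SAMPLE_ANSWERS = [
    ("Do you enforce multi-factor authentication for admin access?",
     "Yes. Multi-factor authentication is required for all administrative access."),
    ("Is MFA required for staff?",
     "MFA is enforced for all staff through the SSO provider."),
    ("Do you encrypt data at rest?",
     "All customer data is encrypted at rest with AES-256."),
]


def build_lexical_index(approved_answers) -> sqlite3.Connection:
    """Index the approved-answer library in an FTS5 virtual table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE answers USING fts5(question, answer)")
    conn.executemany("INSERT INTO answers(question, answer) VALUES (?, ?)", approved_answers)
    conn.commit()
    return conn


def lexical_search(conn: sqlite3.Connection, query: str, limit: int = 3) -> list:
    """Exact-word retrieval ranked by FTS5's built-in BM25 (`rank`).
    Each term is quoted (inner quotes doubled) so input such as 'multi-factor'
    or 'AND' is treated as a phrase, never as FTS5 query syntax."""
    match = " ".join('"%s"' % term.replace('"', '""') for term in query.split())
    return conn.execute(
        "SELECT question, answer FROM answers WHERE answers MATCH ? ORDER BY rank LIMIT ?",
        (match, limit),
    ).fetchall()


if __name__ == "__main__":
    install_import_guard("library_only_lexical")
    print("openai blocked:", import_is_blocked("openai"))
    idx = build_lexical_index(SAMPLE_ANSWERS)
    # Lexical search hits 'multi-factor authentication' but not the entry that only says 'MFA'.
    for question, _ in lexical_search(idx, "multi-factor authentication"):
        print("hit:", question)
```

The search result is the lexical-versus-semantic distinction from the glossary in action: "multi-factor authentication" returns only the entry that uses those words, and the entry phrased as "MFA" is found only by searching for "MFA". The guard covers what happens inside the process; the --network none flag is a separate, container-level control and is checked at the Docker level, not from inside the application.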
Every answer carries provenance — source citations, confidence score, and an audit trail of every edit. Exports in disclosure mode include an AI-assistance report for tender submissions.
Who it's for
- MSSPs handling vendor assessments across multiple clients
- Fractional and virtual CISOs managing questionnaire volume
- Security consultancies accelerating bid responses
- SMEs passing enterprise security reviews
Join the alpha cohort
A handful of teams helping shape v1. Self-hosters and managed-trial folks both welcome — we'll reach out with install instructions or a walkthrough depending on how you want to run it.