In Development - Join the Waitlist

PandaGRC

A lightweight SaaS GRC platform for risk management, controls, compliance tracking, and executive reporting - built for practitioners who want clarity without enterprise overhead.

Why PandaGRC

Most teams don't struggle with "knowing frameworks exist." They struggle with making them usable:

  • Mapping controls to real operations
  • Defining what evidence actually proves
  • Scoring risk consistently
  • Reporting progress to leadership

Who It's For

  • GRC and compliance practitioners
  • Security governance and risk teams
  • Consultants needing repeatable reporting
  • Builders who want clarity without overhead
  • Organizations of all sizes

What Waitlist Members Get

  • First access when V1 launches
  • 10-risk ISRM onboarding + analysis
  • Product updates (major milestones only)
  • A chance to influence what ships first
  • Founder pricing / early adopter perks

// What ships in V1

Four core capabilities, day one

ISRM Module

Information Security Risk Management

The core of PandaGRC. A full risk lifecycle engine - log risks, create findings, assign tasks, attach evidence, manage exceptions, and track everything from identification through closure. Each risk is scored on a 5x5 matrix with clear ownership and status tracking.

Risk Register · Findings · Tasks · Evidence · Exceptions · Reports

Controls Catalogue

Pre-seeded frameworks, customizable

Ships with pre-loaded system controls from NIST 800-53, CIS Controls v8, ISO 27001, and PCI DSS. Base controls are read-only for reference integrity - use the Clone button to create editable, org-specific versions you can tailor to your environment.

NIST 800-53 · CIS v8 · ISO 27001 · PCI DSS · Clone to Edit

Panda Threat Engine

Structured threat insights

For every risk, the Threat Engine generates a structured threat assessment - likely attack vectors, potential business impact, recommended controls, and a plain-English Panda verdict. Results are designed to support professional judgement, not replace it.

Attack Vectors · Business Impact · Recommended Controls · Panda Verdict

Risk Assessments (PRAF)

Panda Risk Assessment Framework

PRAF is a guided 7-step risk assessment methodology built into PandaGRC, derived from NIST 800-30, ISO 27005, and CIS RAM. It walks assessors through context, threats, controls, impact scoring (including CIA Triad analysis with a 5x5 risk matrix), evidence collection, risk response, and formal sign-off.

7-Step Workflow · CIA Triad · 5x5 Matrix · Inline Evidence · Sign-off

// See it in action

What PandaGRC looks like inside

Risk register (12 open)

  • 12 open risks
  • 4 critical
  • 8 tasks
  • 2 exceptions

  • Critical - Unpatched critical CVEs on production servers (RA-2026-001)
  • High - Privileged access reviews not enforced quarterly (RA-2026-003)
  • Medium - MFA not enforced on all admin endpoints (RA-2026-005)

Live KPIs · Severity scoring

System controls (1,200+)

  • AC-2 - Account management (NIST 800-53)
  • 4.1 - Establish and maintain a secure configuration process (CIS v8)
  • A.8.1 - User endpoint devices (ISO 27001)
  • 1.3.1 - Restrict inbound traffic to CDE (PCI DSS)

4 frameworks · Clone to edit

Threat analysis (Panda verdict)

Attack vectors
  • Remote code execution via known CVEs
  • Lateral movement from compromised host
  • Privilege escalation through unpatched kernel

Recommended controls
  • Automated patch management with SLA tracking
  • Network segmentation of production tier
  • Host-based IDS with real-time alerting

Panda verdict
This risk has high exploit probability given public CVEs. Immediate patching cadence with compensating network controls is the minimum viable response.

Attack vectors · Panda verdict

PRAF assessment (Step 4 of 7)

  1. Assessment context - Done
  2. Threat analysis - Done
  3. Control analysis - Done
  4. Impact & scoring - Active
  5. Findings & evidence
  6. Risk response
  7. Review & sign-off

Current step: CIA Triad + 5x5 matrix
Rate Confidentiality, Integrity, and Availability to get a composite impact suggestion. Then confirm with the risk matrix.

7-step workflow · CIA + 5x5 matrix
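As an added illustration of the "Impact & scoring" step described above (this is not PandaGRC's own code; the composite-impact rule and the severity bands are assumptions, since the page does not publish them), the following shows CIA ratings producing a suggested impact that the assessor can confirm or override before the 5x5 matrix yields a score and band:

```python
from dataclasses import dataclass

# Assumed rating scale for every dimension (the page only says "5x5").
SCALE = range(1, 6)

# Assumed severity bands over the 5x5 product (1..25); PandaGRC's own
# thresholds are not on the page, so these values are illustrative.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


@dataclass(frozen=True)
class CiaRating:
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        for name, value in vars(self).items():
            if value not in SCALE:
                raise ValueError(f"{name} must be 1-5, got {value}")


def suggest_impact(rating: CiaRating) -> int:
    """Composite impact suggestion from the three CIA ratings.

    Assumption: the highest rating drives the suggestion, so a risk that
    only threatens availability is not diluted by low C/I scores.
    The assessor confirms or overrides this in the matrix step.
    """
    return max(rating.confidentiality, rating.integrity, rating.availability)


def severity(likelihood: int, impact: int) -> tuple:
    """Place a risk on the 5x5 matrix and return (score, band)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be 1-5")
    score = likelihood * impact
    for threshold, band in BANDS:  # descending thresholds, Low catches 1..5
        if score >= threshold:
            return score, band


def score_risk(rating: CiaRating, likelihood: int, confirmed_impact=None) -> dict:
    """Suggest impact, apply the assessor's confirmation, then score."""
    suggested = suggest_impact(rating)
    impact = suggested if confirmed_impact is None else confirmed_impact
    score, band = severity(likelihood, impact)
    return {"suggested_impact": suggested, "impact": impact,
            "likelihood": likelihood, "score": score, "band": band}


if __name__ == "__main__":
    # Constructed sample mirroring the register entry RA-2026-001 above.
    print(score_risk(CiaRating(4, 5, 5), likelihood=5))
```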

// After V1

Platform Roadmap

  • Compliance (Planned) - Requirement tracking, control mapping, evidence relationships, framework coverage.
  • Maturity (Planned) - NIST CSF and CIS Controls maturity scoring with gap analysis.
  • Third-Party Risk (Planned) - Vendor assessments, monitoring, issue tracking, structured reporting.
  • Vulnerability Mgmt (Planned) - Scanner data, remediation tracking, SLA compliance.
  • Executive Dashboards (Planned) - KPIs, heatmaps, trends, decision-support for leadership.

// Early Access

Join the PandaGRC Waitlist

// FAQ

Common Questions

Is PandaGRC available today?

Not yet. PandaGRC is in active development. Waitlist members will be the first to get access when V1 launches.

Is this affiliated with NIST / PCI SSC?

No. PandaGRC is an independent product by InfoSecPanda. Framework content is based on publicly available standards.

Will there be a free tier?

Yes. V1 will include a free tier with limited capacity. Paid plans will be available for teams needing full access.

What does the waitlist include?

First access to V1, 10-risk ISRM onboarding, founder pricing, and a direct line to influence what gets built.

Want something free right now?

While PandaGRC is in development, explore the free community dashboards.

Explore Free Dashboards