Risk teams who don't have time to show their work.
Three customer stories from across financial services, healthcare, and SaaS. Each one is a structural problem that compounded for years before VigiliaRes took it apart and put it back together.
From a 14-month DORA fire drill to a quarterly export.
When DORA Article 28 came into force, Northwind's third-party register was a 600-row spreadsheet maintained by one analyst. Twelve months before the deadline, no one could agree on what counted as “ICT third-party.”
Six months in, they wired their procurement system, their cloud inventory, and their existing TPRM platform into VigiliaRes. The register now reads itself; quarterly exports run as a job.
“The thing I keep coming back to: when our regulator asked a question last quarter, we answered in the meeting. Not next week. Not after a thread of emails to the cloud team. In the meeting.”
“Twelve hospitals, one BAA library, one HIPAA risk analysis that actually rolls up. The OCR audit prep that used to take a quarter now lives as a saved view.”
One risk analysis, twelve hospitals.
Halberd's compliance org grew through acquisition. Six BAA libraries. Four ePHI inventories. Three different definitions of “significant change.” Their last OCR audit took a quarter to prepare for and three months to recover from.
We collapsed the BAAs into one tiered registry, modeled the ePHI flows as a graph against a single set of safeguards, and now their §164.308(a)(1) risk analysis updates itself.
Three frameworks. One control set.
Parallax sells AI infrastructure to enterprise customers. Their security team is four people. They needed SOC 2 Type II, ISO 27001, and ISO 42001 (AI management) all live by the end of the year — three audits, three auditors, the same underlying engineering reality.
With the cross-mapping graph, their 87 implemented controls satisfy 278 framework clauses across the three audits. Evidence collected once, attributed everywhere.
“Our auditor opened the room, ran her own queries, downloaded her own evidence packs, and we never once forwarded an email. That, as a working state, is the thing.”