Platform overview
Draxis is not a GRC tool. It is a cyber risk intelligence platform — it reads signals directly from your controls, ties them to business outcomes, and surfaces the picture through an expert panel that remembers every conversation.
The five primitives
Everything Draxis does is built from five first-class objects:
| Primitive | What it is | Where it comes from |
|---|---|---|
| KRI | A numeric risk signal with a threshold. | Written by an integration connector (or entered manually). |
| Control | A policy or technical control the org operates. | Authored in-app, often during onboarding. |
| Risk | A thing that could happen that would hurt. | Authored; KRIs and controls link to it. |
| Outcome | A business outcome a risk threatens. | Authored; risks roll up here. |
| Vendor | A third party you depend on. | Inventory; optionally assessed with a structured assessment. |
Data flow
- Integration connectors (one per vendor per tenant) pull data from your tools on a schedule and write values into KRI rows by slug.
- KRIs evaluate their thresholds and show up on the dashboard as green, amber, or red.
- Risks aggregate KRIs and controls to compute a current risk level.
- Outcomes roll up the risks that threaten each business outcome.
- The expert panel (AI vCISO + specialists) reads all of the above plus institutional memory and answers questions in context.
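A minimal model of the connector-to-outcome flow above, added here as an illustration and not Draxis code. The class names, slugs, threshold semantics and the worst-child rollup rule are all assumptions, and controls are left out of the risk calculation to keep it short.

```python
from dataclasses import dataclass, field

# Hypothetical model: none of these names come from Draxis itself.
ORDER = ["green", "amber", "red"]  # assumed severity ordering

@dataclass
class KRI:
    slug: str
    amber: float          # value at which the KRI turns amber
    red: float            # value at which the KRI turns red
    value: float = 0.0
    higher_is_worse: bool = True

    def status(self) -> str:
        v, a, r = self.value, self.amber, self.red
        if not self.higher_is_worse:      # e.g. coverage percentages
            v, a, r = -v, -a, -r
        return "red" if v >= r else "amber" if v >= a else "green"

def worst(statuses) -> str:
    # Assumed rollup rule: a parent is as bad as its worst child.
    return max(statuses, key=ORDER.index, default="green")

@dataclass
class Tenant:
    kris: dict = field(default_factory=dict)      # slug -> KRI
    risks: dict = field(default_factory=dict)     # risk name -> [KRI slugs]
    outcomes: dict = field(default_factory=dict)  # outcome name -> [risk names]

    def write_kri(self, slug: str, value: float) -> None:  # a connector's scheduled write
        if slug not in self.kris:
            raise KeyError(f"connector wrote to unknown KRI slug: {slug}")
        self.kris[slug].value = value

    def risk_level(self, risk: str) -> str:
        return worst(self.kris[s].status() for s in self.risks[risk])
    def outcome_level(self, outcome: str) -> str:
        return worst(self.risk_level(r) for r in self.outcomes[outcome])

def demo() -> Tenant:
    t = Tenant()
    for k in (KRI("unpatched-critical-vulns", amber=5, red=20),
              KRI("mfa-coverage-pct", amber=95, red=80, higher_is_worse=False)):
        t.kris[k.slug] = k
    t.risks = {"ransomware": ["unpatched-critical-vulns", "mfa-coverage-pct"]}
    t.outcomes = {"keep-order-processing-online": ["ransomware"]}
    t.write_kri("unpatched-critical-vulns", 7)   # constructed scanner reading
    t.write_kri("mfa-coverage-pct", 99)          # constructed IdP reading
    return t
```

Rejecting writes to unknown slugs matters because the slug is the only join between a connector and a KRI row: a silently accepted typo would leave the real KRI stale and green.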
The expert panel
Rather than one generic chatbot, Draxis runs a small panel of specialists. The AI vCISO is the moderator; specialists are called into the conversation when their domain applies.
AI vCISO
Executive view. Prioritises, frames for the board, drives decisions.
Privacy expert
GDPR, CCPA, DORA, HIPAA — interprets privacy obligations against your data.
TPRM expert
Third-party risk: due diligence, continuous monitoring, blast radius.
Cyber insurance
Coverage posture, carrier expectations, renewal preparation.
Workflows & CRSE
Two engines sit on top of the primitives:
- Workflows fire when KRIs cross thresholds (or other triggers) and route work to owners. See Workflows.
- CRSE (Cyber Risk Simulation Engine) runs Monte-Carlo-style simulations over your control posture to estimate annual loss exposure, toxic combinations, and MITRE ATT&CK coverage. See CRSE.
What Draxis does NOT do
- It is not a vulnerability scanner. It reads from your scanner.
- It is not a SIEM. It reads KRIs, not raw events.
- It is not a GRC policy-approval workflow. It is a risk intelligence layer that sits above (and talks to) your policy tooling.