{"api":{"name":"api.sb","description":"Business-as-Code surface for Startups.Studio","home":"https://api.sb","docs":"https://api.sb/docs","version":"1.0.0"},"$context":"https://api.sb/$context","$type":"FoundingHypothesis","$id":"https://api.sb/founding-hypotheses/fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-low%3Av1","links":{"self":"https://api.sb/v1/founding-hypotheses/fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-low%3Av1","canonical":"https://api.sb/founding-hypotheses/fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-low%3Av1","pool":"https://api.sb/v1/founding-hypotheses"},"foundingHypothesis":{"id":"fh:computer-and-information-systems-managers-it-risk-assessment:t-low:v1","lens":"HeadlessSaaS","type":"founding-hypothesis","click":{"rubricScores":{"C8_lensFit":0,"C7_magicLensFit":1,"C4_competitorHonesty":1,"C6_crossSlotCoherence":1,"C1_customerSpecificity":1,"C2_problemFrictionRealism":1,"C9_killCriteriaAttestability":1,"C3_approachEngineCoverability":1,"C5_differentiationLoservilleEscape":1},"upperRightLoserville":true},"cellRef":{"id":"work-contexts.org.ai/computer-and-information-systems-managers-it-risk-assessment","stableHash":"wcc:computer-and-information-systems-managers:it-risk-assessment:document:v1"},"problem":{"slotStatement":"IT risk analysts spend 3–5 weeks hand-copying control evidence from Jira, ServiceNow CMDB, Tenable, and vendor SIG questionnaires into a Word/Excel risk register, then defending every residual-risk rating line-by-line to examiners who demand a traceable record from finding to treatment owner to due date."},"approach":{"oneSentence":"A headless risk-register engine that continuously reconciles CMDB assets, vulnerability scans, and control-test results into an examiner-ready IT risk assessment and treatment plan, with every residual-risk score carrying a clickable traceable record back to its primary-source evidence."},"customer":{"icpShape":"US mid-market regional banks and credit unions ($2B–$20B assets) where the buyer is the CISO or VP of Information Security (signs the security-tooling PO) and the daily user is the IT Risk Analyst who authors the FFIEC/NIST-aligned risk assessment and treatment plan","beachheadShape":"EarlyAdopterJTBD: regional banks facing an imminent FFIEC CAT/NIST 800-53 exam cycle who need the next IT risk assessment and treatment plan delivered in under 6 weeks"},"archetype":"startup-archetypes.org.ai/HeadlessSaaS-MoneyOnDelivery","beachhead":"EarlyAdopterJTBD: regional banks facing an imminent FFIEC CAT/NIST 800-53 exam cycle who need the next IT risk assessment and treatment plan delivered in under 6 weeks","competitors":{"substitutes":[{"name":"Archer IRM / ServiceNow IRM","category":"incumbent"},{"name":"LogicGate and Hyperproof GRC platforms","category":"adjacent vertical"},{"name":"Excel risk register maintained by the IT risk analyst with Big-4 advisory review","category":"status-quo"},{"name":"ChatGPT Enterprise used ad-hoc to draft risk narratives","category":"AI-native horizontal"}]},"studioThesis":"T-LOW","killThreshold":{"K":8,"M":30,"N":7,"rubricItemSet":["C1_customerSpecificity","C2_problemFrictionRealism","C3_approachEngineCoverability","C4_competitorHonesty","C5_differentiationLoservilleEscape","C6_crossSlotCoherence","C7_magicLensFit","C8_lensFit","C9_killCriteriaAttestability"],"verdictPolicy":"all-load-bearing-pass-and-overall-ge-X","loadBearingItemSet":["C1_customerSpecificity","C2_problemFrictionRealism","C3_approachEngineCoverability","C4_competitorHonesty","C5_differentiationLoservilleEscape","C6_crossSlotCoherence","C9_killCriteriaAttestability"],"verdictPolicyVerbatim":"KILL unless every load-bearing rubric item passes per workbook AND overall pass-rate ≥ 7/9 (CASCADE.md §4 Stage 9 commit threshold)."},"lifecycleState":"Active","differentiation":{"twoByTwo":{"xAxis":"Evidence provenance (analyst-typed narrative ↔ each risk score cites the exact Tenable scan ID, CMDB CI, and control-test ticket)","yAxis":"Deployment posture (multi-tenant SaaS that cannot touch the core banking VPC ↔ headless service embedded behind the bank's firewall reading CMDB/SIEM directly)","winningQuadrant":"in-VPC headless engine where every residual-risk rating is click-through citable to the originating CMDB CI and scan finding — examiners accept the register without sampling","loservilleEscape":true,"loservilleQuadrant":"Archer/ServiceNow IRM multi-tenant SaaS where analysts still paste in narratives by hand and examiners must re-sample evidence because the risk ratings have no traceable link to source systems"}},"unmetRequirements":[],"pricingArchitecture":"usage-meter"},"actions":{},"options":{},"relationships":{"runtimeUnit":"https://api.sb/v1/runtime-units?startupRef=startup%3Afh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-low%3Av1","brand":"https://api.sb/v1/brands?startupId=startup%3Afh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-low%3Av1","listing":"https://api.services/listings?foundingHypothesisRef=fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-low%3Av1","cell":"https://api.sb/v1/cells/work-contexts.org.ai/computer-and-information-systems-managers-it-risk-assessment","thesis":"https://api.sb/v1/theses/T-LOW"},"meta":{"level":"L0","scopes":[]},"user":{"requestId":"a057bb5d0d261ec6","edgeLocation":"a057bb5d0d261ec6","geo":{"country":"US"},"ua":{"browser":"Claude"}},"references":{"total":0,"limit":25,"page":1,"links":{"self":"https://api.sb/v1/founding-hypotheses/fh%3Acomputer-and-information-systems-managers-it-risk-assessment%3At-low%3Av1/references"},"items":[]}}