Now includes Assessment Mode

Compliance answers grounded in your real policies.

threep™ turns your policies, plans, and procedures into evidence-backed outputs mapped to NIST 800-53 and FedRAMP. Honest about gaps. Zero fabricated citations.

threep — compliance query
Are we fully covered for AC-2 account management?
Answer

Coverage status: Evidence found in policy excerpts (may be partial — compare to control requirements).

  • User Access and Privilege Management Policy — §4.12 Account Provisioning
  • Account and Privilege Review Policy — §4.7 Training and Awareness
  • Access Control Policy — §5 Review and Updates

Only partial/indirect evidence found. Confirm account creation approval workflow and disable-on-termination controls.

Sources & context: Top score: 1.51 · Policy: 37 · NIST: 4

  • 800-53: NIST control language
  • 0: Fabricated citations
  • Local-first: Runs on Ollama, no cloud required
  • Open source: Core is MIT-licensed

Capabilities

Built for real compliance work.

Not just search. Not just chat. A system that prefers your policies and cites them — honestly.

🧭

Intent-Aware Retrieval

Topic boosts and demotions keep results on-track. SDLC ≠ training ≠ retention policy.

📌

Policy-First Answers

Coverage bullets synthesized from your top policy chunks — consistent, citeable, and traceable.

🧾

Audit-Ready Structure

Summary → Coverage → NIST Reference → Implementation checklist → Gap detection in every response.

🛡️

Anti-Hallucination

No policy evidence? It reports the gap instead of guessing. Zero fabricated citations — ever.

📊

Coverage Matrix

Browse every NIST 800-53 control family. See what's covered, what's partial, and where your gaps live.

📡

Local-First by Default

Runs on Ollama out of the box. OpenAI optional. Your documents never leave your machine.

★ New Feature

Answer external questionnaires directly from your policies.

Assessment Mode generates formal, third-person security questionnaire responses — the kind vendor portals and auditors actually want — backed entirely by your ingested policy documents.

  • Formal declarative paragraphs, not compliance-speak
  • Citations pinned to specific policy sections
  • No NIST control IDs surfaced externally
  • One click: toggle Assessment mode and ask

Assessment

The organization maintains a comprehensive account management program that governs how user accounts are created, modified, monitored, and removed across organizational systems.

  • User Access and Privilege Management Policy

User access rights are subject to routine audits to ensure alignment with current job responsibilities. Discrepancies are addressed promptly and corrective action documented.

  • User Access and Privilege Management Policy — §4.10 Periodic Review of Access Rights

System administrators are required to maintain two separate accounts: one for routine tasks and one exclusively for elevated administrative functions.

  • Dual Account Separation of Duties Policy — §4.2 Dual Account Structure
How it works

Upload. Ingest. Ask.

Three commands and you're answering compliance questions from your real policies.

  • 📄 Upload: DOCX / Markdown
  • ⚙️ Convert: to Markdown
  • 🗂️ Ingest: Build index
  • 🔍 Ask: RAG query
  • Answer: Cited output


Trust model

What threep will not do.

The rules the system enforces at inference time — not just a promise.

01

No compliance claims without evidence

If your policies don't cover a control, threep reports the gap clearly instead of inventing coverage. "Unknown" is an explicit output state.

02

No fabricated citations

Every breadcrumb label and document reference traces back to an actual ingested chunk. If it's not in the text, it's not cited.

03

No framework text substituted for policy

NIST 800-53 is supporting reference only. Answers always lead with your organization's real policy language.

04

Your docs stay local

Runs on Ollama by default. Nothing leaves your machine unless you explicitly configure an external provider.

Clone, ingest, ask.

Three commands and you're answering compliance questions from your actual policies.

git clone https://github.com/dllswbr/threep && cd threep && python ingest.py && uvicorn app:app --reload