Answer vendor security questionnaires in hours, not weeks — without making things up.
threep reads your actual policies and past answers, drafts responses with citations, and flags anything it cannot prove. Your security team reviews instead of writes.
Batch upload. Drafted answers. Cited evidence.
Watch a CSV of 200 questions become 200 draft answers — each tied to the exact policy section that supports it.
Demo video embed
90-second walkthrough — questionnaire upload → drafted answers with citations → export.
Screenshot: questionnaire workspace
Side-by-side question, drafted answer, and the cited policy section.
Screenshot: gap flagging
Rows where evidence is missing — returned as GAP, not a confident guess.
threep vs. Loopio, Conveyor, and Whistic.
The incumbents automate the questionnaire workflow. threep grounds every answer in your actual documents — and admits when it cannot.
| | threep | Loopio | Conveyor | Whistic |
|---|---|---|---|---|
| Answer source | Your actual policies + past answers, cited inline (evidence-only) | Curated answer library you maintain | Shared trust-center content + library | Pre-built profiles + library |
| Missing-evidence behavior | Flags GAP — refuses to fabricate an answer | Leaves cell blank for a human to write | AI suggestion pulled from library matches | Auto-fills from closest library match |
| Where policies live | Locally on your machine via Ollama — opt-in cloud (local-first) | Vendor cloud (SaaS) | Vendor cloud (SaaS) | Vendor cloud (SaaS) |
| Price | Free & open source (MIT). Hosted plan optional. | Enterprise quote — typically $20k–$60k+/yr | Enterprise quote — typically $15k–$40k+/yr | Enterprise quote — typically $15k–$45k+/yr |
| Customization | Fork it. Every prompt, score, and routing rule is yours. | Config inside the product | Config inside the product | Config inside the product |
Pricing ranges are public-field estimates compiled from RFPs and review sites — your mileage will vary. Product names belong to their respective owners.
Built for the teams who sign their name at the bottom.
Three distinct workflows, one honest engine underneath.
Close the deal without becoming the bottleneck.
Sales drops a 300-question SIG-Lite into threep on Monday. By Tuesday, the security team is reviewing drafted answers with citations — not writing from scratch.
- CSV, XLSX, or SIG/CAIQ format ingestion
- Past-answer reuse with traceability
- Export to the format your buyer asked for
One engine. Many clients. Clean separation.
Keep each client’s policies in their own workspace. Reuse your client’s own language where evidence supports it — threep keeps corpora strictly separated — and let threep call out the gaps per client so you bill for remediation, not retyping.
- Per-client corpora with no cross-contamination
- Answer provenance you can show on an audit call
- Self-host or run it on a client’s private cloud
For primes and subs who can’t afford confident wrong answers.
CMMC assessors don’t grade your confidence — they grade your evidence. threep runs air-gapped via local LLMs, so policy text never leaves your boundary.
- Runs entirely on-prem via Ollama
- NIST 800-171 & 800-53 aware control routing
- GAP states give assessors the same picture you have
“We went from two weeks of questionnaire toil per deal to reviewing drafts the same afternoon. And for the first time, our drafts cite the actual policy section — so nothing goes out that we can’t defend.”
Two paths. Same honest engine.
Run the open-source build on your laptop in ten minutes, or let threep.cloud handle the hosting while you handle the questionnaires.

