A Unified Security Operations & GRC Platform — Built to mirror enterprise ServiceNow SecOps + GRC workflows from the ground up
I built CyberGRC Hub because I wanted Toyota's team to see exactly how I think about their problem — before I ever walked into the interview room.
Let me tell you the story.
Enterprise GRC tools like ServiceNow cost $500,000+ annually in licensing. That's not a typo. Security teams spend more time fighting the tool than managing actual risk. Most GRC platforms are black boxes — engineers click buttons, approve workflows, and never understand why a risk score changes from "Medium" to "High" overnight.
Here's what I observed: teams become tool administrators rather than risk professionals. They learn the click paths but lose sight of the domain logic.
If you truly understand GRC domain logic — risk scoring algorithms, control mapping relationships, incident state machines, compliance framework hierarchies — you can rebuild the core workflows from scratch. More importantly, you learn more in 3 months of building than most ServiceNow admins learn in 3 years of clicking.
I didn't want to be the "guy who took a ServiceNow certification course." I wanted to be the engineer who could look at a risk register, understand the math behind the scoring, and explain to a CISO why their residual risk calculation might be wrong.
I built every module Toyota's Cyber Fusion Center uses daily:
- Policy & Compliance Management — mapping controls to NIST CSF, ISO 27001, SOX, and TISAX
- Risk Register with Automated Scoring — 5×5 likelihood × impact matrix with full audit trail
- Security Incident Response — structured state machine with SLA enforcement per severity
- Vulnerability Response — automated CVE ingestion, deduplication, and remediation task creation
- Integration Hub — Splunk, Qualys, Tanium, and ServiceNow connectivity
This project isn't just a portfolio piece. It's proof of domain ownership.
When I sit across from Toyota's GRC team, I won't be asking "what does this button do." I'll be asking "how do you handle risk exceptions when the control owner is unavailable for 30 days?" That's the difference between a candidate and a contributor.
┌─────────────────────────────────────────────────────────────────────────────┐
│ EXTERNAL INTEGRATIONS │
├──────────────────┐ ┌──────────────────┐ ┌──────────────────────────────────┐
│ Splunk SIEM │ │ Qualys Scanner │ │ Tanium Agent │
│ ────────────── │ │ ────────────── │ │ ───────────── │
│ REST Webhook │ │ REST Poll │ │ REST Pull │
│ Alert → JSON │ │ Scheduled → JSON│ │ On-demand → JSON │
└────────┬─────────┘ └────────┬─────────┘ └───────────────┬────────────────┘
│ │ │
└──────────────────────┼─────────────────────────────┘
│
▼
┌───────────────────────┐
│ Integration Hub │
│ (Go) │
│ ───────────────── │
│ Retry Logic │
│ Dead-Letter Queue │
└───────────┬───────────┘
│
▼
┌───────────────────────┐
│ Redis Event Queue │
│ ───────────────── │
│ SLA Timers │
│ WebSocket Pub/Sub │
└───────────┬───────────┘
│
┌──────────────────────┼──────────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ GRC Engine │ │ SecOps Engine │ │ CMDB │
│ Policy/Comp │ │ Incidents/Vuln │ │ CI Registry │
│ Risk Register │ │ Response │ │ Topology │
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
│ │ │
└────────────────────┼────────────────────┘
│
▼
┌─────────────────────┐
│ PostgreSQL │
│ ────────────── │
│ Risk/Incident │
│ Compliance Data │
└─────────┬─────────┘
│
▼
┌─────────────────────┐
│ React Dashboard │
│ ─────────────── │
│ Recharts + D3.js │
│ WebSocket Live │
└─────────────────────┘
│
▼
┌──────────────────────────────┐
│ AWS ECS + RDS │
│ (Production Deployment) │
└──────────────────────────────┘
| JD Requirement | CyberGRC Hub Module | Implementation Detail | Status |
|---|---|---|---|
| ServiceNow GRC: Policy & Compliance | GRC Engine | Policies map to NIST CSF / ISO 27001 / SOX / TISAX control families with evidence upload workflow and reviewer approval | ✅ Complete |
| ServiceNow GRC: Risk Management | Risk Register | Full risk lifecycle with 5×5 likelihood × impact matrix, automatic tier classification, risk appetite thresholds | ✅ Complete |
| ServiceNow GRC: Audit Management | Compliance Engine | Control evidence tracking, audit trail on all state changes, automated compliance posture calculation | ✅ Complete |
| Security Operations: Security Incident Response | SecOps Engine | State machine: Detected → Triage → Containment → Eradication → Recovery → Post-Incident Review → Closed | ✅ Complete |
| Security Operations: Vulnerability Response | Vulnerability Response | CVE ingestion, deduplication by CVE-ID + asset fingerprint, auto-created remediation tasks | ✅ Complete |
| Security Operations: Threat Intelligence | Integration Hub | Splunk alerts ingested via REST webhook, parsed into incidents with IOC extraction | ✅ Complete |
| Splunk Integration | Integration Hub | REST webhook receiving JSON alerts, retry logic with exponential backoff, DLQ in Redis | ✅ Complete |
| Qualys Integration | Integration Hub | REST polling of scheduled scans, JSON parsing, CVE extraction and asset matching | ✅ Complete |
| Tanium Integration | Integration Hub | REST pull for on-demand asset data, OAuth2 authentication, asset-to-CI mapping | ✅ Complete |
| CMDB + ITSM Integration | CMDB Module | CI registry with relationships, topology graph via D3.js, change impact analysis | ✅ Complete |
| KPI Dashboards | Dashboard | Real-time KPIs via WebSocket, MTTD/MTTR tracking, compliance posture %, PDF export | ✅ Complete |
| Risk Posture Reporting | Risk Register | Automated residual risk calculation, risk appetite threshold alerts, trend analysis | ✅ Complete |
| Compliance Metrics | Compliance Engine | Control effectiveness scoring, framework coverage mapping, exception tracking | ✅ Complete |
| NIST CSF Framework | Compliance Engine | Pre-loaded NIST CSF v2.0 control library mapped to all modules | ✅ Complete |
| ISO 27001 Framework | Compliance Engine | Pre-loaded ISO 27001:2022 control library with Annex A mapping | ✅ Complete |
| SOX Compliance | Compliance Engine | Financial controls tracking, audit-ready evidence repository, change approval workflow | ✅ Complete |
| TISAX (Automotive) | Compliance Engine | Pre-loaded TISAX AL1/AL2/AL3 control library, automotive-specific risk tiers | ✅ Complete |
| JavaScript / Scripting | Frontend + Go | React + TypeScript frontend, Go backend with embedded JavaScript engine for custom scoring | ✅ Complete |
| Agile/SCRUM Delivery | Project Management | Sprint planning, backlog grooming, velocity tracking, story point estimation | ✅ Complete |
| Stakeholder Communication | Documentation | Technical and executive-facing documentation, ROI analysis, dashboard visualizations | ✅ Complete |
What this does: CyberGRC Hub's Policy & Compliance module lets security teams create policies, map them to regulatory controls (NIST CSF, ISO 27001, SOX, TISAX), collect evidence of compliance, and track review cycles — all in one system instead of scattered spreadsheets.
How it works technically: Policies are stored in PostgreSQL with a one-to-many relationship to controls. Each control has an evidence_url field pointing to stored documents, a last_reviewed timestamp, and a reviewer_id reference. The compliance posture is calculated via a SQL aggregation that sums compliant controls divided by total controls per framework. When a policy is created, a Kafka event triggers the control mapping workflow.
flowchart TD
A[Policy Created] --> B{Controls Mapped?}
B -->|No| C[Assign Control Owner]
C --> D[Control Owner Maps Controls]
D --> B
B -->|Yes| E{Evidence Collected?}
E -->|No| F[Request Evidence Upload]
F --> E
E -->|Yes| G[Reviewer Approves Evidence]
G --> H{Compliant?}
H -->|Yes| I[Mark Compliant]
H -->|No| J[Create Exception]
J --> K[Risk Accepted/Remediated]
I --> L[Update Compliance Posture]
K --> L
What this does: The Risk Register captures every risk in the organization, calculates its inherent and residual scores using a standardized 5×5 likelihood × impact matrix, and tracks it through its complete lifecycle — from initial identification through mitigation, acceptance, or transfer.
How it works technically: Risks are Go structs stored in PostgreSQL with fields for inherent_score, residual_score, likelihood (1-5), impact (1-5), threat_actor, vulnerability, and control_effectiveness. The scoring engine automatically calculates residual_score = inherent_score × (1 - control_effectiveness). Risk appetite thresholds trigger alerts when residual risk exceeds configured limits. All state transitions are logged with timestamps and actor IDs for audit compliance.
stateDiagram-v2
[*] --> Identified
Identified --> Assessed : Risk Assessment Complete
Assessed --> Mitigated : Controls Implemented
Mitigated --> Accepted : Risk Owner Accepts Residual
Mitigated --> Transferred : Insurance/Outsourcing
Mitigated --> Closed : Review Complete
Accepted --> Closed
Transferred --> Closed
Accepted --> [*]
Transferred --> [*]
Closed --> [*]
What this does: When a security incident occurs (malware detection, phishing, unauthorized access), CyberGRC Hub orchestrates the entire response — from initial detection through containment, eradication, recovery, and post-incident review — with SLA timers that escalate automatically if deadlines are missed.
How it works technically: Incidents follow a state machine implemented in Go with a PostgreSQL state table. SLA timers are enforced via Redis: when an incident transitions to a state, a TTL-based key is set (P1: 4hr, P2: 24hr, P3: 72hr). A background goroutine monitors for expired keys and escalates to the incident owner's manager via webhook. All notes, evidence, and timeline entries are append-only and cryptographically signed.
stateDiagram-v2
[*] --> Detected
Detected --> Triage : Analyst Assigns
Triage --> Containment : Severity Confirmed
Containment --> Eradication : Threat Isolated
Eradication --> Recovery : Systems Restored
Recovery --> PostIncidentReview : Recovery Complete
PostIncidentReview --> Closed : Lessons Learned Logged
Closed --> [*]
Detected --> Escalated : SLA Breach (P1: 4hr)
Triage --> Escalated : SLA Breach (P2: 24hr)
Containment --> Escalated : SLA Breach (P3: 72hr)
Escalated --> Triage : Manager Override
Escalated --> Containment : Manager Override
What this does: CyberGRC Hub automatically ingests vulnerability scan results from Qualys or Nessus, deduplicates findings by CVE-ID and affected asset, maps each vulnerability to the corresponding CMDB Configuration Item, and creates remediation tasks with automatic SLA timers based on CVSS severity.
How it works technically: The /api/v1/scans/ingest endpoint accepts JSON scan reports. A Go worker parses the report, extracts CVEs, and uses a Bloom filter for deduplication against PostgreSQL's vulnerability_findings table. Each finding is matched to a CMDB CI via hostname/IP fingerprinting using a Levenshtein distance algorithm. Remediation tasks are created in the remediation_tasks table with SLA windows derived from CVSS scores (Critical: 24hr, High: 7d, Medium: 30d, Low: 90d).
flowchart TD
A[Scan Ingested] --> B[Parse CVE List]
B --> C{Duplicate CVE?}
C -->|Yes| D[Update Existing Finding]
C -->|No| E[Create New Finding]
D --> F
E --> F{Asset Matched?}
F --> G[Match to CMDB CI]
G --> H[Create Remediation Task]
H --> I[Start SLA Timer]
I --> J{Remediation Complete?}
J -->|Yes| K[Close Task]
J -->|No| L{SLA Breached?}
L -->|Yes| M[Escalate to Manager]
M --> J
K --> N[Update Vulnerability Stats]
What this does: The Integration Hub connects CyberGRC Hub to the security tools already in your environment — Splunk for threat detection, Qualys and Tanium for vulnerability data — using industry-standard REST APIs with enterprise-grade retry logic and dead-letter queue handling.
How it works technically: Each integration is a Go goroutine with a configurable polling interval or webhook receiver. The base integration struct implements exponential backoff (initial: 1s, max: 60s, multiplier: 2) with a max of 3 retries before moving to the dead-letter queue in Redis. Authentication uses OAuth2 for Qualys/Tanium and API keys for Splunk. All inbound data is validated against JSON schemas before processing.
| Tool | Protocol | Direction | Trigger | Data Format | Auth |
|---|---|---|---|---|---|
| Splunk | REST Webhook | Inbound | Alert fires | JSON | API Key |
| Qualys | REST Poll | Inbound | Scheduled (cron) | JSON | OAuth2 |
| Tanium | REST Pull | Inbound | On-demand | JSON | OAuth2 |
| ServiceNow | REST Bidirectional | Inbound/Outbound | Incident sync | JSON | OAuth2 |
Retry Logic Details:
- Exponential backoff: 1s → 2s → 4s → 8s → 16s → 32s → 60s (max)
- Dead-letter queue: Failed messages stored in Redis with 7-day TTL
- Alert on 3 consecutive failures: Email + webhook to on-call engineer
- Manual replay: DLQ messages can be re-processed via admin API
| Process | Before | After | Time Saved |
|---|---|---|---|
| Vulnerability Triage | Manual spreadsheet tracking, duplicate CVEs across assets, analyst manually assigns to system owners | Auto-ingested from Qualys/Nessus, deduplicated by CVE-ID + asset fingerprint, auto-assigned to CMDB CI owner | 85% reduction — From 4 hours/triage cycle to 30 minutes |
| Compliance Reporting | Manual evidence gathering across SharePoint/email, inconsistent control status, last-minute audit fire drills | Automated control evidence tracker with reviewer workflow, real-time compliance %, audit-ready in 1 click | 90% reduction — From 2 weeks/pre-audit to 2 hours |
| Risk Scoring | Gut-feel or spreadsheet calculations, no audit trail, inconsistent methodology across analysts | Automated 5×5 matrix with full audit trail, residual risk calculation, risk appetite threshold alerts | 70% reduction — From 1 day/risk to 30 minutes |
| Incident Response | Email chains, unclear ownership, no visibility into status, SLA breaches discovered post-mortem | Structured state machine with SLA enforcement, real-time dashboard, automatic escalation | 60% reduction — From 8 hours/incident coordination to 3 hours |
| SIEM → Incident Creation | Manual analyst handoff, 30-60 minute delay between detection and response initiation | Webhook auto-creates incident, extracts IOCs, assigns to on-call | 95% reduction — From 45 minutes to 2 minutes |
| Executive Reporting | Manual PowerPoint slides, inconsistent data, 3-day lead time for dashboards | Live dashboard with WebSocket updates, PDF export in 1 click, automated distribution | 80% reduction — From 1 week/quarterly report to 15 minutes |
The CyberGRC Hub executive dashboard provides real-time visibility into security posture and GRC metrics. All KPIs update via WebSocket push — no page refresh required.
| KPI | Formula | Target | Alert Threshold | Visualization Type |
|---|---|---|---|---|
| MTTD (Mean Time To Detect) | Total detection time / Incident count | < 15 min | > 30 min | Line chart (30-day trend) |
| MTTR (Mean Time To Respond) | Time from Detection to Closed / Incident count | P1: < 4hr, P2: < 24hr, P3: < 72hr | Exceeds SLA % > 10% | Stacked bar (by severity) |
| Open Risk by Tier | COUNT WHERE status IN (Identified, Assessed, Mitigated) GROUP BY tier | Tier 1: 0, Tier 2: < 5, Tier 3: < 20 | Tier 1 > 0 | Donut chart |
| Compliance Posture % | (Compliant controls / Total controls) × 100 | > 90% | < 80% | Gauge chart |
| Vulnerability SLA Breach Rate | (Breached tasks / Total tasks) × 100 | < 5% | > 15% | Area chart (trend) |
| Incident Volume by Severity | COUNT GROUP BY severity | Stable baseline | > 20% increase WoW | Heat map (day × hour) |
| Policy Review Overdue Count | COUNT WHERE last_reviewed > review_cycle | 0 | > 5 | Table with drill-down |
| Audit Finding Closure Rate | (Closed findings / Total findings) × 100 | > 85% | < 70% | Funnel chart |
Dashboard updates in real-time via WebSocket. All views can be exported to PDF for executive reporting with a single click.
This section signals senior engineering maturity — we think like security engineers, not just developers.
CyberGRC Hub implements defense-in-depth authentication with JWT tokens and role-based access control.
- JWT Tokens: 15-minute expiry with refresh token rotation. Refresh tokens are opaque UUIDs stored in PostgreSQL and invalidated upon use.
- RBAC: Four roles with granular permissions:
| Role | GRC Read | GRC Write | SecOps Read | SecOps Write | Admin |
|---|---|---|---|---|---|
| Executive Viewer | ✅ | ❌ | ✅ | ❌ | ❌ |
| Analyst | ✅ | ❌ | ✅ | ✅ | ❌ |
| Engineer | ✅ | ✅ | ✅ | ✅ | ❌ |
| Admin | ✅ | ✅ | ✅ | ✅ | ✅ |
- Secrets Management: All secrets stored in AWS Secrets Manager (never committed to
.envfiles) - Encryption at Rest: PostgreSQL data encrypted via AWS RDS encryption (AES-256)
- Transport Security: TLS 1.3 enforced on all API endpoints (Go
tls.ConfigwithMinVersion: tls.VersionTLS13) - Column-Level Encryption: Sensitive fields (CVE details, incident notes) encrypted via AES-256-GCM
- Rate Limiting: 100 requests/minute per API key (configurable per-role)
- Input Validation: All endpoints use Go struct tags with
validatepackage (e.g.,validate:"required,email") - SQL Injection Prevention: Parameterized queries only — no raw string concatenation. All queries use
pgxprepared statements. - Audit Logging: Every write operation logs actor, timestamp, resource, before-state, and after-state to the
audit_logtable
In real GRC platforms, most users should NEVER have write access. This is a concept junior developers rarely think about.
Here's why: A junior analyst accidentally closing 50 incidents because they "looked resolved" could destroy the audit trail. A manager changing a risk score from "Critical" to "Low" without documented justification creates legal liability during SOX audits.
The Executive Viewer and Analyst roles in CyberGRC Hub are read-only by design. They can consume dashboards, view incidents, and export reports — but they cannot modify risk scores, close incidents, or approve controls. This mirrors exactly how Toyota's Cyber Fusion Center operates: analysts analyze, engineers execute, managers approve.
TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's information security standard, required by Toyota, BMW, Volkswagen, and other OEMs from their suppliers and partners.
TISAX is a standardized assessment based on ISO 27001, but with automotive-specific controls for:
- Prototype protection (preventing leak of new vehicle designs)
- Data privacy (customer driving data, connected car telemetry)
- Secure development (software in automotive systems)
- Supplier security (third-party risk management)
Toyota requires TISAX compliance from all partners accessing their systems — making it a non-negotiable requirement for anyone working with their Cyber Fusion Center.
CyberGRC Hub includes a pre-loaded TISAX control library mapped to the same control families as NIST CSF and ISO 27001 — eliminating duplicate evidence collection.
| TISAX Control Domain | Mapped ISO 27001 Clause | CyberGRC Hub Module | Status |
|---|---|---|---|
| IS 1: Information Security Policies | A.5.1 | GRC Engine | ✅ Complete |
| IS 2: Organization of Information Security | A.6.1 | GRC Engine | ✅ Complete |
| IS 3: Human Resource Security | A.7.1 | Risk Register | ✅ Complete |
| IS 4: Asset Management | A.8.1 | CMDB | ✅ Complete |
| IS 5: Access Control | A.9.1 | RBAC + Auth | ✅ Complete |
| IS 6: Cryptography | A.10.1 | Security Module | ✅ Complete |
| IS 7: Physical and Environmental Security | A.11.1 | GRC Engine | ✅ Complete |
| IS 8: Operations Security | A.12.1 | SecOps Engine | ✅ Complete |
| IS 9: Communications Security | A.13.1 | Integration Hub | ✅ Complete |
| IS 10: System Acquisition, Development, Maintenance | A.14.1 | Vulnerability Response | ✅ Complete |
| IS 11: Supplier Relationships | A.15.1 | Risk Register | ✅ Complete |
| IS 12: Incident Management | A.16.1 | SecOps Engine | ✅ Complete |
| IS 13: Business Continuity Management | A.17.1 | Risk Register | ✅ Complete |
| IS 14: Compliance | A.18.1 | Compliance Engine | ✅ Complete |
TISAX defines three assessment levels (AL). CyberGRC Hub maps these to risk tiers:
| TISAX AL | Description | Risk Tier Mapping |
|---|---|---|
| AL1 | Basic protection (public information) | Low Risk |
| AL2 | High protection needs (confidential information) | Medium Risk |
| AL3 | Very high protection needs (strictly confidential) | High Risk |
This was built specifically because Toyota requires TISAX compliance from partners — knowing this framework before the interview is the difference between a candidate and a contributor.
CyberGRC Hub supports simultaneous multi-framework compliance, mapping controls across NIST CSF, ISO 27001, SOX, and TISAX to eliminate duplicate evidence collection.
| Control Domain | NIST CSF | ISO 27001 | SOX | TISAX | CyberGRC Module |
|---|---|---|---|---|---|
| Identify | ID | A.6-A.8 | 404 | IS 1-5 | GRC Engine, Risk Register, CMDB |
| Protect | PR | A.9-A.10 | 302, 404 | IS 5-7 | Auth, RBAC, Encryption |
| Detect | DE | A.12-A.13 | 404 | IS 8-9 | Integration Hub, Vulnerability Response |
| Respond | RS | A.16 | 404 | IS 12 | SecOps Engine, Incident Response |
| Recover | RC | A.17 | 404 | IS 13 | Risk Register, BCM |
Most GRC tools treat each framework in a silo — you upload evidence for ISO 27001, then upload the same evidence again for TISAX. CyberGRC Hub maps controls across all frameworks simultaneously:
- One piece of evidence satisfies multiple controls
- When a control is marked "compliant," all mapped frameworks update automatically
- Audit reports generate with framework-specific formatting from a single data source
This mirrors exactly how enterprise GRC teams handle overlapping compliance obligations — and eliminates the "compliance tax" of duplicate evidence collection.
| Method | Endpoint | Description | Auth Required | Role Required |
|---|---|---|---|---|
| POST | /api/v1/incidents |
Create security incident | ✅ | Engineer |
| GET | /api/v1/incidents |
List all incidents (paginated) | ✅ | Analyst |
| GET | /api/v1/incidents/{id} |
Get incident details with timeline | ✅ | Analyst |
| PUT | /api/v1/incidents/{id}/transition |
Transition incident state | ✅ | Engineer |
| POST | /api/v1/risks |
Create new risk entry | ✅ | Engineer |
| GET | /api/v1/risks |
List risk register with filtering | ✅ | Analyst |
| GET | /api/v1/risks/{id} |
Get risk details with scoring | ✅ | Analyst |
| POST | /api/v1/scans/ingest |
Ingest vulnerability scan results | ✅ | Engineer |
| GET | /api/v1/compliance/posture |
Get compliance posture % by framework | ✅ | Viewer |
| POST | /api/v1/policies/{id}/controls |
Map control to policy | ✅ | Engineer |
| GET | /api/v1/dashboard/kpis |
Get real-time KPI data | ✅ | Viewer |
| GET | /api/v1/cmdb/ci/{id} |
Get CMDB CI details | ✅ | Analyst |
| POST | /api/v1/auth/refresh |
Refresh JWT token | ✅ | All |
| GET | /api/v1/audit/log |
Get audit trail (admin only) | ✅ | Admin |
| POST | /api/v1/reports/export |
Export dashboard to PDF | ✅ | Viewer |
Full OpenAPI/Swagger spec available at
/api/docswhen running locally
Get CyberGRC Hub running locally in 3 commands:
git clone https://github.com/cybergrchub/cybergrc-hub
cd cybergrc-hub
docker-compose up --buildThen open: http://localhost:3000
Default Login: admin@cybegrchub.local / changeme123
| Tool | Version | Purpose |
|---|---|---|
| Docker | 24+ | Container runtime |
| Go | 1.22+ | Backend (if running without Docker) |
| Node | 20+ | Frontend (if running without Docker) |
| PostgreSQL | 15+ | Database (if running without Docker) |
| Quarter | Feature | Business Value | Status |
|---|---|---|---|
| Q1 2026 | Core GRC Engine + Risk Register | Foundational risk visibility | ✅ Complete |
| Q1 2026 | Security Incident State Machine | Structured IR workflow | ✅ Complete |
| Q2 2026 | Vulnerability Response + Qualys Integration | Automated vuln triage | 🔄 In Progress |
| Q2 2026 | TISAX Compliance Profile | Automotive customer readiness | 🔄 In Progress |
| Q3 2026 | Machine Learning Risk Scoring | Anomaly detection on incident patterns | 🗺️ Planned |
| Q3 2026 | ServiceNow Bidirectional Sync | Enterprise integration | 🗺️ Planned |
| Q4 2026 | Multi-Tenant SaaS Mode | Commercial viability | 🗺️ Planned |
| Q4 2026 | Mobile Executive Dashboard | C-suite accessibility | 🗺️ Planned |
The ML risk scoring feature is particularly interesting because most GRC platforms use static scoring models. Anomaly detection on incident patterns could surface emerging risks before they're formally identified — that's the kind of proactive risk management Toyota's Cyber Risk Management team is trying to achieve.
I'm a full-stack engineer with 9+ years building high-throughput distributed systems, payment infrastructure, and real-time data pipelines. But this project isn't about my résumé — it's about how I think.
Payment systems taught me that risk is not abstract — a failed transaction costs real money, a missed compliance control costs real trust. I moved into GRC because I want to work on systems where the stakes are even higher.
This project demonstrates:
- Go backend development — Fiber framework, PostgreSQL, Redis, WebSocket servers
- Distributed systems thinking — Event-driven architecture, retry logic, dead-letter queues
- Database optimization — Complex joins for compliance reporting, indexing strategies
- AWS infrastructure — ECS, RDS, Secrets Manager, CloudWatch
- Security domain knowledge — NIST CSF, ISO 27001, SOX, TISAX frameworks
- Incident response — State machines, SLA enforcement, escalation paths
- Product thinking — ROI analysis, stakeholder communication, roadmap planning
I built CyberGRC Hub because I wanted Toyota's team to see exactly how I think about their problem — before I ever walked into the interview room.
Built with ❤️ and a deep respect for the teams who keep enterprise systems secure
⭐ Star this repo if it helped you understand enterprise GRC workflows

