SOC 2 CC9.2 · Continuous monitoring · No agents required

Your vendors are your biggest compliance blind spot.

Gjall continuously monitors your third-party vendors for breaches, CVEs, and outages — and generates audit-ready evidence reports before your auditor asks.

See how it works

14-day free trial · No credit card required · Cancel anytime

Monitoring vendors like

  • Stripe
  • GitHub
  • Okta
  • Twilio
  • Cloudflare
  • PagerDuty
  • AWS
  • Salesforce
  • Zoom
  • Slack

Simple setup

Up and running in minutes.

Connect your tools, import your vendors, and start monitoring — no agents, no SDKs, no spreadsheets.

  1. Import your vendor inventory

    Connect Okta and your full SaaS inventory imports automatically. Or upload a CSV. Gjall auto-classifies each vendor by criticality using AI.

  2. We monitor everything, 24/7

    Status pages, NVD CVEs, CISA Known Exploited Vulnerabilities, breach feeds, HackerNews security incidents — six signal sources monitored continuously.

  3. Get alerted before your auditor does

    AI-prioritized alerts to Slack, Teams, email, or webhook — with plain-English context so you know exactly what to do and when.

  4. Prove it to auditors

    One-click SOC 2 CC9.2 evidence reports with full control mapping. Export on demand, share with your auditor, done.

Platform

Everything you need for third-party risk.

Built for compliance-driven startups who need real monitoring, not just a questionnaire tracker.

  • AI Triage

    Claude analyzes every alert against your vendor criticality and tells you: does this actually affect me, and what do I do about it?

  • Okta Vendor Import

    Connect Okta and your entire SaaS inventory syncs automatically — daily. No more manual vendor lists.

  • Six Signal Sources

    CVEs from NVD, CISA KEV, GitHub Advisories, breach detection via HIBP, status page monitoring, and HackerNews incident tracking — all in one feed.

  • SOC 2 Evidence Reports

    Audit-ready reports that map every alert to SOC 2 Trust Services Criteria and ISO 27001 controls. One click, ready to share.

  • EPSS Scoring

    Exploitation probability from FIRST, not just CVSS severity. Know which CVEs attackers are actually exploiting right now.

  • Team & SSO

    Invite your team, assign roles, and connect your identity provider — Okta, Google, or Microsoft. Built for teams from day one.

Compliance

Built for auditors, not just engineers.

Gjall maps every alert to the controls your auditor cares about — so evidence collection is automatic, not a fire drill.

SOC 2 Type II

  • CC9.2 — Vendor risk assessment
  • CC7.1 — Security monitoring
  • CC7.2 — Incident detection
  • CC7.3 — Incident response
  • A1.1 — System availability monitoring

ISO 27001

  • A.5.19 — Information security in supplier relationships
  • A.5.22 — Monitoring and review of supplier services
  • A.8.8 — Management of technical vulnerabilities
  • A.5.26 — Response to information security incidents

Most TPRM tools give you a questionnaire. Gjall gives you continuous monitoring evidence — the difference between checking a box and actually knowing your vendor risk.

Pricing

Simple pricing. Serious monitoring.

Every plan includes a 14-day free trial. No credit card required.

Starter

$49/month

For lean teams who need continuous vendor monitoring without the enterprise price tag.

  • CVE + status page monitoring
  • Slack + email alerts
  • Basic audit reports
  • Up to 15 vendors
  • 7-day alert history

Most popular

Pro

$149/month

For compliance-driven teams preparing for SOC 2 or ISO 27001. AI triage, audit reports, and full alert coverage included.

  • Everything in Starter
  • AI triage + EPSS scoring
  • Full SOC 2 + ISO 27001 evidence reports
  • Okta vendor import + daily sync
  • Linear integration
  • Risk scoring A–F
  • Up to 50 vendors
  • 90-day alert history

Enterprise

$499/month

For organizations with complex vendor portfolios, SSO requirements, and dedicated compliance programs.

  • Everything in Pro
  • Unlimited vendors
  • SSO (Okta, Google, Microsoft)
  • Custom webhook + signed requests
  • 1-year alert history
  • Dedicated support + SLA guarantee

Contact sales

Frequently asked questions

How does vendor import work?

Connect Okta and your full SaaS inventory imports automatically — matched against our registry of 75+ vendors with full CVE and breach monitoring. Don't use Okta? Upload a CSV or add vendors manually. Unmatched vendors get basic monitoring immediately, with full coverage added as we expand the registry.

What does Gjall actually monitor?

Six signal sources: NVD CVEs, CISA Known Exploited Vulnerabilities, GitHub Security Advisories, HaveIBeenPwned breach data, vendor status pages, and HackerNews security incidents. Alerts are AI-triaged so you only see what's relevant to your stack.

How does SOC 2 evidence work?

Gjall generates audit-ready reports that map every alert to SOC 2 Trust Services Criteria (CC9.2, CC7.1–CC7.3, A1.1) and ISO 27001 controls. Export on demand — no manual evidence collection, no spreadsheets.

Does Gjall store sensitive data?

Gjall stores your vendor list and the alerts generated for them. We never access your vendors' services on your behalf — we only monitor public feeds, status pages, and vulnerability databases. AI triage uses only vendor names and public CVE data — your company name and internal context are never sent to any AI provider.

How is this different from Vanta or Drata?

Vanta and Drata track whether you sent a vendor questionnaire. Gjall monitors whether your vendors actually have active vulnerabilities, breaches, or outages — continuously, not annually. They check the box. We watch the door.