
You Can't Prove Your Security Program Exists. Here's How to Fix That This Month.

11 May 2026 Compliance & Audit 11 min read
The security program gap: five problems, one application

Today (most 20–200 person companies):
  • Questionnaires: 2 weeks per response, rewritten each time
  • Vendors: a spreadsheet of names, no risk tiers
  • Policies: a shared drive nobody opens
  • Gaps: unknown until an auditor finds them
  • Posture: "we take security seriously" (no evidence)
Deals stall. Audits flag. Boards ask questions you can't answer with data.

30 days from now (with Ridgeguard):
  • Questionnaires: same-day, 60–80% auto-matched
  • Vendors: register with risk tiers and AI summaries
  • Policies: lifecycle-tracked with evidence linking
  • Gaps: measured, scored, remediation plan generated
  • Posture: Trust Center published, prospects self-serve

$299/year · Desktop app · Data stays local · 30-day free trial · No credit card

Your security program exists. It's in your head, in informal conversations, in ad-hoc decisions your team makes every day. The problem isn't that you don't do security — it's that you can't prove it when someone asks.

And people keep asking.

A prospect sends a 200-question security questionnaire. A customer wants evidence of your vendor management process. Your insurer asks for documented policies. Your board wants to know where the gaps are. An auditor needs a control mapping to ISO 27001.

Every one of these requests is the same question in different clothes: can you demonstrate that your security program is real?

For 20–200 person companies, the answer is usually "give me two weeks." Sometimes it's "we're working on it." Occasionally it's the truth: "we don't have that documented."

The deals that stall because of slow questionnaire responses. The audit findings that could have been avoided. The insurance premiums that are higher than they need to be. The board meetings where the CISO says "I feel confident" instead of showing data. This is the cost of an undocumented security program — and it compounds every quarter.

The five problems

After building security documentation and tools for organizations across six industries, we kept seeing the same five gaps. Not occasionally — in almost every engagement.

1. Questionnaire response is a recurring crisis. The same 80% of questions come up every time — encryption, access control, incident response, vendor management — and your team rewrites the answers from scratch for each new questionnaire. A senior engineer gets pulled off project work. The prospect waits. The deal stalls. Your competitor, who has their answers organized, sends theirs back in a day.

2. Vendor risk management is a spreadsheet of names. Your auditor or customer asks "how do you assess your vendors?" and you show them a list. No risk tiers. No assessment history. No certification tracking. No evidence that you've evaluated whether your critical suppliers are secure. The auditor writes a finding. The customer raises it in the next review.

3. Policies exist but nobody governs them. Your Information Security Policy is in a shared drive. It was last updated in 2023. Nobody acknowledged it. There's no review cycle, no evidence linking, no version history. When the auditor asks for your policy register, you scramble to assemble one from scattered documents — and half of them are out of date.

4. Gap assessment happens when someone forces it. You don't know where your program is strong and where it's exposed — not because you don't care, but because you haven't measured. When the board asks "how secure are we?", you give a qualitative answer because you don't have a quantitative one. The first time you discover your gaps is during an audit, when the cost of fixing them is highest.

5. Security posture is invisible to prospects. Every new customer relationship starts with the same email: "Can you tell us about your security program?" You answer individually, every time, by email. There's no public page a prospect can check before deciding whether to send a full questionnaire. Companies with published Trust Centers receive shorter, less invasive assessments — some prospects skip the questionnaire entirely.

What we built to solve them

Today we're launching Ridgeguard — a desktop application that puts all five in one place.

Not a questionnaire tool with extras bolted on. Not a lightweight GRC platform. A security posture management application purpose-built for the 20–200 person company that needs to prove its program exists without spending $30,000/year on a SaaS platform or $50,000 on a consultant.

Here's what it does, and more importantly, what changes for your organization when you use it.

Questionnaire response: same-day instead of same-month

Import an XLSX or DOCX questionnaire. A TF-IDF matching engine with synonym expansion (MFA, SSO, SIEM, WAF, EDR all expand automatically) auto-fills 60–80% from 790 pre-written answers across 25 security categories. Each answer has three maturity tiers — Early Stage, Established, and Mature — so you match the response to where your program actually is, not where you wish it was.

For the questions the engine can't match, AI generates tailored answers using your company profile — your industry, framework alignment, cloud providers, and technology stack. Pause, resume, or cancel at any time.

Export in the original format. The prospect gets their spreadsheet back with your answers filled in. The deal doesn't stall.
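To make the matching step concrete, here is an added example (not Ridgeguard's code): a small TF-IDF matcher with acronym expansion over a constructed three-answer bank. SYNONYMS and ANSWER_BANK are assumed stand-ins for the product's synonym list and 790-answer library; a question that scores below the similarity threshold returns None, which is the hand-off point to the AI fallback described above.

```python
import math
import re
from collections import Counter

# Constructed acronym map (assumed, not Ridgeguard's): "MFA" and
# "multi-factor authentication" must land on the same answer.
SYNONYMS = {
    "mfa": ["multi", "factor", "authentication"],
    "siem": ["security", "information", "event", "management"],
    "waf": ["web", "application", "firewall"],
}
# Constructed answer bank: (category, canonical question, pre-written answer).
ANSWER_BANK = [
    ("Access Control", "Is multi-factor authentication enforced for all users?",
     "MFA is required for all staff and administrative accounts."),
    ("Logging", "Do you centralise logs in a security information and event management system?",
     "Logs are forwarded to a central SIEM and retained for 12 months."),
    ("Network Security", "Is a web application firewall deployed in front of public apps?",
     "A WAF fronts every internet-facing application."),
]

def tokenize(text):
    """Lowercase, split on non-alphanumerics, expand known acronyms in place."""
    tokens = []
    for word in re.findall(r"[a-z0-9]+", text.lower()):
        tokens.extend(SYNONYMS.get(word, [word]))
    return tokens

def build_index(bank):
    """Smoothed IDF over the bank plus one TF-IDF vector per canonical question."""
    docs = [tokenize(question) for _, question, _ in bank]
    df = Counter(term for doc in docs for term in set(doc))
    idf = {t: math.log((1 + len(docs)) / (1 + df[t])) + 1 for t in df}
    vectors = [{t: c * idf[t] for t, c in Counter(doc).items()} for doc in docs]
    return idf, vectors

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0

def match_question(question, bank=ANSWER_BANK, threshold=0.3):
    """Best (category, answer, score) for an incoming question, or None below threshold."""
    idf, vectors = build_index(bank)
    qvec = {t: c * idf.get(t, 1.0) for t, c in Counter(tokenize(question)).items()}
    score, idx = max((cosine(qvec, v), i) for i, v in enumerate(vectors))
    if score < threshold:
        return None  # unmatched: route to a human or the AI fallback the post describes
    return bank[idx][0], bank[idx][2], round(score, 3)
```

The threshold is the knob that trades auto-fill coverage against wrong answers; reviewing the scores on a real questionnaire is how you pick it.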

Vendor risk register: the one auditors take seriously

Every vendor has a risk tier (Critical, High, Medium, Low), assessment history, certification tracking, contract dates, and risk event logging. 22 assessment templates covering 505 questions across different vendor categories. Send assessments, score responses, and generate board-ready AI risk summaries with strengths, risks, and recommended actions.

When the auditor asks "how do you manage third-party risk?", you open the register. Not a spreadsheet. Not an email thread. A register with evidence.

Policy governance: lifecycle, evidence, acknowledgements

15 built-in templates from Information Security Policy to Vulnerability Management. Full lifecycle tracking: Draft → In Review → Approved → Expired → Retired. Evidence linking from gap assessments, vendor assessments, audits, and training records. Staff acknowledgement tracking. Review cycle management with due-date alerts on the dashboard.

Approved policies automatically appear in your Trust Center. Your public posture always reflects your current policy set.

Gap assessment: a number, not a feeling

Standard (40 questions) or Comprehensive (80 questions) across 11 categories. Colour-coded risk bands: 80%+ Low Risk, 60–79% Medium, 40–59% High, below 40% Critical. AI generates prioritized remediation plans sorted by effort and impact — quick wins this week, projects this quarter, strategic initiatives this year.

When the board asks, you answer with a percentage and a plan. Not a promise.

Trust Center: prove your posture before anyone asks

Six industry presets (SaaS, Financial Services, Healthcare, Government, Professional Services, General). Pick your frameworks, domains, policies, and common questions. Export standalone HTML with no external dependencies. Host it at trust.yourcompany.com.

Prospects check your posture before they send a questionnaire. Some skip the questionnaire entirely. That's the highest-leverage security investment a small company can make.

Your data stays yours

Ridgeguard is a desktop application. Not SaaS. Not cloud-hosted.

Your security posture data — every questionnaire answer, every vendor assessment, every policy, every gap analysis result — stays in an encrypted database on your machine. Nothing is sent to Ridgeline servers. If you use the optional AI features, calls go directly from your machine to your chosen provider using your own API key. Ridgeline is never in the middle.

No telemetry. No analytics. No phone-home. The irony of uploading your security posture to a SaaS platform you haven't assessed shouldn't need explaining.

What it costs — and what it costs to not have it

Ridgeguard Professional is $299/year. Every new install gets a 30-day free trial with full Professional features. No credit card. No Ridgeline account.

For context: a single questionnaire response done manually costs 40–80 hours of staff time per quarter. A questionnaire automation SaaS charges $3,000–$12,000/year for questionnaire response alone — no vendor register, no policy governance, no gap assessment. A GRC platform charges $15,000–$50,000/year and stores your data on their cloud.

The 30-day trial is enough time to answer questionnaires, assess vendors, set up policies, run a gap assessment, and publish a Trust Center. If the tool earns its keep in those 30 days, the $299/year is the simplest purchase decision you'll make all year.

If Ridgeguard reveals that the underlying documentation doesn't exist — you don't have formal policies, a risk register, or an incident response plan — the questionnaire answers have nothing to reference. The Security Program Foundation ($497) gives you the 35 core documents. The Information Security Policy Suite ($1,497) gives you 100. Not sure where to start? The free assessment tools score your readiness in 20 minutes. Or if you need them customized to your organization, the customization service delivers in 7–10 business days.

What to do this week

  • Download Ridgeguard — install, create your account, fill in your Company Profile. Ten minutes.
  • Import the questionnaire that's sitting in your inbox right now. See how much of it fills automatically.
  • Run the Gap Assessment — 40 questions (standard) takes 20 minutes. You'll know where you stand by lunch.
  • Add your top 5 vendors to the register. Assign risk tiers. Send one assessment.
  • Build your Trust Center — pick an industry preset, select your frameworks, export the HTML. Publish it.

By Friday, your security program will be documented, evidenced, and ready to prove.

Next week: How to build a Trust Center that actually reduces the number of questionnaires you receive — and what to put in each section.

Ridgeline Cyber Defence Written by security practitioners. Published weekly on Tuesdays.
