Inspiration
Vendor breaches are usually discovered only after the official disclosure — by then, attackers and regulators already have a head start. We wanted to flip that: surface early public-web warning signs before they harden into headlines, while never asking companies to trust us with their sensitive report data.
What it does
VendorGuard AI investigates a vendor in real time and produces a risk report without ever storing plaintext on our servers.
- Runs a live, streamed investigation pipeline per vendor.
- Uses Claude to reason over evidence and generate a structured analysis.
- Scores risk across five dimensions, combined into a single composite score:
  $R_{total} = w_1 R_{sec} + w_2 R_{comp} + w_3 R_{exp} + w_4 R_{ops} + w_5 R_{rep}$
- Attaches an evidence confidence score $C \in [0,1]$ to every signal.
- Plots a Breach Horizon timeline estimating proximity to a public incident.
- Encrypts every report client-side with AES-GCM and stores it locally in an encrypted vault ("The Loom Vault") — the backend stays stateless.
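The client-side encryption step described above, as an added example (not VendorGuard AI's own code): it seals a report with AES-GCM through the Web Crypto API and shows that a wrong passphrase, or a record refiled under another vendor, fails authentication. PBKDF2-SHA-256 as the key derivation, the passphrase input, the vendor ID bound as additional authenticated data, and all function names are assumptions.

```javascript
// Added example: passphrase-based sealing of a report with Web Crypto (AES-256-GCM).
// PBKDF2-SHA-256 and every name below are assumptions, not VendorGuard AI's code.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // Node fallback
const enc = new TextEncoder();
const PBKDF2_ITERATIONS = 600000; // assumed work factor

// Derive a non-extractable AES-256-GCM key from a passphrase and per-report salt.
async function deriveKey(passphrase, salt) {
  const material = await webCrypto.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return webCrypto.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt a report object. vendorId is bound as additional authenticated data,
// so a ciphertext filed under another vendor fails to decrypt.
async function sealReport(passphrase, vendorId, report) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16));
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV per report
  const key = await deriveKey(passphrase, salt);
  const ciphertext = new Uint8Array(await webCrypto.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(vendorId) },
    key, enc.encode(JSON.stringify(report))));
  // This record is all that would be written to the local vault (e.g. IndexedDB).
  return { vendorId, salt, iv, ciphertext };
}

// Decrypt a vault record; rejects on a wrong passphrase or any modified field.
async function openReport(passphrase, record) {
  const key = await deriveKey(passphrase, record.salt);
  const plaintext = await webCrypto.subtle.decrypt(
    { name: "AES-GCM", iv: record.iv, additionalData: enc.encode(record.vendorId) },
    key, record.ciphertext);
  return JSON.parse(new TextDecoder().decode(plaintext));
}

// Constructed sample report: one round trip and two failure cases.
async function demo() {
  const report = { vendor: "example-vendor", composite: 0.62, confidence: 0.8 };
  const record = await sealReport("correct horse battery staple", "example-vendor", report);
  const opened = await openReport("correct horse battery staple", record);
  const wrongPass = await openReport("wrong passphrase", record).then(() => "ok", () => "rejected");
  const moved = await openReport("correct horse battery staple",
    { ...record, vendorId: "other-vendor" }).then(() => "ok", () => "rejected");
  return { opened, wrongPass, moved, storedBytes: record.ciphertext.length };
}
```

The salt and IV are not secret and are stored beside the ciphertext; only the passphrase stays with the user.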
How we built it
Built on Next.js (App Router), React, and TypeScript, with Tailwind for styling, Framer Motion for motion, and Recharts for the risk dashboards. Investigations stream over Server-Sent Events through dedicated start/stream API routes, an analysis route hands evidence to Claude, and a report route compiles the final output. On the privacy side, encryption and key handling happen entirely in the browser via the Web Crypto API and IndexedDB — by design, there is no backend database, so sensitive report content is never persisted server-side.
Challenges we ran into
- Separating genuine early-warning signal from generic noise, and assigning a believable confidence score $C$.
- Coordinating multi-stage streamed agent progress without losing UI responsiveness.
- Doing real client-side cryptography without breaking the "live" feel of the product.
- Choosing browser-compatible key derivation and a clear, upgradeable fragmentation interface over full production-grade cryptographic hardening, given time constraints.
- Accepting in-memory request tracking (a deliberate tradeoff of statelessness) instead of a backend database.
Accomplishments that we're proud of
- A real, working end-to-end MVP — not a mockup — with a live investigation pipeline and a functioning encrypted vault.
- Treating zero-knowledge as an enforced architectural constraint, not a marketing claim.
- The Breach Horizon visualization, which turns abstract risk signals into one intuitive timeline.
- Shipping a complete product surface — landing, dashboard, investigation, vault, agents, settings, vendor detail — in hackathon time.
What we learned
- How to sequence an evidence-gathering stage and a reasoning stage so the output is trustworthy, not just confident-sounding.
- That committing to "the backend never sees plaintext" simplifies architecture decisions everywhere downstream.
- The practical gap between a cryptographic interface and a cryptographic guarantee — and the value of being explicit with users about which one is actually shipped.
What's next for VendorGuardAI
- Upgrade key derivation to full Argon2id and fragmentation to true Reed-Solomon erasure coding.
- Move investigation request tracking from in-memory to a durable, still zero-knowledge-compatible store.
- Expand risk-signal sources and add continuous (not just on-demand) vendor monitoring with alerting.
- Add team/org-level vaults so multiple stakeholders can review a report without ever sharing a decryption key with us.
- Build out a public vendor risk score history so trends, not just snapshots, are visible over time.
Built With
- claude-api-key
- indexed-db
- javascript
- node.js
- react
- tailwindcss
- typescript
- web-crypto-api