Tools GRC

Melvin PETIT edited this page Jun 17, 2026 · 1 revision

Tools, GRC / Governance & Compliance

5 tools for risk management, multi-framework compliance (ISO 27001, NIS2, DORA, GDPR), system hardening and phishing simulation.

Deploy with ./medusa.sh deploy <name> or the interactive menu (option 2).

| Tool | Type | Role |
|---|---|---|
| eramba | docker | GRC, policies, risks, compliance |
| ciso-assistant | docker | Lightweight multi-framework GRC |
| simplerisk | docker | Risk management, registers and scoring |
| openscap | cli | Compliance evaluation and hardening |
| gophish | docker | Phishing simulation and awareness |

eramba

Full GRC platform: policies, risk registers, compliance.

  • URL: https://localhost:8443 — user admin@eramba.org, password admin (change it immediately)
  • Upstream: eramba/docker

ciso-assistant

Lightweight GRC covering NIS2, DORA, ISO 27001 and other frameworks.

simplerisk

Risk management with registers and scoring. Image pinned to simplerisk/simplerisk:20260519-001.

  • URL: https://localhost:8445 — admin account is created during the initial web setup wizard
  • The database password is randomly generated and saved to credentials.txt

openscap

CLI tool for SCAP-based compliance evaluation and system hardening.

  • Command: oscap (the binary name differs from the tool name)
  • A guided sub-menu (run_openscap) helps pick a profile from the installed datastream and run an evaluation.

gophish

Phishing simulation and security-awareness campaigns. Image pinned to gophish/gophish:0.12.1.

  • Admin UI: https://localhost:3333 — user admin, initial password generated and saved to credentials.txt
  • Phishing landing server: http://localhost:8083

Generated credentials live in credentials.txt (chmod 600). Upstream defaults (eramba admin) must be rotated. See Security.

Next: Tools-Integration · Ports-Reference