# Executive Product Overview
## What ThreatWeaver Is
ThreatWeaver is an Enterprise Exposure Management Platform: a single system that gives security teams and executives a unified view of every vulnerability, security gap, and exploitable weakness across an organization's infrastructure, applications, cloud environments, and identity systems. It combines the capability that most organizations currently purchase from three to five separate vendors (a vulnerability management platform, an application security testing tool, a cloud security posture management product, and an AI remediation layer) into one integrated platform with a shared data model, unified risk scoring, and centralized workflows.
The one-sentence version a CISO can use with their board: "ThreatWeaver tells us what we are exposed to, which exposures actually matter, and what we need to do to fix them, across everything."
## The Problem ThreatWeaver Solves
### The Exposure Management Gap
Organizations have more security tools than ever and more visibility into their environment than ever. Most enterprises running mature security programs know they have thousands of vulnerabilities. What they do not know, and what no single tool has historically been able to tell them, is:
- Which vulnerabilities actually matter in the context of their specific environment, asset criticality, and business risk
- Where they are most exposed when all exposure signals (infrastructure vulnerabilities, application weaknesses, cloud misconfigurations, identity gaps) are viewed together
- How to fix the right things first when engineering bandwidth is limited and every team has competing priorities
The result of this gap is not ignorance; it is paralysis. Security teams produce reports that no one can act on because everything appears critical. Engineering teams close tickets for low-impact findings while genuinely exploitable issues sit in the backlog for months. Executives are presented with scorecards that go up and down without a clear narrative connecting the numbers to business risk.
ThreatWeaver closes this gap by providing:
- Unified asset inventory: every host, application, cloud resource, and identity system in one place
- Prioritized findings: vulnerability data enriched with exploit probability, asset criticality, and business exposure so that the top 20 findings are the 20 that genuinely matter most
- Integrated remediation workflows: fix planning, ticket generation, and exception management connected to the findings, not separated in a different system
- AI-driven analysis: automated translation of technical findings into business narratives, engineering tickets, and remediation plans
### The Cost of Getting This Wrong
The business case for unified exposure management is not abstract. The 2024 Verizon Data Breach Investigations Report found that 14% of breaches were initiated through exploitation of vulnerabilities. The average cost of a data breach is $4.88M (IBM 2024). The common thread across most preventable breaches is not a lack of scanning; it is a failure to act on known vulnerabilities in a timely way.
The time between a vulnerability being discovered and being exploited by a threat actor has compressed dramatically. For vulnerabilities with public exploit code, the median exploitation time is now under 5 days. Organizations that prioritize manually and remediate slowly are operating on a timeline that does not match the threat landscape.
ThreatWeaver is built to close this time gap by making the prioritization and remediation workflow faster at every step.
## Platform Modules
ThreatWeaver is organized into modules. Customers license the modules appropriate to their environment and security program maturity. Each module solves a distinct problem, but they share a data model: asset records, finding records, and risk scores from one module are visible and usable in others.
### Exposure Management
What it delivers to the business: A single source of truth for every vulnerability across your infrastructure. Replaces the manual process of exporting Tenable data to spreadsheets and the resulting inconsistency in who is looking at what version of the data.
Exposure Management ingests vulnerability data from Tenable.io (and is designed to add additional scanner integrations), maintains a persistent asset inventory, and applies WeaverScore prioritization to every finding. It includes:
- Live asset inventory with criticality tagging, environment classification, and owner assignment
- Vulnerability findings with full Tenable metadata (CVE, CVSS, EPSS, KEV status, plugin family)
- WeaverScore risk prioritization: a composite score that tells your team what to fix first
- VFP (Vulnerability Fix Planner): work packages that group related findings and assign them to engineering teams with SLA tracking
- Compliance mapping: findings automatically tagged to PCI-DSS, SOC 2, ISO 27001, and OWASP frameworks
- Remediation trend reporting: are you getting better or worse, and by how much?
Who uses it: Security operations, vulnerability management, IT operations, GRC.
Business outcome: Reduction in mean time to remediate (MTTR) critical vulnerabilities, improved audit readiness, elimination of the "spreadsheet of vulnerabilities" problem.
### AppSec Scanner
What it delivers to the business: Automated penetration testing capability for web applications and APIs that runs on demand, finds real vulnerabilities (not just CVE signature matches), and produces findings that developers can act on.
Traditional DAST tools run pattern-matching scans against known vulnerability signatures. ThreatWeaver's AppSec Scanner uses 59 purpose-built AI agents that understand application behavior, test business logic, and detect the authorization and workflow vulnerabilities that automated scanners have historically missed, specifically the OWASP API Top 10 categories (broken object-level authorization, broken function-level authorization, mass assignment) that are involved in a significant fraction of API breaches.
The scanner supports three modes:
- Black-box: No credentials, testing from an unauthenticated attacker's perspective
- Gray-box: Authenticated testing with a standard user account
- White-box: Full context testing with test data hints (specific user IDs, resource IDs, admin accounts) for maximum coverage
Who uses it: Application security teams, development teams, DevSecOps, penetration testers.
Business outcome: Finds real exploitable vulnerabilities before attackers do. Replaces expensive ($15K–$30K per engagement) manual pen tests for routine application security validation.
### AI Labs
What it delivers to the business: Multiplies analyst productivity. The features in AI Labs handle the time-consuming but formulaic parts of a security analyst's job (writing tickets, drafting executive summaries, looking up remediation steps, writing exception justifications) so analysts spend their time on judgment-dependent work.
Six production features:
- AI Fix Planner: generates step-by-step remediation guidance tailored to the specific asset, technology stack, and finding. Includes code snippets where applicable.
- AI Ticket Writer: converts findings into complete Jira/ServiceNow ticket content including title, description, acceptance criteria, and priority justification.
- AI Executive Summary: produces C-suite-ready security posture narratives from dashboard data. Ready for board presentations without editing.
- AI Root Cause Analyzer: identifies why a cluster of vulnerabilities exists (missing validation library, misconfigured baseline, architectural flaw), not just what the vulnerabilities are.
- AI Exception Handler: drafts audit-quality risk acceptance documentation when a vulnerability cannot be remediated immediately.
- AI Chat: conversational interface for querying vulnerability data ("which assets have the most critical findings?", "summarize the AppSec scan from last week").
Who uses it: Security analysts, security managers, CISOs, GRC teams.
Business outcome: 35–40% reduction in analyst time spent on documentation and translation tasks. Faster ticket-to-remediation cycle. Executive reports that take minutes to generate instead of hours.
### Cloud Security (Active Development)
What it delivers to the business: Visibility into misconfigurations, overly permissive access controls, and compliance gaps across AWS, Azure, and GCP environments. Answers the question that keeps security managers awake: "Are our cloud accounts configured securely?"
Cloud Security will deliver:
- Cloud Security Posture Management (CSPM) with CIS benchmark scoring across all three major cloud providers
- Container vulnerability scanning integrated with the asset inventory
- Infrastructure-as-Code policy checks to catch misconfigurations before deployment
- Cloud findings unified with infrastructure and application findings in the same WeaverScore framework
Business outcome: Single pane of glass for cloud security posture. Eliminates the need for separate CSPM tools that do not connect to the broader vulnerability management workflow.
### Identity Security (Active Development)
What it delivers to the business: Visibility into identity-based attack paths, the techniques attackers use to move from an initial foothold to domain admin, to steal credentials, or to escalate privileges by exploiting identity provider misconfigurations.
The majority of significant breaches in the past three years have involved compromised credentials or identity provider abuse at some stage of the attack chain. Identity Security will deliver:
- Active Directory and Entra ID connector
- Attack path analysis for Kerberoasting, DCSync, Golden Ticket, and privilege escalation scenarios
- MFA gap detection: which privileged accounts do not have MFA enrolled?
- Identity risk scoring unified with the WeaverScore framework
Business outcome: Identifies the identity-layer attack paths that traditional vulnerability scanners miss entirely.
### AI Security (Active Development)
What it delivers to the business: Governance and risk visibility for organizations that are deploying their own AI models and LLM applications, an increasingly common and largely ungoverned attack surface.
As organizations deploy LLMs in production, new risk categories emerge: prompt injection vulnerabilities, model poisoning, training data exposure, and compliance gaps in AI governance frameworks. AI Security will deliver:
- AI model and LLM application inventory
- Risk classification for AI-specific vulnerability categories
- Governance policy engine for organizations that need documented AI use policies
Business outcome: Supports emerging AI governance requirements and provides visibility into an attack surface that no existing vulnerability management tool covers.
## WeaverScore Explained for Executives
WeaverScore is ThreatWeaver's proprietary risk prioritization metric. It is a single number from 0 to 100 that represents the security posture of a specific asset or of the organization as a whole.
Why a single number matters: Most vulnerability management products give you counts (how many critical, how many high) and scores (CVSS). These are useful for analysts but not for executive decision-making. A CISO presenting to a board does not want to explain what CVSS 9.8 means relative to CVSS 7.2. They want to say "our security posture improved by 8 points this quarter because we addressed the most exposed systems."
### What Goes Into WeaverScore
WeaverScore combines five signals:
| Signal | What It Measures | Why It Matters |
|---|---|---|
| CVSS Severity | Technical severity of the vulnerability | Base measure of how bad the vulnerability is |
| EPSS Score | Probability the vulnerability will be exploited in the wild within 30 days | Separates theoretical risk from real-world threat |
| Asset Criticality | How important this specific asset is to the business | A critical CVE on a test server is lower priority than the same CVE on the payments database |
| Vulnerability Age | How long the finding has been open | Old critical findings are an SLA and compliance concern beyond the raw technical risk |
| Network Exposure | Whether the asset is internet-facing or isolated | The same vulnerability is higher risk on an exposed asset |
A vulnerability with CVSS 7.0 on an isolated development server may have a lower WeaverScore than a vulnerability with CVSS 5.0 on an internet-facing customer-facing application with a high EPSS score.
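To make the prioritization logic concrete, here is an added Python example of a composite exposure score built from the five signals in the table. It is a hypothetical model written for this page, not ThreatWeaver's proprietary WeaverScore formula (whose weights are not published here); the weights, the criticality scale, the age ramp, and the sample findings are all assumptions. It reproduces the comparison in the paragraph above, a CVSS 7.0 finding on an isolated development server scoring below a CVSS 5.0 finding on an internet-facing, business-critical application with a high EPSS score, and shows how closing the worst finding moves an asset's posture up.

```python
"""Hypothetical composite exposure score combining CVSS, EPSS, asset criticality,
vulnerability age and network exposure.

Written as an illustration for this page. It is NOT the proprietary WeaverScore
formula; every weight, scale and sample value below is an assumption.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float           # CVSS base score, 0.0-10.0
    epss: float           # EPSS probability of exploitation within 30 days, 0.0-1.0
    criticality: int      # assumed scale: 1 (test/lab) .. 4 (business-critical)
    internet_facing: bool
    opened: date          # date the finding was first seen


# Assumed weights; they sum to 1.0 so the per-finding score stays on a 0-100 scale.
WEIGHTS = {"cvss": 0.30, "epss": 0.30, "criticality": 0.20, "age": 0.10, "exposure": 0.10}


def age_factor(days_open: int) -> float:
    """Assumed SLA ramp: no penalty inside 30 days, linear to a full penalty at 90 days."""
    if days_open <= 30:
        return 0.0
    return min((days_open - 30) / 60.0, 1.0)


def exposure_score(f: Finding, today: date) -> float:
    """Per-finding urgency from 0 (ignore) to 100 (fix now); higher means more exposed."""
    components = {
        "cvss": f.cvss / 10.0,
        "epss": f.epss,
        "criticality": (f.criticality - 1) / 3.0,
        "age": age_factor((today - f.opened).days),
        "exposure": 1.0 if f.internet_facing else 0.0,
    }
    return round(100.0 * sum(WEIGHTS[k] * v for k, v in components.items()), 1)


def prioritize(findings: list[Finding], today: date) -> list[Finding]:
    """Worklist order: most exposed finding first."""
    return sorted(findings, key=lambda f: exposure_score(f, today), reverse=True)


def asset_posture(findings: list[Finding], today: date) -> float:
    """Posture on a 0-100 'higher is better' scale: 100 minus the worst open finding.
    Remediating the worst finding raises it; a new critical finding lowers it."""
    if not findings:
        return 100.0
    return round(100.0 - max(exposure_score(f, today) for f in findings), 1)


# Constructed sample data reproducing the comparison made in the text.
TODAY = date(2026, 4, 1)
DEV_SERVER = Finding("dev-build-03", "CVSS 7.0 on isolated dev server", cvss=7.0, epss=0.02,
                     criticality=1, internet_facing=False, opened=date(2026, 3, 22))
PAYMENTS_APP = Finding("payments-web", "CVSS 5.0 on internet-facing payments app", cvss=5.0,
                       epss=0.85, criticality=4, internet_facing=True, opened=date(2026, 3, 22))

if __name__ == "__main__":
    for f in prioritize([DEV_SERVER, PAYMENTS_APP], TODAY):
        print(f"{exposure_score(f, TODAY):5.1f}  {f.asset:14}  {f.title}")
    print("posture before fix:", asset_posture([DEV_SERVER, PAYMENTS_APP], TODAY))
    print("posture after fixing payments app:", asset_posture([DEV_SERVER], TODAY))
```

With these assumed weights the payments-app finding scores 70.5 and the dev-server finding 21.6, so the lower-CVSS finding is worked first, and closing it lifts the asset posture from 29.5 to 78.4. The weights are where a real program encodes its risk appetite; the point of the example is that CVSS alone is one input, not the answer.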
### What Moves WeaverScore Up
- Remediating critical and high findings, especially on high-criticality assets
- Remediating findings with high EPSS scores (active exploitation risk)
- Improving remediation velocity (finding-to-close time)
- Reducing the count of findings older than 30/60/90 days
### What Moves WeaverScore Down
- New critical findings being discovered (expected during active scanning)
- Existing findings aging past SLA thresholds
- High EPSS vulnerabilities remaining open after 30 days
- New assets being added that have existing vulnerabilities
A stable or improving WeaverScore in the face of regular scanning is evidence of a healthy, functioning remediation program. A declining WeaverScore despite remediation activity indicates that discovery is outpacing remediation, which is a resource and process problem, not just a technical one.
## ROI Narrative
ThreatWeaver's return on investment operates at three levels.
### Tool Consolidation
The capabilities in ThreatWeaver replace multiple point tools:
| Replaced Tool Category | Typical Cost | ThreatWeaver Coverage |
|---|---|---|
| Vulnerability Management Platform (Tenable.sc/similar) | $20K–$80K/year | Exposure Management module |
| Application DAST Scanner (Invicti, Qualys WAS) | $15K–$40K/year | AppSec Scanner module |
| Pen Test Engagement (annual or semi-annual) | $15K–$30K/engagement | AppSec Scanner module |
| AI Remediation Layer (standalone tools) | $10K–$25K/year | AI Labs module |
| CSPM (individual cloud security tool) | $10K–$30K/year | Cloud Security module (in dev) |
Organizations replacing three or more of these tools with ThreatWeaver typically see direct cost savings of $50K–$150K annually depending on their current tool stack.
### Analyst Productivity
Industry research consistently finds that security analysts spend 35–40% of their time on tasks that are repetitive, formulaic, or primarily translational: writing tickets, drafting summaries, looking up remediation steps, writing exception documentation. AI Labs automates this category of work.
For a team of 5 analysts at $120K fully-loaded cost, 35% of their time is approximately $210K of annual labor applied to tasks AI can handle in seconds. Even capturing 50% of that efficiency gain represents $105K in annual productivity value.
The more practical measure is what analysts do with the recovered time: more thorough review of AI outputs, deeper investigation of complex findings, proactive threat hunting, and strategic security program work.
### MTTR Reduction
The mean time to remediate (MTTR) a critical vulnerability determines the window of exposure. Reducing MTTR by 50% roughly halves the expected exposure window for any given critical finding.
ThreatWeaver's contribution to MTTR reduction:
- Faster triage: WeaverScore prioritization reduces the time analysts spend deciding what to work on
- Faster ticket creation: AI Ticket Writer reduces ticket creation from 30–60 minutes to under 2 minutes
- Clearer remediation steps: AI Fix Planner reduces the back-and-forth between security and engineering teams
- Better SLA tracking: VFP work packages with built-in SLA policies create accountability and escalation triggers
Organizations that have implemented similar AI-assisted remediation workflows report 40–60% reductions in MTTR for critical findings. The primary driver is not automation replacing humans; it is reducing friction at each handoff in the remediation chain.
## Your First 30 Days
### Days 1–5: Platform Setup and Asset Ingestion
The fastest path to value is connecting ThreatWeaver to your existing Tenable.io instance and synchronizing your current vulnerability data. On day one, you see your entire Tenable vulnerability inventory in ThreatWeaver with WeaverScore applied, giving you immediate prioritized visibility that Tenable's native UI does not provide.
During this phase: configure asset tags (criticality, environment, business unit, compliance scope), set up user accounts and roles, and configure email notifications for critical finding alerts.
### Days 6–14: Baseline and Prioritization
With data flowing, the focus shifts to establishing your baseline. Your WeaverScore on day 7 is your starting point. Review the top 25 WeaverScore findings; these are the vulnerabilities that a risk-based analysis says represent the most important remediations.
During this phase: assign findings to teams using the VFP work package system, generate fix plans for the top 10 findings, and configure SLA policies appropriate to your organization's risk tolerance.
### Days 15–22: First AppSec Scan
If your license includes the AppSec Scanner, configure your first assessment during this phase. Start with gray-box scanning of your highest-criticality web application. The scanner typically takes 2–6 hours to complete for a moderately complex application.
Review the AppSec findings together with your Exposure Management findings; this is where the unified platform shows its value. An application vulnerability found by the AppSec scanner on the same asset as an infrastructure vulnerability found by Tenable gives you a much clearer picture of that asset's total exposure than either tool shows independently.
### Days 23–30: AI Labs Activation and Executive Reporting
Enable AI Labs and generate your first AI Executive Summary. This gives you the end-to-end workflow: ingestion → prioritization → analysis → reporting. Distribute the summary to your CISO or executive stakeholder as a demonstration of what the platform can produce on an ongoing basis.
During this phase: configure AI Labs with your preferred LLM provider, run the AI Chat through your most common status-check queries, and schedule a weekly or monthly executive summary report.
## How ThreatWeaver Fits in Your Security Stack
ThreatWeaver is not a replacement for your SIEM, SOAR, EDR, or firewall. It is the correlation and prioritization layer that sits between your scanner data and your remediation workflow.
```
[Tenable.io / Nessus]  →  ThreatWeaver       →  [Jira / ServiceNow]
[AppSec Scanner]       →  (Exposure Mgmt     →  [SIEM / SOAR]
[Cloud CSPM]           →   + WeaverScore     →  [Engineering Teams]
[Identity Providers]   →   + AI Analysis)    →  [Executive Reporting]
```
What ThreatWeaver receives from your stack:
- Vulnerability scan data from Tenable (and future scanner integrations)
- Asset metadata from your CMDB or cloud inventory (manual tagging or API sync)
- Identity data from Active Directory, Entra ID, Okta (Identity Security module)
What ThreatWeaver sends back:
- Prioritized finding lists to SIEM for alert enrichment (planned integration)
- Tickets and work packages to Jira/ServiceNow (current integration)
- PDF and API-accessible reports for GRC and compliance tools
- API access to WeaverScore data for dashboard integration
What ThreatWeaver does not do: ThreatWeaver does not replace your scanner; it requires scanner data as input. It does not perform incident response, log analysis, network detection, or endpoint protection. Those capabilities remain with your existing SIEM/SOAR and EDR investments.
## Security and Compliance
### Multi-Tenant Isolation
ThreatWeaver is built on a schema-per-tenant isolation model. Each tenant's data is stored in a separate PostgreSQL schema that is physically isolated from other tenants' schemas. Queries from one tenant's users cannot access another tenant's data at the database level, not just at the application permission level. This architecture is relevant for MSSPs managing multiple client environments and for enterprise organizations with strict data separation requirements between business units.
### Data Handling
ThreatWeaver stores vulnerability data, asset inventory, and AI-generated content in your PostgreSQL database (Supabase in the SaaS deployment). Sensitive fields (API keys, credentials found in scan evidence) are encrypted at rest. API keys for LLM providers are stored with `select: false` in the ORM, so they are never returned to the frontend.
When AI Labs is used with a cloud LLM provider (Anthropic or OpenAI), vulnerability data is sent to that provider as described in the AI Labs privacy documentation. Sensitive fields (IP addresses, credentials in scan evidence, tenant identity) are stripped before transmission.
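As an added illustration of the stripping step described above (this is not ThreatWeaver's code; the field names, the regex patterns and the sample finding are assumptions constructed for this example), here is a Python redaction pass a defender could run over a finding record before it leaves for a cloud LLM provider. It drops tenant identity fields, replaces IPv4 addresses, and masks credential-looking values in scan evidence, recursing through nested objects and lists. The patterns are deliberately coarse: over-redacting a version string that looks like an IP is cheaper than leaking a secret to a third party.

```python
"""Redact tenant identity, IP addresses and credential-like values from a finding
record before it is sent to an external LLM provider.

Illustrative code written for this page, not the product's implementation.
Field names, patterns and the sample record are assumptions.
"""
import json
import re
from typing import Any

# Assumed field names that identify the tenant; removed outright rather than masked.
TENANT_KEYS = {"tenant_id", "tenant_name", "owner_email"}

# Coarse patterns: they will also catch dotted version strings, which is acceptable here.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BEARER = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*")
KV_SECRET = re.compile(r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)(\s*[=:]\s*)\S+")
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")   # well-known access-key-id shape


def scrub_text(text: str) -> str:
    """Mask secrets and addresses inside a free-text field such as scan evidence."""
    text = IPV4.sub("[IP]", text)
    text = BEARER.sub(r"\g<1>[REDACTED]", text)          # keep 'Bearer ', drop the token
    text = KV_SECRET.sub(r"\g<1>\g<2>[REDACTED]", text)  # keep 'password=', drop the value
    text = AWS_KEY_ID.sub("[AWS_KEY_ID]", text)
    return text


def redact_for_llm(value: Any) -> Any:
    """Return a copy of the record safe to transmit: tenant keys removed, strings scrubbed."""
    if isinstance(value, dict):
        return {k: redact_for_llm(v) for k, v in value.items() if k not in TENANT_KEYS}
    if isinstance(value, list):
        return [redact_for_llm(v) for v in value]
    if isinstance(value, str):
        return scrub_text(value)
    return value  # numbers, booleans, None pass through unchanged


# Constructed sample finding; every value here is made up for the example.
SAMPLE_FINDING = {
    "tenant_id": "t-00042",
    "tenant_name": "Example Corp",
    "asset": {"hostname": "app01.internal", "ip": "10.20.30.40", "criticality": 4},
    "plugin_family": "Web Servers",
    "cvss": 7.5,
    "evidence": (
        "GET /admin HTTP/1.1\n"
        "Host: 10.20.30.40\n"
        "Authorization: Bearer eyJhbGciOi.constructed.token\n"
        "\n"
        "config dump: db_password=Sup3rSecret! aws_key=AKIAABCDEFGHIJKLMNOP"
    ),
}

if __name__ == "__main__":
    print(json.dumps(redact_for_llm(SAMPLE_FINDING), indent=2))
```

Run as a script it prints the scrubbed record: the two tenant keys are gone, both occurrences of the address read `[IP]`, and the bearer token, database password and access key id are replaced while the hostname, CVSS score and plugin family the model actually needs are left intact. A deny-list like `TENANT_KEYS` should be paired with a review of any new field added to the record schema, since a field the list does not know about is transmitted as-is.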
### SOC 2 Readiness
ThreatWeaver's architecture supports SOC 2 Type II audit requirements in several areas:
- CC6 (Logical Access): RBAC v2 with fine-grained permissions, SSO support (Entra ID, Okta, Google Workspace), session management with token expiry
- CC7 (System Operations): Comprehensive audit logging for all data access and mutation operations via the VFP audit service
- CC8 (Change Management): Deployment pipeline with environment separation (local → dev → production)
- A1 (Availability): Health check endpoints, Redis caching for performance, horizontal scaling capability
ThreatWeaver is not itself SOC 2 certified at this stage. Organizations requiring a SOC 2 report for their vendor should confirm the current certification status with the sales team.
### Authentication and Access Control
- SSO: Entra ID (Azure AD), Okta, and Google Workspace SAML integration
- RBAC: Role-based access control with fine-grained permissions. Predefined roles (Admin, Security Analyst, Read-Only Viewer, AppSec Engineer) and custom role creation
- MFA: Enforced via SSO provider (ThreatWeaver delegates MFA to the identity provider)
- Session management: JWT with configurable expiry, refresh token rotation, and forced logout capability
## Deployment Options
ThreatWeaver is designed as a SaaS product but supports three deployment models.
### SaaS (Recommended for Most Organizations)
The platform runs on Render (backend) and Vercel (frontend) with Supabase PostgreSQL. No infrastructure to manage. Updates are deployed automatically. The SaaS deployment is the fastest path to value and the lowest total cost of ownership.
Best for: Organizations that do not have regulatory or contractual restrictions on cloud data processing. Fastest deployment (hours, not days).
### On-Premises
The backend, frontend, and database can be deployed in your own infrastructure using Docker Compose (development/small-scale) or Kubernetes (production at scale). The backend requires Node.js 18+, PostgreSQL 14+, and optional Redis for caching.
On-premises deployment requires managing your own infrastructure, database backups, and platform updates.
Best for: Organizations with strict data residency requirements, classified environments, or contractual restrictions that prohibit sending data to third-party cloud providers. Also the only option that supports local LLM deployment for AI Labs features.
Trade-off: Higher operational overhead. Updates require manual deployment. AI Labs quality is reduced if using local models instead of cloud LLMs.
### Hybrid
Backend deployed on-premises or in your private cloud VPC. Frontend hosted on Vercel (or your own CDN). Database in your own PostgreSQL instance. Scan sensors deployed into private network segments with WebSocket tunneling back to the central backend.
Best for: Organizations that want to keep scan traffic and vulnerability data on-premises but are comfortable with the frontend (which contains no sensitive data) hosted externally.
### Distributed Scan Sensors
For all deployment models, ThreatWeaver supports distributed scan sensors: Docker containers deployed inside private network segments that cannot be reached directly by the central backend. The sensor communicates outbound via an encrypted WebSocket tunnel, enabling internal application scanning without requiring inbound network access or VPN configuration changes.
This is relevant for organizations that want to scan internal applications, staging environments, or air-gapped network segments with the AppSec scanner.
## What ThreatWeaver Is NOT
Managing expectations matters for deployment success. ThreatWeaver explicitly does not aim to be:
Not a SIEM. ThreatWeaver does not ingest logs, analyze events in real time, or support security operations center workflows built around alert triage from network and endpoint telemetry. It ingests structured vulnerability and posture data, not raw event streams.
Not an EDR. ThreatWeaver does not provide endpoint detection and response, behavioral analysis of running processes, or incident containment capabilities. It knows about vulnerabilities on endpoints, not about active threats executing on them.
Not a firewall or WAF. ThreatWeaver identifies web application vulnerabilities. It does not protect them at runtime. The distinction matters: ThreatWeaver tells you the application has a SQL injection vulnerability; your WAF (if configured) may block exploitation of that vulnerability as a compensating control.
Not a threat intelligence platform. ThreatWeaver uses EPSS and KEV data to enrich vulnerability prioritization, but it does not provide analyst-facing threat intelligence feeds, indicator of compromise (IoC) management, or adversary tracking.
Not a GRC platform. ThreatWeaver maps findings to compliance frameworks and generates compliance gap reports, but it does not manage policies, evidence collection workflows, audit tasks, or the full compliance program lifecycle. GRC platforms (Archer, ServiceNow GRC, Drata) remain the system of record for compliance management.
Not a replacement for manual penetration testing. The AppSec Scanner automates a significant portion of application security testing, but it does not replace human judgment for complex business logic vulnerabilities, physical security testing, social engineering assessments, or red team engagements requiring creativity and adversarial thinking.
## 12-Month Roadmap Highlights
### Q2 2026 (Current Quarter)
- AppSec Scanner accuracy improvements: targeting a 95%+ true positive rate across all OWASP categories
- CI/CD DAST integration: trigger scans from GitHub Actions, GitLab CI, Jenkins via API
- Compliance report export: PDF and CSV reports mapped to PCI-DSS, SOC 2, ISO 27001
- Cloud Security MVP: CSPM for AWS, Azure, GCP with CIS benchmark scoring
- Identity Security MVP: Active Directory and Entra ID connectors
### Q3 2026
- SAST integration: static analysis to complement DAST, with correlation between static and runtime findings
- External Attack Surface Management (EASM): automated discovery of internet-facing assets and shadow IT
- Infrastructure penetration testing: extend scanner agents to network services beyond web applications
- Advanced reporting: customizable templates, scheduled delivery, executive dashboard exports
### Q4 2026
- Mobile application security testing
- MSSP Partner Program launch: multi-tier partner portal, white-label options, usage-based billing
- Autonomous remediation (AI Labs v2): AI-driven auto-fix for common, well-understood vulnerability patterns
- SOC integration: bi-directional SIEM/SOAR connectors (Splunk, Microsoft Sentinel)
- Gartner MQ preparation: analyst briefings, reference customer program
## Recommended Next Steps
For an executive who wants to evaluate ThreatWeaver:
1. Request a live demonstration against your own environment. The most effective evaluation is connecting ThreatWeaver to your existing Tenable.io instance during a demo and seeing your actual vulnerability data prioritized with WeaverScore. This takes 15 minutes to set up and immediately shows whether the platform's prioritization aligns with your team's judgment about what matters.
2. Run the AppSec scanner against a test application. If you have a staging or test application, a gray-box scan takes 2β4 hours and demonstrates the AppSec scanner's detection capability with your specific technology stack. Compare the output to your last manual pen test report.
3. Ask your CISO to generate an AI Executive Summary. Enable AI Labs with a trial API key and have your security team generate one AI Executive Summary from your current ThreatWeaver data. Evaluate whether the output is something you would use in a board meeting.
4. Define success metrics before deployment. Before committing to the platform, agree on 3–5 metrics you will use to measure success at 30, 90, and 180 days. Suggested starting metrics:
- WeaverScore trend (target: stable or improving after initial baseline)
- Mean time to remediate critical findings (target: 20%+ reduction in 90 days)
- Analyst time on documentation tasks (target: 30%+ reduction)
- Tickets created per analyst per day (target: 2x increase)
- Compliance audit preparation time (target: measurable reduction)
5. Engage the security leadership team, not just the security operations team. ThreatWeaver's value proposition is as relevant to the CISO (executive reporting, board-ready narratives, compliance readiness) as it is to the SOC analyst (finding prioritization, ticket automation). Evaluations that only involve the analyst level often miss the executive-layer benefits that drive the business case.
## Platform Scale
For reference during due diligence:
- 134 database entities in the data model
- 41 API route files with 700+ total endpoints
- 59 scanner agents covering OWASP Top 10, API Top 10, and 40+ additional vulnerability categories
- 37 AI endpoints for intelligent analysis and automation
- Multi-tenant architecture with schema-per-tenant PostgreSQL isolation
- Production deployment: Render (backend, Singapore region), Vercel (frontend, global CDN), Supabase (database)