Supergood | MetricStream API

Programmatically access MetricStream risk registers, control testing results, audit plans and findings, policies, regulatory obligations, and third‑party assessments with a stable REST API. Supergood builds and operates production‑grade, unofficial MetricStream integrations so your team can automate GRC workflows without heavy custom engineering.

Plain English: MetricStream is enterprise Governance, Risk, and Compliance (GRC) software used by risk, compliance, audit, and security teams to manage risks, controls, audits, policies, regulatory obligations, and third‑party risk across the business. An unofficial API lets you programmatically pull risks, KRIs, controls and test results, audits and findings, issues and remediation actions, policies and attestations, vendor questionnaires, and regulatory obligations—and push new records or updates back into MetricStream.

For a tech company integrating with MetricStream, this means you can ingest real‑time risk and audit data to power dashboards, sync findings and remediation tasks to ticketing (e.g., Jira, ServiceNow), automate control testing and evidence capture from your product, or enrich your platform with audit schedules, policies, and vendor assessments. You can also trigger attestations, create issues from detected events, attach evidence, and keep stakeholder systems (ERP, analytics, IAM, SIEM, ticketing) in lockstep.

What is MetricStream?

MetricStream (https://www.metricstream.com/) is a cloud platform for integrated risk management and compliance that centralizes risk assessment, control testing, audit management, policy governance, regulatory change tracking, and third‑party risk across business units and functions. Teams use MetricStream to manage enterprise risk registers and KRIs, plan and execute audits, capture findings and issues with remediation workflows, govern policies and attestations, monitor regulatory obligations, conduct vendor due diligence and questionnaires, and maintain evidence for compliance.

Core product areas include:

  • Enterprise Risk Management (Risk Register, KRIs, Risk Assessments)
  • Compliance & Regulatory Management (Obligations, Policies, Attestations, Regulatory Change)
  • Audit Management (Audit Plans, Engagements, Workpapers, Findings, Remediation)
  • IT & Cyber Risk (Controls, Control Testing, Incidents, Vulnerability/Risk Events)
  • Third‑Party Risk (Vendors, Due Diligence, Questionnaires, SLAs)
  • Issues & Remediation (Issues/Findings, Actions, SLAs, Exceptions)

Common data entities:

  • Organizations/Business Units, Users, Roles/Permissions
  • Risks (category, inherent/residual scoring, owner, KRIs, status)
  • Controls (framework references, objectives, test plans, test results)
  • KRIs/Indicators (thresholds, trends, breaches)
  • Policies (versions, ownership, attestation status)
  • Regulatory Obligations/Requirements (jurisdiction, applicability, deadlines)
  • Audits & Engagements (scope, schedules, working papers, teams)
  • Findings/Issues (severity, root cause, remediation plan, due dates)
  • Remediation Actions/Tasks (assignment, status, SLA dates)
  • Third Parties/Vendors (risk tier, questionnaires, assessments)
  • Assessments/Questionnaires (responses, scoring, evidence)
  • Evidence & Attachments (files, checksums, timestamps)
  • Loss Events/Incidents (impact, cause, resolution)

The MetricStream Integration Challenge

Risk and compliance functions rely on MetricStream daily, but turning portal‑based workflows into API‑driven automation is non‑trivial:

  • Role‑aware modules: Risk, compliance, audit, and business users each see different data, workflows, and approvals
  • Workflow rigor: Assessments, control testing, audit findings, and issue remediation follow multi‑step lifecycles with gated transitions
  • Evidence‑heavy processes: Attachments, workpapers, and attestations require secure uploads and checksum validation
  • Authentication complexity: SSO (SAML/OAuth) and MFA complicate headless automation across tenants and environments
  • Cross‑module context: Risks link to controls and audits; issues reference policies and obligations; third‑party data spans vendors, questionnaires, and corrective actions

How Supergood Creates MetricStream APIs

Supergood reverse‑engineers authenticated browser flows and network interactions to deliver a resilient API endpoint layer for your MetricStream tenant.

  • Handles username/password, SSO/OAuth, and MFA (SMS, email, TOTP) securely
  • Maintains session continuity with automated refresh and change detection
  • Normalizes responses so you can integrate once and rely on consistent objects across modules
  • Aligns with customer entitlements and role‑based permissions to ensure compliant access

Use Cases

Risk & Compliance Data Sync

  • Mirror risk registers, KRIs, controls, policies, and obligations into your internal data warehouse
  • Keep risk scores and statuses current for analytics and reporting
  • Normalize business units, owners, and categories across tenants

Audit & Issue Orchestration

  • Create audit engagements from your planning tools and sync schedules
  • Ingest findings and push issues/remediation tasks to Jira or ServiceNow
  • Track status transitions to drive SLA alerts and feed dashboards

Control Testing & Evidence Automation

  • Upload evidence from your product or sensors and attach to control tests
  • Record test results (design/effectiveness) with sampling details
  • Trigger re‑tests or exceptions based on threshold breaches

Third‑Party Risk Assessments

  • Generate and send questionnaires to vendors
  • Capture responses, compute risk scores, and assign corrective actions
  • Maintain an up‑to‑date vendor risk tier across your ecosystem

Regulatory Change Management

  • Pull obligations and deadlines for applicable regulations
  • Automate attestations and policy acknowledgments
  • Drive workflow based on jurisdiction, applicability, and risk impact

Available Endpoints

Authentication

POST /sessions: Establish a session using credentials. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled. Returns a short‑lived auth token maintained by the platform.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/sessions \
  --header 'Authorization: Basic <Base64 encoded token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "[email protected]",
    "password": "<password>",
    "mfa": { "type": "totp", "code": "123456" }
  }'

Example response

{
  "authToken": "eyJhbGciOi...",
  "expiresIn": 3600,
  "user": {
    "id": "u_mstrm_729c10",
    "name": "Risk Manager",
    "entitlements": ["risks", "controls", "audits", "issues", "policies", "third_parties"]
  }
}

POST /sessions/refresh: Refresh an existing token to keep sessions uninterrupted.

Risks

GET /risks: List risks with filters, scoring, KRIs, and ownership metadata.

Query parameters

  • businessUnitId: string
  • category: string (e.g., operational, cyber, third_party)
  • status: open | monitoring | accepted | closed
  • updatedFrom, updatedTo: ISO 8601 timestamps
  • page, pageSize: integers for pagination

Example response

{
  "items": [
    {
      "riskId": "risk_2a91f0",
      "title": "Third-Party Data Breach",
      "category": "third_party",
      "ownerUserId": "u_mstrm_a18f21",
      "businessUnitId": "bu_emea_02",
      "inherentScore": 72.5,
      "residualScore": 48.0,
      "likelihood": "high",
      "impact": "major",
      "kris": [
        {"kriId": "kri_vendor_incidents", "name": "Vendor Security Incidents", "currentValue": 3, "threshold": 1, "status": "breached"}
      ],
      "linkedControlIds": ["ctrl_iso27001_a12", "ctrl_soc2_cc7"],
      "status": "monitoring",
      "updatedAt": "2026-01-20T13:45:00Z"
    }
  ],
  "page": 1,
  "pageSize": 50,
  "total": 1
}

Issues

POST /issues: Create an issue/finding with severity, root cause, and remediation details.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/issues \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Access Control Gap in Vendor Portal",
    "source": {"type": "audit", "auditId": "aud_51af80"},
    "severity": "high",
    "rootCause": "incomplete role mapping",
    "description": "Users retain elevated permissions after role changes.",
    "relatedControlIds": ["ctrl_access_mgmt_01"],
    "businessUnitId": "bu_na_01",
    "assignedToUserId": "u_mstrm_ops_9930",
    "dueDate": "2026-02-15",
    "remediationPlan": {
      "actions": [
        {"description": "Implement dynamic role revocation", "ownerUserId": "u_mstrm_ops_9930", "targetDate": "2026-02-10"},
        {"description": "Add nightly entitlement reconciler", "ownerUserId": "u_mstrm_sec_1122", "targetDate": "2026-02-12"}
      ]
    },
    "attachments": [
      {"fileName": "evidence_screenshots.zip", "uploadToken": "upl_7fa223"}
    ],
    "referenceId": "jira-SEC-2981"
  }'

Example response

{
  "issueId": "iss_90e412",
  "status": "open",
  "severity": "high",
  "createdAt": "2026-01-21T11:20:44Z",
  "workflowState": "triage"
}
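As an added example (not Supergood's or MetricStream's code), the following Python walks the paginated GET /risks listing shown above, picks out risks whose KRIs report status "breached", and builds POST /issues bodies in the shape documented for that endpoint. The HTTP transport is injected as a callable so it runs offline against a constructed sample page; the "kri" source type, the likelihood-to-severity mapping, and the referenceId scheme are assumptions, not part of the documented API.

```python
# Constructed sample pages modelled on the GET /risks response above (not live data).
SAMPLE_PAGES = {
    1: {"items": [{"riskId": "risk_2a91f0", "title": "Third-Party Data Breach",
                   "businessUnitId": "bu_emea_02", "ownerUserId": "u_mstrm_a18f21",
                   "likelihood": "high", "linkedControlIds": ["ctrl_iso27001_a12"],
                   "kris": [{"kriId": "kri_vendor_incidents", "name": "Vendor Security Incidents",
                             "currentValue": 3, "threshold": 1, "status": "breached"}]}],
        "page": 1, "pageSize": 1, "total": 2},
    2: {"items": [{"riskId": "risk_77b0c1", "title": "Backup Restore Failure", "likelihood": "low",
                   "businessUnitId": "bu_na_01", "ownerUserId": "u_mstrm_it_55",
                   "kris": [{"kriId": "kri_restore_tests", "name": "Failed Restore Tests", "status": "ok"}]}],
        "page": 2, "pageSize": 1, "total": 2},
}

def fake_fetch(params):  # stand-in for GET /risks?page=N; a real client makes the HTTP call here
    return SAMPLE_PAGES.get(params["page"], {"items": [], "total": 2})

def iter_risks(fetch, **filters):
    """Yield every risk across pages, driven by the page/pageSize/total fields."""
    page, seen = 1, 0
    while True:
        resp = fetch({**filters, "page": page, "pageSize": 50})
        items = resp.get("items", [])
        yield from items
        seen += len(items)
        if not items or seen >= resp.get("total", 0):
            return
        page += 1

def issue_for_breach(risk, kri):
    """Build a POST /issues body; the "kri" source type and severity mapping are assumptions."""
    return {
        "title": f"KRI breach: {kri['name']} ({risk['title']})",
        "source": {"type": "kri", "kriId": kri["kriId"], "riskId": risk["riskId"]},
        "severity": "high" if risk.get("likelihood") == "high" else "medium",
        "relatedControlIds": risk.get("linkedControlIds", []),
        "businessUnitId": risk["businessUnitId"],
        "assignedToUserId": risk["ownerUserId"],
        # A stable referenceId lets a re-run be deduplicated instead of filing the issue twice.
        "referenceId": f"kri-breach:{risk['riskId']}:{kri['kriId']}",
    }

def plan_issues(fetch):
    """One issue per breached KRI, deduplicated by referenceId."""
    out = {}
    for risk in iter_risks(fetch, status="monitoring"):
        for kri in risk.get("kris", []):
            if kri.get("status") == "breached":
                body = issue_for_breach(risk, kri)
                out.setdefault(body["referenceId"], body)
    return list(out.values())
```

Before POSTing, a real client should first query existing issues by referenceId so that the dedupe holds across process restarts, not only within one run.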

Controls – Test Results

PATCH /controls/{controlId}/tests/{testId}: Update control test outcomes with sampling details and exceptions.

curl --request PATCH \
  --url https://api.supergood.ai/integrations/<integration_id>/controls/ctrl_access_mgmt_01/tests/tst_7c3d21 \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "testDate": "2026-02-01",
    "testType": "operating_effectiveness",
    "testerUserId": "u_mstrm_aud_441",
    "sampleSize": 30,
    "result": "fail",
    "exceptions": [
      {"description": "2 users retained admin after transfer", "count": 2}
    ],
    "notes": "Automated entitlement reconciler not in place.",
    "evidence": [
      {"fileName": "access_audit_log.csv", "uploadToken": "upl_08ab73"}
    ]
  }'

Example response

{
  "testId": "tst_7c3d21",
  "controlId": "ctrl_access_mgmt_01",
  "result": "fail",
  "exceptionsCount": 1,
  "updatedAt": "2026-01-22T08:15:12Z"
}

Audits

POST /audits: Create an audit engagement with scope, timelines, and staffing.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/audits \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Q1 Access Management Audit",
    "frameworks": ["SOC 2", "ISO 27001"],
    "scope": {
      "processes": ["User Provisioning", "Role Management"],
      "systems": ["IAM", "Vendor Portal"],
      "businessUnits": ["North America", "EMEA"]
    },
    "startDate": "2026-02-01",
    "endDate": "2026-03-15",
    "leadAuditorId": "u_mstrm_aud_001",
    "teamUserIds": ["u_mstrm_aud_002", "u_mstrm_aud_003"],
    "plannedTests": [
      {"controlId": "ctrl_access_mgmt_01", "testType": "design"},
      {"controlId": "ctrl_access_mgmt_02", "testType": "operating_effectiveness"}
    ],
    "notes": "Focus on entitlement lifecycle and admin rights."
  }'

Example response

{
  "auditId": "aud_51af80",
  "status": "planned",
  "createdAt": "2026-01-21T10:03:11Z"
}

Get full API Specs →


Technical Specifications

  • Authentication: Username/password with MFA (SMS, email, TOTP) and SSO/OAuth/SAML where enabled; supports service accounts or customer‑managed credentials
  • Response format: JSON with consistent resource schemas and pagination across modules
  • Rate limits: Tuned for enterprise throughput while honoring customer entitlements and usage controls
  • Session management: Automatic reauth and cookie/session rotation with health checks
  • Data freshness: Near real‑time retrieval of risks, controls, audits, issues, policies, obligations, and third‑party objects
  • Security: Encrypted transport, scoped tokens, and audit logging; respects MetricStream role‑based permissions
  • Webhooks: Optional asynchronous delivery for long‑running workflows (e.g., attestations, audit approvals, vendor questionnaires)

Performance Characteristics

  • Latency: Sub‑second responses for list/detail queries under normal load
  • Throughput: Designed for high‑volume risk register sync and audit/issue processing
  • Reliability: Retry logic, backoff, and idempotency keys minimize duplicate actions
  • Adaptation: Continuous monitoring for UI/API changes with rapid adapter updates

Getting Started

  1. Schedule Integration Assessment

Book a 30‑minute session to confirm your modules, licensing, and authentication model.

  2. Supergood Builds and Validates Your API

We deliver a hardened MetricStream adapter tailored to your workflows and entitlements.

  3. Deploy with Monitoring

Go live with continuous monitoring and automatic adjustments as MetricStream evolves.

Schedule Integration Call →


Frequently Asked Questions

Q: Which MetricStream modules can this integration cover?

Supergood supports workflows across commonly used modules such as Enterprise Risk (Risks, KRIs), Audit Management (Engagements, Findings), Compliance (Policies, Obligations, Attestations), IT & Cyber Risk (Controls, Tests), and Third‑Party Risk (Vendors, Assessments), subject to your licensing and entitlements. We scope coverage during integration assessment.

Q: How are MFA and SSO handled for automation?

We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth/SAML when enabled. Sessions are refreshed automatically with secure challenge handling.

Q: Can you sync audit findings and remediation tasks to our ticketing system?

Yes. We can normalize findings, issues, and action items to match your schema and deliver updates via webhooks or polling while complying with rate and permission constraints. We commonly integrate with Jira and ServiceNow.

Q: Are assessments and evidence uploads supported?

Yes. We support creating vendor and control assessments and uploading attachments via signed uploads with checksum validation and time‑limited URLs. Assessment states and scoring are modeled explicitly in our normalized responses.



Ready to automate your MetricStream workflows?

Supergood can have your MetricStream integration live in days with no ongoing engineering maintenance.

Get Started →
