Adaca RED

An open-source platform for managing initiatives, risks and incidents, with a structured score (RED) for how well each initiative reduces the risk it targets.

View on GitHub

RED is based on five years of monitoring and evaluation systems built for the United Nations, the World Food Programme, and the Swiss Agency for Development and Cooperation.

§01WHY RED
REV 2026.06 · 01.00

RED measures whether an initiative reduced its target risk.

Most operations tools record that a task was completed. RED also scores whether it reduced the risk it was meant to address, on a 0 to 12 composite that is updated each time the initiative is reassessed.

§02ORIGIN
REV 2026.06 · 02.00

Five years in sensitive field environments.

RED began as monitoring and evaluation infrastructure: the systems used to assess whether a field intervention was relevant to the problem, reaching enough of the affected population, and sustained long enough to have an effect.

We built these systems over five years for the United Nations, the World Food Programme, and the Swiss Agency for Development and Cooperation. Adaca RED generalises that scoring model so any operations team can apply it to initiatives, risks and incidents.

§03THE RUBRIC
REV 2026.06 · 03.00

Relevance, Extent and Duration.

RED grades one relationship, how well an initiative mitigates a risk, across three dimensions, each scored 0 to 4.

R 0–4

Relevance

Whether the initiative addresses the risk it targets. A control aimed at the wrong failure mode scores low, however well it is built.

E 0–4

Extent

Whether it reaches enough of what is exposed. Covering three of thirty affected systems is a low Extent, regardless of execution quality.

D 0–4

Duration

Whether the effect is sustained. A control that holds for a fortnight and then lapses scores low on Duration.

Try it · score a mitigation

How well does this initiative mitigate the risk?

R Relevance 0
E Extent 0
D Duration 0
0 / 12
036912

Illustrative composite. In Adaca RED, Relevance, Extent and Duration are assessed and trended per dimension, each on its own 0 to 4 scale.

Each dimension is scored independently and dated. Re-scoring an initiative over time produces a trend; across a risk's mitigating initiatives, the scores combine into an overall coverage estimate.

§04THE MODEL
REV 2026.06 · 04.00

How initiatives, risks and incidents connect.

Adaca RED holds three node types (initiatives, risks and incidents) in a single graph. RED is scored on one relationship only, where an initiative mitigates a risk. The other relationships, an incident realising a risk and an initiative remediating an incident, carry no score, which prevents a single mitigation being counted twice.

Initiative Work undertaken to reduce a risk.
Risk An exposure being managed.
Incident A risk that has occurred, recorded as a report.
Mitigates · RED The scored relationship, initiative to risk.
§05THE PROJECT
REV 2026.06 · 05.00

A methodology, an application, and a design system.

METHODOLOGY

The RED rubric

Relevance, Extent and Duration, documented as a specification you can apply with or without the application.

REFERENCE APP

A definitions-driven graph

Entity types and fields are defined as data, so the schema extends without code changes. Postgres with row-level security and full revision history.

DESIGN SYSTEM

The editorial canvas

The design system the application is built from, also used to render this page.

§06THE APPLICATION
REV 2026.06 · 06.00

Screens from the application.

Adaca RED keeps initiatives, risks and incidents in linked registers, with RED scoring and reporting built in. The screens below show the register, a RED score, the risk matrix and a RED trend.

§ INITIATIVES · REGISTER
TitleStatusRED
Vendor access review Active R3 E3 D2 8/12
MFA rollout, all staff Active R4 E3 D4 11/12
DR failover test Blocked R2 E2 D1 5/12
Data retention policy Proposed R3 E1 D2 6/12
§ REPORTS · RISK MATRIX
1
1
2
1
1
1
3
4
2
1
2

Likelihood →

§ RED · TREND

Composite (0–12, stacked)

Q1
Q2
Q3
Q4
Relevance Extent Duration
§07ARCHITECTURE
REV 2026.06 · 07.00

A definitions-driven data model.

Three node types (initiative, risk and incident) and three edges are described in a definitions registry. Adding a field or a new entity type is a change to that registry, applied as data.

01

Definitions-driven

Forms, filters and validation are generated from one definitions registry. New fields are added as data.

02

Typed graph

Containment (parent and child) and association (the graph) are modelled separately.

03

RED on the edge

RED is stored on the initiative-to-risk relationship, with its history kept per assessment.

04

Revision history

Every node and edge change is recorded. The RED trend is built from that history.

05

Row-level security

Postgres row-level security, with role-based access enforced in the database.

06

Soft delete

Deletes are reversible; any record can be restored.

Built on
vinextCloudflare WorkersSupabasePostgresTailwindMDX
§08GET STARTED
REV 2026.06 · 08.00

Running it yourself.

Adaca RED runs on Supabase (Postgres and Auth) and deploys to Cloudflare Workers. Clone the repository, point it at your own Supabase project, apply the schema, and run it.

bash 
# clone and install
$ git clone https://github.com/adacahq/adaca-red.git
$ cd adaca-red && npm install

# configure Supabase (Postgres + Auth) and Microsoft SSO
$ cp .env.example .env

# apply the database schema to your project
$ supabase db push

# run locally
$ npm run dev          # http://localhost:3000

# deploy to Cloudflare Workers
$ npm run deploy
§09ROADMAP
REV 2026.06 · 09.00

Status and what is next.

The platform is built. The current focus is proving it with a small number of lighthouse customers across distinct industries, before extending the feature set.

Methodology & schema The RED rubric and the definitions-driven graph. Complete
Design system The editorial component library and dark-first theme. Complete
Authentication Microsoft SSO, protected routes and role-based access. Complete
Registers & CRUD Initiatives, risks and incidents, with containment trees and Kanban boards. Complete
RED scoring & trends Scoring on the initiative-to-risk edge, with per-assessment history. Complete
Reports & dashboards Risk matrix, RED coverage, portfolio and incident analytics, plus custom dashboards. Complete
Lighthouse customers Onboarding three lighthouse customers across three distinct industry verticals. In progress
Email notifications Alerts on assignments, status changes and due reassessments. Planned
Scheduling Recurring reviews and scheduled reassessments. Planned
§10FAQ
REV 2026.06 · 10.00

FAQs

Is it free?

Yes. Adaca RED is open source under the MIT licence. Use it, fork it, or run it commercially. There are no paid tiers.

Can I use just the methodology?

Yes. RED is documented as a standalone specification and can be applied in any tool.

Is it production-ready?

The platform is complete and in early adoption. We are onboarding a small number of lighthouse customers before broadening availability.

What does it run on?

vinext (the Next.js App Router on Vite), Supabase (Postgres and Auth) with Microsoft SSO, and Cloudflare Workers.

Can I contribute?

Yes. Issues and pull requests are welcome on GitHub once the repository is public.

§11ABOUT THE TEAM
REV 2026.06 · 11.00

The team behind Adaca RED.

Adaca RED is built and maintained by Adaca, an Australian technology company supported by 150+ engineers across Sydney, Melbourne, Auckland and Manila.

Lambros Photios
Founder

Lambros Photios

Founded Adaca in 2015 and scaled it to a 150-person engineering firm.

Ben Pinkerton
CTO

Ben Pinkerton

20+ years in enterprise architecture and digital transformation across ANZ and ASEAN.

Fredy Lievano
Solution Architect

Fredy Lievano

AWS-certified, 16+ years across AI, cloud and software architecture.

§12OPEN SOURCE
REV 2026.06 · 12.00

Open source under MIT.

Adaca RED is released under the MIT licence. The source is available to self-host, fork, or build on. It runs on vinext, Supabase and Cloudflare Workers.

View on GitHub