u/Illustrious-Egg8857

r/grc

AI CPA

Was in a call with an auditor today. We were having an interesting convo about the future of GRC tools & automation. He mentioned something I haven't really heard of before: AI CPAs. They're coming, rapidly. They might even replace some of these tools & processes that auditors use.

Is this true? Have you heard of this AI CPA wave incoming? Should auditors be worried?

u/Illustrious-Egg8857 — 9 days ago

How to Scale Open-Source SOC 2 Evidence & Mapping for lean, AWS-Native teams?

Hey y'all, I spent the past month and a half speaking with a ton of different DevOps, CISOs, & pre-series A founders and saw that SOC 2 is still stupidly stressful, expensive, & loosely automated systems can be plain inaccurate. Systems are constantly changing, so audits are slow or mistrusted.

I decided to create an AWS Infrastructure Layer, open-sourcing the Evidence & Control Mapping scanning part of SOC 2 (Type I) for lean, AWS-Native teams that are thinking about SOC 2 & find the existing GRC tools a bit scary, or are mid-audit. The point is to make it accessible, open, and helpful to streamline people's processes, as a pre-audit readiness tool so they don't have to be scrambling at the last minute.

To solve for the transparency issue, after the scan is complete, there's an auditor-verifiable report in which every finding traces back to the API call that produced it (SHA-256 hashed), all done with the click of a few buttons, in minutes.

Problem: Actually getting this repo out there, and getting people to trust it without a significant amount of social proof? Wondering what types of communities/places I should be looking into to actually promote this repo and get the tool out there. I genuinely think it could be super helpful for people, but the problem is no one knows it exists.

If you're curious, here's the repo down below:
https://github.com/adog0822/AWS-Evidence-Layer

Would love some honest feedback & ideas for pushing it out there. Thanks!

u/Illustrious-Egg8857 — 12 days ago
r/AI_Governance (+6 crossposts)

Most SOC 2 tools still can’t show where the evidence actually came from. So I open-sourced the AWS layer.

Hey y'all, I'm a founder. After talking to & learning from over 50 auditors, security engineers, and pre-Series A founders, I found that the hardest part of SOC 2 infrastructure reviews wasn’t “finding” the data, but proving where evidence came from.

A screenshot (or loosely automated system) of an IAM config doesn’t tell an auditor:

  • when it was pulled
  • which API generated it
  • what region it came from
  • whether someone modified it afterward

So I built a read-only AWS evidence scanner that:

  • Assumes a read-only IAM role
  • Fans out across AWS services/regions
  • Maps findings to SOC 2 controls
  • Stores the exact API responses, timestamps, endpoints, and regions used to generate evidence

Takes ~30 seconds to deploy and a few minutes to run.

The goal wasn’t to “automate SOC 2”, but to make infrastructure evidence reproducible and independently verifiable.

A lot of early-stage founders I spoke with were stuck between:

  • manually pulling screenshots for weeks
  • or paying $10k–$50k/year for tooling they still had to babysit

This is specifically for AWS-native startups trying to survive early compliance without burning engineering time.

Check out the repo here (anyone can run it): https://github.com/adog0822/AWS-Evidence-Layer

The scanner is read-only, runs inside your own AWS environment, and stores evidence locally. No write permissions, no infrastructure changes, and no credentials leave your account.

Would love to know what you guys think. If you’ve gone through SOC 2 recently, especially on a small team, I’d genuinely love to know whether this matches your experience or if I’m thinking about the problem wrong.

u/Illustrious-Egg8857 — 9 days ago
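The two posts above describe evidence records in which every finding traces back to the API call that produced it (with a SHA-256 hash) and which carry the timestamp, operation, region and endpoint an auditor would ask for. The following is an added example of that record shape, not code from the AWS-Evidence-Layer repo: it builds a record around a constructed sample response, hashes the canonical JSON of the provenance block, and verifies that the hash still matches, so any later edit to the stored response is detected. The service, operation, endpoint, region and the control mapping (CC6.1) are assumptions chosen for illustration.

```python
"""Evidence record with verifiable provenance (added example, not the repo's own code)."""
import copy
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: the shape a read-only iam:GetAccountPasswordPolicy call
# returns. This is NOT a live AWS response.
SAMPLE_RESPONSE = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireSymbols": True,
        "MaxPasswordAge": 90,
    }
}


def canonical_json(obj) -> str:
    """Deterministic serialisation: sorted keys, no whitespace, ASCII only.
    Without this, two equal dicts could hash differently."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_evidence_record(service, operation, region, endpoint, response,
                         control_id, collected_at=None):
    """Wrap a raw API response with the provenance an auditor needs and a
    SHA-256 over the whole provenance block (hashed at collection time)."""
    if collected_at is None:
        collected_at = datetime.now(timezone.utc).isoformat()
    provenance = {
        "service": service,          # which AWS service was queried
        "operation": operation,      # which API call generated the evidence
        "region": region,            # where it came from
        "endpoint": endpoint,        # the endpoint actually called
        "collected_at": collected_at,  # when it was pulled (UTC, ISO 8601)
        "response": response,        # the exact API response, unmodified
    }
    return {
        "control_id": control_id,    # assumed SOC 2 mapping, e.g. "CC6.1"
        "provenance": provenance,
        "sha256": sha256_hex(canonical_json(provenance)),
    }


def verify_evidence_record(record) -> bool:
    """Recompute the digest; False means the stored provenance was altered."""
    return sha256_hex(canonical_json(record["provenance"])) == record["sha256"]


def evaluate_password_policy(record, min_length=14) -> bool:
    """Example finding derived from the stored response: the check result is
    reproducible because it is computed from the hashed evidence itself."""
    policy = record["provenance"]["response"].get("PasswordPolicy", {})
    return policy.get("MinimumPasswordLength", 0) >= min_length


def tamper_with_record(record):
    """Simulate someone editing the stored evidence after collection."""
    altered = copy.deepcopy(record)
    altered["provenance"]["response"]["PasswordPolicy"]["MinimumPasswordLength"] = 8
    return altered


if __name__ == "__main__":
    rec = make_evidence_record(
        service="iam",
        operation="GetAccountPasswordPolicy",
        region="us-east-1",                       # assumed; IAM is a global service
        endpoint="https://iam.amazonaws.com",     # assumed endpoint for illustration
        response=SAMPLE_RESPONSE,
        control_id="CC6.1",                       # assumed control mapping
        collected_at="2024-01-01T00:00:00+00:00",
    )
    print("digest:", rec["sha256"])
    print("intact:", verify_evidence_record(rec))
    print("policy passes:", evaluate_password_policy(rec))
    print("tampered copy intact:", verify_evidence_record(tamper_with_record(rec)))
```

The hash covers the timestamp, operation, region and endpoint together with the response, so an auditor who re-runs the same read-only call can compare both the content and the provenance, and a record that was edited after collection fails verification rather than silently passing.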

Hey y'all,

I'm building an AI Agent built to streamline SOC 2 evidence collection for AWS-Native SaaS Startups.

Connecting via AWS APIs, the SaaS agent collects 1000+ evidence items, maps them to 8 Core SOC 2 controls, generates freshness + gap detection scores, & generates an auditor-ready package all in the click of a few buttons (value prop of turning 40+ hours of engineering time -> 5 mins).

The point of it is to be razor-focused, built specifically to be the fastest & most efficient audit automation tool for AWS-Native teams while keeping full traceability (every finding links back to the exact AWS API call).

I’m currently looking for early / paid pilots with AWS-native SaaS startups that have SOC 2 on their roadmap in the next ~90 days.

Would love to get feedback on:

  • What would make you actually pay for this?
  • What’s missing or confusing in the workflow?
  • Any friction points you foresee for your team using this?

Site: loxeai.com
Demo: https://www.loom.com/share/d7f9b8c7ef5c4c908f774dd2e109d929 (I've iterated some parts since this recording, but it shows the basic workflow)

u/Illustrious-Egg8857 — 2 months ago