Run a scan. Get a report. Hand it to your auditor. Done before lunch.

Product & report reviewed by practitioners at Prescient Security, Lindford & Co, BAAR Advisory, and Johanson Group
Supported by IDEA Venture Accelerator, Northeastern University
Advisor support from James Hendler, ML Researcher & Professor at RPI
5 teams running open-source scans on their AWS infrastructure
Three steps to SOC 2 clarity.
Generate your External ID
A unique identifier ties the scan to your AWS account. You can regenerate it anytime.
Launch the CloudFormation stack
Download the YAML template or launch directly in AWS. It grants only the read-only permissions we need.
Paste your Role ARN & scan
We connect via STS AssumeRole, collect evidence from 25+ services, and map it to 12 SOC 2 controls. Results in 2–3 minutes.
More than a compliance tool

Inside the Evidence Tracer — the first screen you see when you launch a scan with the agent.

Your security program, not a textbook
Define what passing looks like for your organization. Your policies, contractual commitments, and industry requirements become deterministic checks. Custom controls run on every scan with the same SHA-256 evidence pipeline as built-in controls.
- Describe your requirement in plain English
- Gideon drafts a structured control definition
- Backend validates against supported check catalog
- Runs automatically on every future scan

Every finding hashed. Every link verifiable.
Every evidence item carries the exact AWS API endpoint called, the request timestamp in ISO 8601 UTC, the raw response body, and a SHA-256 hash. An auditor can clone the open-source repo, run the same calls, and verify that our evidence matches what they collect independently.
- AWS API call → raw response stored
- SHA-256 hashed → finding cites evidence ID
- Report references finding → full chain verifiable
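The chain above, as an added example rather than the project's own code: each evidence item hashes the endpoint, the ISO 8601 UTC timestamp and the raw response body, a finding cites the resulting evidence ID, and a verifier recomputes every cited hash so a tampered or missing item is caught. The field names, the canonical-JSON hashing and the sample response are assumptions made for the example.

```python
import hashlib
import json

def canonical(obj) -> bytes:
    """Serialise deterministically so identical evidence always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def make_evidence(endpoint: str, timestamp_utc: str, raw_response: dict) -> dict:
    """Evidence item: endpoint called, ISO 8601 UTC timestamp, raw body, SHA-256 over all three."""
    body = {"endpoint": endpoint, "timestamp": timestamp_utc, "response": raw_response}
    return {"evidence_id": hashlib.sha256(canonical(body)).hexdigest(), **body}

def verify_report(report: dict, evidence_store: dict) -> list:
    """Recompute every cited hash; return the problems found (empty list means the chain verifies)."""
    problems = []
    for finding in report["findings"]:
        for eid in finding["evidence_ids"]:
            item = evidence_store.get(eid)
            if item is None:
                problems.append(f"{finding['id']}: evidence {eid[:12]} missing from store")
                continue
            body = {k: item[k] for k in ("endpoint", "timestamp", "response")}
            if hashlib.sha256(canonical(body)).hexdigest() != eid:
                problems.append(f"{finding['id']}: evidence {eid[:12]} does not match its hash")
    return problems

# Constructed sample (not real account data): a hypothetical GetAccountPasswordPolicy response.
SAMPLE = make_evidence(
    "iam.amazonaws.com/GetAccountPasswordPolicy",
    "2024-05-01T12:00:00Z",
    {"PasswordPolicy": {"MinimumPasswordLength": 8, "RequireSymbols": False}},
)
STORE = {SAMPLE["evidence_id"]: SAMPLE}
REPORT = {"findings": [{"id": "finding-001", "evidence_ids": [SAMPLE["evidence_id"]]}]}

def tampered_store() -> dict:
    """Same store, but the stored raw response was edited after it was hashed."""
    bad = dict(SAMPLE)
    bad["response"] = {"PasswordPolicy": {"MinimumPasswordLength": 14, "RequireSymbols": True}}
    return {bad["evidence_id"]: bad}

if __name__ == "__main__":
    print(verify_report(REPORT, STORE))             # [] -> chain verifies
    print(verify_report(REPORT, tampered_store()))  # one hash mismatch reported
```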

Meet Gideon. Your compliance co-pilot.
- Policy writing, vendor risk, HR controls, client onboarding, and more
- Gideon answers in the context of your actual scan results and helps you remediate within your workflow
- Ask it how to explain a finding to your auditor, and it gives you the words with the evidence attached
See what a scan looks like
Explore a SOC 2 readiness scan of AcmePay, Inc. — no AWS credentials needed.
Interactive report for AcmePay, Inc.
Run your own scan
Connect your AWS account using a read-only role to generate a complete compliance gap analysis in minutes.
Rate limited to 5 scans/day (UTC)
Generate your ExternalId
This secret binds the cross-account role to your scan. Copy it — you'll paste it into the CloudFormation template next.
What we touch
- IAM users, roles, policies · Password policy · MFA status
- S3 encryption, public access, versioning · Bucket policies
- CloudTrail trails, event selectors · Log file validation
- Config recorders & rules · EC2 security groups, VPCs, flow logs
- KMS keys + rotation · GuardDuty detectors · SecurityHub standards
- SSO / Identity Center · Secrets Manager metadata only (never values)
- WAF Web ACLs · Lambda functions · RDS instances · SNS topics · CloudWatch alarms
Read-only · ExternalId-bound · Zero secret material accessed
5 scans / ExternalId / day · 1 concurrent
Simple, honest pricing
Start free. Upgrade when you need the full platform.
- 15+ AWS services scanned
- Mapped to 12 core SOC 2 controls
- Gap score + CSV export
- 1–2 in-depth remediation walkthroughs
- You own the data — delete anytime
- 5 scans/day
Everything in free, plus:
- 25+ AWS services, continuous scanning
- Custom controls you define yourself
- Gideon compliance co-pilot
- SHA-256 verified HTML + JSON report
- Scan history with deltas
- Direct say in product roadmap
- Grandfathered pricing, forever
- Hands-on founder support
A "seat" = one user account / login.
1 seat allows you to access your org's workspace.
Questions? Reach out at mehta.arja@northeastern.edu or Book a Call →