compliance is broken in three specific ways. we are fixing all three.

We are a student and a small team. We do not have a billion-dollar war chest. We do not have a sales org. We do not have a booth at RSA.

What we have is a clear view of a problem that has been dressed up and sold back to the very people it was supposed to be solved for.

SOC 2 should be a proof of trustworthiness. A technical team showing an auditor, clearly and verifiably, that their infrastructure is secure. That their access is controlled. That their data is protected. That they did what they said they would do.

Instead it became a product category.

A $15,000 platform that gates the audit behind a sales call. A dashboard that shows pass and fail without letting you see how the number was reached, or whether you can trust the source. A workflow designed for a company that is not you. Months of back-and-forth arguing over screenshots nobody can independently verify. Engineering hours pulled from product to paste findings into spreadsheets. A market that profits from complexity it could reduce but chooses not to.

This is the status quo. We are launching three wars against it.

[ THE FIRST WAR ]

The war on the black box.

Let us say something plainly: automation is a commodity.

Any reasonably well-built tool can connect to your AWS account, run API calls, and return a list of what passed and what failed. That is table stakes. The incumbents do it. Prowler does it for free. We do it. The automation itself is not the differentiator.

Verifiability is the bottleneck. And nobody has solved it.

That is why we open-sourced the scan. Anyone can connect our agent to their AWS account, map evidence to 12 SOC 2 controls, and get a gap score. No sales call. No contract. Free. Because if the scan is not the moat, there is no reason to lock it behind one.

What the open-source version does not give you: the analysis, the custom controls, the deterministic evidence pipeline, Gideon. The things that take you from "here is a list of findings" to "here is a verifiable record your auditor can independently confirm."

In 2024, a compliance platform called Delve was found to have generated fraudulent SOC 2 reports. The reports looked legitimate. The dashboards showed green. The certifications were issued. None of it was real.

This was not a bug. It was a structural failure. When evidence lives inside a vendor's platform, when the only way to verify a finding is to trust the vendor's own output, when there is no chain of custody an auditor can independently trace, the entire system depends on a single point of trust that was never audited itself.

Every finding Loxe produces is tied to the exact AWS API call that generated it. Every evidence item carries a SHA-256 hash. An auditor can take our open-source scan logic, run the same calls against your AWS account, and confirm independently that our output matches what they collect themselves.
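The paragraph above describes a verifiable evidence chain in three parts: a finding tied to the API call that produced it, a SHA-256 digest over the evidence item, and independent re-execution by the auditor. The following is an added illustration of that pattern in Python, not Loxe's own code; the record layout, the `CC6.1` mapping and the `fetch` callable are assumptions, and the S3 `GetPublicAccessBlock` response is a constructed sample so the example runs offline.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample shaped like an S3 GetPublicAccessBlock response.
# It stands in for a live AWS call; no credentials are needed to run this.
SAMPLE_RESPONSES = {
    ("s3:GetPublicAccessBlock", "evidence-bucket"): {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        }
    },
}

REQUIRED_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls",
    "BlockPublicPolicy", "RestrictPublicBuckets",
)


def sample_fetch(api_call: str, params: dict) -> dict:
    """Stand-in for the real API client (hypothetical): returns the constructed sample."""
    return SAMPLE_RESPONSES[(api_call, params["Bucket"])]


def check_public_access_block(response: dict) -> str:
    """Deterministic check: every block-public-access setting must be enabled."""
    cfg = response.get("PublicAccessBlockConfiguration", {})
    return "PASS" if all(cfg.get(flag) is True for flag in REQUIRED_FLAGS) else "FAIL"


# Registry of check logic keyed by the API call that feeds it.
CHECKS = {"s3:GetPublicAccessBlock": check_public_access_block}


def canonical(obj) -> bytes:
    """Canonical JSON so the same content always hashes to the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def evidence_hash(record: dict) -> str:
    """SHA-256 over every field of the evidence item except the digest itself."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(canonical(body)).hexdigest()


def collect_evidence(control_id: str, api_call: str, params: dict, fetch) -> dict:
    """Collector side: run the call, evaluate the check, seal the record with a hash."""
    response = fetch(api_call, params)
    record = {
        "control_id": control_id,
        "api_call": api_call,
        "params": params,
        "response": response,
        "finding": CHECKS[api_call](response),
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    record["sha256"] = evidence_hash(record)
    return record


def verify_evidence(record: dict, fetch) -> dict:
    """Auditor side, three independent questions:
    integrity  - does the stored record still hash to its stored digest?
    consistent - does the check logic, run on the stored response, yield the stored finding?
    reproduced - does rerunning the same API call with my own client yield the same finding?
    """
    check = CHECKS[record["api_call"]]
    fresh = fetch(record["api_call"], record["params"])
    return {
        "integrity": evidence_hash(record) == record["sha256"],
        "consistent": check(record["response"]) == record["finding"],
        "reproduced": check(fresh) == record["finding"],
    }


if __name__ == "__main__":
    rec = collect_evidence("CC6.1", "s3:GetPublicAccessBlock",
                           {"Bucket": "evidence-bucket"}, sample_fetch)
    print(rec["finding"], rec["sha256"])
    print(verify_evidence(rec, sample_fetch))
    # Simulate a record edited after collection: the digest no longer matches.
    tampered = json.loads(json.dumps(rec))
    tampered["finding"] = "FAIL"
    print(verify_evidence(tampered, sample_fetch))
```

The digest proves the record was not altered after it was sealed; it does not by itself prove who sealed it, which is what a signature over the digest or an append-only log would add. The `reproduced` check is the part that removes the single point of trust: the auditor's own client and the open-source check logic, not the vendor's dashboard, decide whether the finding stands.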

This is not a feature. It is an architectural commitment.

"You should not have to trust us. You should be able to verify us."

[ THE SECOND WAR ]

The war on price as a moat.

The incumbents charge $15,000 to $40,000 a year for a first SOC 2.

We are not going to pretend those platforms are bad products. They are not. They are built for companies with compliance teams, procurement processes, and budget lines with commas in them.

But the 12-person AWS-native startup that needs to close their first enterprise deal is not that company. They are being asked to pay for questionnaire automation they will not use, risk registers they do not need yet, and trust centers that are a year away from mattering, because the pricing model assumes everyone is the same customer.

We do not believe price should be the moat. We believe the moat is the product.

$349. One-time. Design partner pricing. Not because we are giving it away. Because we believe that if you build something that genuinely works, the price should not be the reason someone does not use it.

Affordability and rigor are not in conflict. We intend to prove that.

[ THE THIRD WAR ]

The war on heteronomy.

Heteronomy: operating under rules imposed from outside. Following someone else's framework, someone else's template, someone else's idea of what your compliance program should look like.

Every compliance platform on the market will give you a template. A pre-built control library written for a generalized company. A policy document used by thousands of customers before you. A workflow designed to get everyone to the same finish line by the same route.

We think that is the wrong model.

Your AWS environment is not the same as anyone else's. Your auditor has specific requirements. Your contractual obligations have specific thresholds. Your risk tolerance has specific edges. Your team has a specific way of working.

Loxe is built to be yours from the first scan. Custom controls you write in plain English, translated into deterministic checks that run on your infrastructure automatically, on every scan. A SOC 2 catalog you rename and configure to reflect your actual program. A compliance co-pilot named Gideon trained on your data and your findings, so when you ask it to draft your incident response policy, it reads what your scan found first and then it writes.

The hero on our homepage says "done your way." That is not a tagline. It is a design principle held from the architecture up.

Compliance autonomy is not a premium feature. It is the baseline.

what we are actually building

Loxe starts here: one agent, one scan, one AWS-native evidence layer that makes your first SOC 2 fast, verifiable, and yours.

That is the entry point. Not the destination.

The problem we are solving is not "SOC 2 evidence collection." The problem is that every high-stakes financial and security review, from SOC 2 to ISO 27001 to a Series B financial audit to an IPO readiness review, runs on a broken manual process. One that treats humans as evidence-gathering machines and treats trust as something you purchase rather than something you prove.

We are building the AI preparation layer for all of it.

Live Now

The Evidence Tracer

Collects, maps, and cryptographically signs AWS infrastructure evidence. This is where the flywheel starts.

The Smart Document Hub

Connects to Slack, Notion, and Google Drive. Finds, extracts, and tags your policy documents to their controls automatically.

The PBC Tracker

Ingests the Provided by Client list from your auditor, auto-assigns items to teammates, and tracks deadlines without a spreadsheet.

Variance Analysis Agent

Analyzes period-over-period fluctuations in financial data and drafts the narrative justifications auditors require. The ones engineers spend three days writing from scratch.

Audit Package Generator

Compiles everything into a cross-linked, tamper-proof binder your auditor can actually use.

The Feedback Digester

Watches every human correction, every auditor comment, every rejected piece of evidence. It learns. Every audit makes the next one faster. Every edit sharpens the models.

When hundreds of audits have run through this system, Loxe will not just collect evidence. It will know what breaks.

It will know that 83% of SaaS companies on AWS fail CC6.1 before their first audit and warn you three months before yours. It will know the CloudTrail configurations auditors in your vertical always flag. It will know the vendor your auditor is going to ask about before they ask.

This is not automation. This is institutional knowledge at scale, surfaced at exactly the moment it is useful.

Right now, our wedge is AWS Evidence for SOC 2 audits. This was chosen deliberately. We want to go deep on being the best at one thing before expanding. The founders who run their first scan on Loxe are not just customers. They are the ones shaping what this becomes. Every audit, every finding, every piece of feedback is a data point in something bigger. The flywheel does not spin without them.

We are building this carefully, in public, and from the evidence up. If that sounds like something worth being part of, you are exactly who we built this for.

Compliance should be something you prove. We are building the tools to prove it.

If you are building something on AWS and your first audit is in front of you:

If you are a VC, an auditor, or someone thinking about where this space is going: