After speaking with over 50+ CISOs, DevOps, pre-series A founders for months, I realized a problem in the GRC industry. SOC 2 automation exists, but people are split between trusting these black-box tools with systems that are continuously changing. As a result, audits are slow and mistrusted.

Right now the most important thing is verifiability depth, rather than just compliance automation, because it does exist, everywhere.

Here's what I did from learning this:

- Created an open-source AWS Evidence Scanner Control Mapper for lean, pre-series A AWS-native teams thinking about SOC 2 Type I or are undergoing a SOC 2 Type I audit. Collects across 15+ AWS services to 12 critical controls in the trust-service criteria.

Why open-source? Accessibility for people who might have their hands tied choosing between expensive GRC tools. It's also used as a trust mechanism. Code is right there. A CEO or auditor can read exactly what API calls we make before giving us the role ARN.

- I included a paid report embedded within the tool (open-core model). Users have the option to pay for the report in which every finding traces back to the API call that produced it. SHA-256 hashed (at a fraction of the cost of bigger legacy platforms). With remediation steps and a compliance copilot to help with other parts of the Type I process beyond evidence collection (like policy writing, risk assessment, etc).

Why paid report? The best way to make the auditor's job as easy as possible is to give them a verifiable package where the evidence is right there in front of them, timestamped so they can see what happened, when (rooted in AWS APIs). No black-box, no way to fake it. Saving weeks of back and forth between auditors and clients, with the click of a few buttons.

An auditor can re-run the same API call, hash the response themselves, and verify it matches what's in the report.

Value: 30 seconds to deploy. 5 mins to run the scan and evidence is collected and mapped. Paid report includes verifiable evidence companies can send to their auditor. Paid features include a co-pilot to help with audit-readiness beyond just evidence collection.

- Understand Limitations.

I understand the scope of this product is pretty limited, in part because it's also very new. I'm not going to claim it solves all of compliance, because it doesn't. It makes a very time-consuming part of the process very accessible to be automated and gives an auditor a report they can rely on.

What now? Anyone who's gone through, thinking about or is in the middle of SOC 2, would love your reaction to the output, even if it's critical. Also looking for early testers/users.

repo here: https://github.com/adog0822/AWS-Evidence-Layer

try it here: https://loxeai.com
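
The re-run-and-hash check described in the post, sketched as an added example; this is not code from the post or from the linked repository, whose hashing scheme may differ. The record layout, function names and sample responses are assumptions constructed for illustration, and the point it shows is that per-request fields must be excluded and the JSON canonicalized before an auditor's digest can match.

```python
import hashlib
import hmac
import json

# boto3 puts per-request data (RequestId, HTTP headers) under this key; it
# differs on every call, so it must stay out of the digest.
VOLATILE_KEYS = {"ResponseMetadata"}

def canonical_bytes(response):
    """Deterministic serialization: volatile keys dropped, keys sorted."""
    stable = {k: v for k, v in response.items() if k not in VOLATILE_KEYS}
    # default=str covers datetime values that boto3 returns for timestamps
    return json.dumps(stable, sort_keys=True, separators=(",", ":"),
                      default=str).encode("utf-8")

def digest(response):
    return hashlib.sha256(canonical_bytes(response)).hexdigest()

def make_evidence(service, operation, params, response, collected_at):
    """Bind the API call and its parameters to a digest of what it returned."""
    return {"service": service, "operation": operation, "params": params,
            "collected_at": collected_at, "sha256": digest(response)}

def verify_evidence(record, fresh_response):
    """Auditor side: hash a re-run of the same call and compare."""
    return hmac.compare_digest(digest(fresh_response), record["sha256"])

# Constructed sample data in the shape of S3 GetBucketEncryption output.
def _resp(request_id, algorithm):
    return {"ResponseMetadata": {"RequestId": request_id, "HTTPStatusCode": 200},
            "ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algorithm},
                 "BucketKeyEnabled": False}]}}

COLLECTED = _resp("REQ-A", "AES256")   # what the scanner saw
RERUN = _resp("REQ-B", "AES256")       # auditor's re-run, same configuration
DRIFTED = _resp("REQ-C", "aws:kms")    # configuration changed since collection

RECORD = make_evidence("s3", "get_bucket_encryption",
                       {"Bucket": "example-bucket"}, COLLECTED,
                       "2024-01-01T00:00:00Z")

if __name__ == "__main__":
    print(verify_evidence(RECORD, RERUN))    # True
    print(verify_evidence(RECORD, DRIFTED))  # False
```

A mismatch on re-run does not by itself distinguish a tampered report from a resource that changed after `collected_at`, so the comparison is only conclusive for configuration that has not drifted since collection.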