I built an open-source AWS SOC 2 readiness scanner because SOC 2 prep is still too manual

Raphael — Mon, 01 Jun 2026 11:45:18 +0000

Most startups don’t fail SOC 2 because they lack security.

They fail because they don’t know what “audit-ready” actually looks like until it’s too late.

I kept seeing the same pattern over and over:

Teams already use AWS securely
They pass internal security reviews
Then SOC 2 happens… and everything breaks

Not because of major security flaws, but because of missing evidence, unclear control mapping, and manual checklist chaos.

So I built something to fix that.

The problem: SOC 2 is still an evidence problem, not a security problem

If you’ve gone through SOC 2, you probably recognize this workflow:

Pull IAM configs manually
Screenshot AWS settings
Export CloudTrail logs
Map everything into a spreadsheet
Try to match it to SOC 2 controls
Repeat across dozens of checks

And somehow this still takes weeks of engineering time.

Most of the data already exists in AWS. It’s just not structured in a way auditors can use.

That gap is where most teams get stuck.

Introducing TrailScan

TrailScan is a free, open-source AWS SOC 2 readiness scanner.

It runs locally against your AWS account and tells you:

What SOC 2 controls you’re failing
Why it matters
How severe it is
How ready you are for audit

What it does

TrailScan runs 35 automated AWS checks across:

IAM
S3
EC2
RDS
CloudTrail
GuardDuty
VPC
KMS
CloudWatch

Each check is mapped directly to SOC 2 Trust Services Criteria.

What makes TrailScan different

1. SOC 2-specific focus (not generic cloud security)

Most tools scan for “security best practices.”

TrailScan focuses specifically on SOC 2 audit readiness, which is a different problem.

2. Readiness score you can actually understand

You don’t just get findings.

You get a 0–100% SOC 2 readiness score, plus:

Pass / Fail / Warning breakdown
Control mapping
Exportable reports (JSON / CSV)

3. CI-friendly design

TrailScan is built for engineers:

Exit codes for CI pipelines
Fast execution (~2 minutes)
No SaaS lock-in
No data sent externally

4. Fully open-source

You can inspect every check.

No black box. No hidden logic.

TrailScan vs Prowler and similar tools

There are already strong AWS security tools in the ecosystem, especially open-source projects like Prowler, as well as cloud-native services like AWS Security Hub.

Here’s how TrailScan is different:

1. Purpose: SOC 2 readiness vs general security posture

Prowler / Security tools: Broad AWS security benchmarking (CIS, NIST, general best practices)
TrailScan: Narrow focus on SOC 2 Trust Services Criteria mapping

Instead of asking:

“Is your AWS secure?”

TrailScan asks:

“Are you audit-ready for SOC 2?”

2. Output: compliance narrative vs security findings

Prowler-style tools: Security findings, misconfigurations, compliance checks
TrailScan: Readiness scoring + SOC 2 control mapping

Each finding is designed to answer:

Which SOC 2 control is impacted
Why it matters in audit context
Whether it blocks certification readiness

3. Audience: security engineers vs audit-bound startups

Prowler: Security teams, cloud engineers, SecOps
TrailScan: Founders, startups, DevOps teams preparing for SOC 2

It’s optimized for a very specific moment:

“We need SOC 2 in the next few months and don’t know where we stand.”

4. Signal-to-noise ratio

Generic security tools often return hundreds of findings.

TrailScan intentionally limits scope to SOC 2-relevant checks only, reducing noise and focusing attention on audit blockers.

Why I built this as open-source first

SOC 2 tooling has a trust problem.

Security teams don’t like black boxes touching their infrastructure.

So TrailScan is intentionally:

Local-first
Read-only
Transparent
Inspectable

The idea is simple:

If you don’t trust it, you should still be able to verify it.

Who this is for

TrailScan is useful if you are:

A startup preparing for SOC 2 Type I or II
A DevOps engineer responsible for AWS security
A founder dealing with enterprise security reviews
A team that wants a quick readiness snapshot without adopting a full GRC platform

What TrailScan is NOT

It is not:

A full compliance platform
A policy generator
A continuous monitoring system
A replacement for auditors or GRC tools

It’s intentionally narrow:

A fast way to understand where you stand before SOC 2 becomes painful.

Try it out

GitHub: https://github.com/1amplant/trailscan

It takes about 2 minutes to run, and you’ll get a SOC 2 readiness report from your AWS environment.

Feedback welcome

I’m actively improving the checks and mapping.

If you’ve gone through SOC 2 before, I’d love feedback on:

Missing checks
False positives
Real audit gaps
Useful improvements

Open issues on the repo anytime.

TL;DR

TrailScan is an open-source AWS scanner that:

Runs 35 SOC 2-focused checks
Maps results to SOC 2 controls
Gives a readiness score
Exports audit-friendly reports
Runs locally in ~2 minutes

It’s built to answer one question:

“Are we actually ready for SOC 2, or about to find out the hard way?”

DEV Community: Raphael