DEV Community

Raphael

I built an open-source AWS SOC 2 readiness scanner because SOC 2 prep is still too manual

Most startups don’t fail SOC 2 because they lack security.

They fail because they don’t know what “audit-ready” actually looks like until it’s too late.

I kept seeing the same pattern over and over:

  • Teams already use AWS securely
  • They pass internal security reviews
  • Then SOC 2 happens… and everything breaks

Not because of major security flaws, but because of missing evidence, unclear control mapping, and manual checklist chaos.

So I built something to fix that.


The problem: SOC 2 is still an evidence problem, not a security problem

If you’ve gone through SOC 2, you probably recognize this workflow:

  • Pull IAM configs manually
  • Screenshot AWS settings
  • Export CloudTrail logs
  • Map everything into a spreadsheet
  • Try to match it to SOC 2 controls
  • Repeat across dozens of checks

And somehow this still takes weeks of engineering time.

Most of the data already exists in AWS. It’s just not structured in a way auditors can use.

That gap is where most teams get stuck.


Introducing TrailScan

TrailScan is a free, open-source AWS SOC 2 readiness scanner.

It runs locally against your AWS account and tells you:

  • What SOC 2 controls you’re failing
  • Why it matters
  • How severe it is
  • How ready you are for audit

What it does

TrailScan runs 35 automated AWS checks across:

  • IAM
  • S3
  • EC2
  • RDS
  • CloudTrail
  • GuardDuty
  • VPC
  • KMS
  • CloudWatch

Each check is mapped directly to SOC 2 Trust Services Criteria.


What makes TrailScan different

1. SOC 2-specific focus (not generic cloud security)

Most tools scan for “security best practices.”

TrailScan focuses specifically on SOC 2 audit readiness, which is a different problem.


2. Readiness score you can actually understand

You don’t just get findings.

You get a 0–100% SOC 2 readiness score, plus:

  • Pass / Fail / Warning breakdown
  • Control mapping
  • Exportable reports (JSON / CSV)

3. CI-friendly design

TrailScan is built for engineers:

  • Exit codes for CI pipelines
  • Fast execution (~2 minutes)
  • No SaaS lock-in
  • No data sent externally
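
An added example, not TrailScan's own code, of how the pieces described above (a 0–100 readiness score, a Pass/Fail/Warning breakdown, a mapping from each check to SOC 2 Trust Services Criteria, JSON/CSV export and a CI exit code) can fit together in Python. The check IDs, the control assignments, the severity weights, the half-credit for warnings and the exit-code convention are all assumptions made for illustration; the scan results are constructed rather than read from an AWS account.

```python
"""Added illustration (not TrailScan's own code): turning per-check
results into a control-mapped SOC 2 readiness score, a Pass/Fail/Warning
breakdown, JSON/CSV exports and a CI exit code. Check names, control
mappings, weights and the exit-code convention are assumptions."""
import csv
import io
import json
from dataclasses import asdict, dataclass
from enum import Enum


class Status(str, Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    WARN = "WARN"


@dataclass(frozen=True)
class CheckResult:
    check_id: str
    service: str
    status: Status
    severity: str        # "high" | "medium" | "low" (assumed scale)
    tsc_controls: tuple  # SOC 2 Trust Services Criteria IDs (assumed mapping)
    rationale: str       # why an auditor cares about this finding


# Constructed sample results standing in for a real scan of an account.
SAMPLE_RESULTS = [
    CheckResult("cloudtrail.multi_region_trail", "CloudTrail", Status.PASS, "high",
                ("CC7.2",), "Audit logging must cover all regions to evidence monitoring."),
    CheckResult("iam.root_mfa_enabled", "IAM", Status.FAIL, "high",
                ("CC6.1",), "Root without MFA is a common logical-access finding."),
    CheckResult("s3.account_public_access_block", "S3", Status.FAIL, "high",
                ("CC6.6",), "Public buckets undermine boundary-protection controls."),
    CheckResult("guardduty.enabled", "GuardDuty", Status.WARN, "medium",
                ("CC7.2",), "Enabled in some regions only; detection evidence is partial."),
    CheckResult("kms.key_rotation_enabled", "KMS", Status.PASS, "medium",
                ("CC6.1", "CC6.7"), "Key rotation supports encryption-at-rest evidence."),
]

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed weighting
WARN_CREDIT = 0.5  # a warning earns half credit (assumed)


def readiness_score(results):
    """0-100 score: severity-weighted share of credit earned across all checks."""
    total = sum(SEVERITY_WEIGHT[r.severity] for r in results)
    if total == 0:
        return 100  # nothing to check means nothing failed
    earned = 0.0
    for r in results:
        weight = SEVERITY_WEIGHT[r.severity]
        if r.status is Status.PASS:
            earned += weight
        elif r.status is Status.WARN:
            earned += weight * WARN_CREDIT
    return round(100 * earned / total)


def breakdown(results):
    """Count of checks per status, the Pass / Fail / Warning summary line."""
    counts = {s.value: 0 for s in Status}
    for r in results:
        counts[r.status.value] += 1
    return counts


def control_map(results):
    """Group findings by TSC control ID so the report reads per control, as an auditor does."""
    by_control = {}
    for r in results:
        for control in r.tsc_controls:
            by_control.setdefault(control, []).append((r.check_id, r.status.value))
    return dict(sorted(by_control.items()))


def audit_blockers(results):
    """High-severity failures: the findings that would stall an audit."""
    return [r.check_id for r in results if r.status is Status.FAIL and r.severity == "high"]


def to_json(results):
    """Machine-readable report with score, breakdown, control map and raw findings."""
    report = {
        "score": readiness_score(results),
        "breakdown": breakdown(results),
        "controls": control_map(results),
        "findings": [{**asdict(r), "status": r.status.value} for r in results],
    }
    return json.dumps(report, indent=2)


def to_csv(results):
    """Flat CSV, one finding per row, for dropping into an evidence spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["check_id", "service", "status", "severity", "tsc_controls", "rationale"])
    for r in results:
        writer.writerow([r.check_id, r.service, r.status.value, r.severity,
                         ";".join(r.tsc_controls), r.rationale])
    return buf.getvalue()


def ci_exit_code(results, min_score=80):
    """Assumed convention: 0 = ready, 1 = audit blockers present, 2 = below threshold."""
    if audit_blockers(results):
        return 1
    if readiness_score(results) < min_score:
        return 2
    return 0


if __name__ == "__main__":
    import sys
    print(to_json(SAMPLE_RESULTS))
    print(to_csv(SAMPLE_RESULTS))
    sys.exit(ci_exit_code(SAMPLE_RESULTS))
```

On the constructed input the score comes out at 46 with two high-severity failures, so a pipeline gate keyed on the exit code fails the build on the blockers themselves rather than on the aggregate number; separating "blockers present" from "score below threshold" is what lets a team fix the audit-stopping items first.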

4. Fully open-source

You can inspect every check.

No black box. No hidden logic.


TrailScan vs Prowler and similar tools

There are already strong AWS security tools in the ecosystem, especially open-source projects like Prowler, as well as cloud-native services like AWS Security Hub.

Here’s how TrailScan is different:

1. Purpose: SOC 2 readiness vs general security posture

  • Prowler and similar security tools: Broad AWS security benchmarking (CIS, NIST, general best practices)
  • TrailScan: Narrow focus on SOC 2 Trust Services Criteria mapping

Instead of asking:

“Is your AWS secure?”

TrailScan asks:

“Are you audit-ready for SOC 2?”


2. Output: compliance narrative vs security findings

  • Prowler-style tools: Security findings, misconfigurations, compliance checks
  • TrailScan: Readiness scoring + SOC 2 control mapping

Each finding is designed to answer:

  • Which SOC 2 control is impacted
  • Why it matters in audit context
  • Whether it blocks certification readiness

3. Audience: security engineers vs audit-bound startups

  • Prowler: Security teams, cloud engineers, SecOps
  • TrailScan: Founders, startups, DevOps teams preparing for SOC 2

It’s optimized for a very specific moment:

“We need SOC 2 in the next few months and don’t know where we stand.”


4. Signal-to-noise ratio

Generic security tools often return hundreds of findings.

TrailScan intentionally limits scope to SOC 2-relevant checks only, reducing noise and focusing attention on audit blockers.


Why I built this as open-source first

SOC 2 tooling has a trust problem.

Security teams don’t like black boxes touching their infrastructure.

So TrailScan is intentionally:

  • Local-first
  • Read-only
  • Transparent
  • Inspectable

The idea is simple:

If you don’t trust it, you should still be able to verify it.


Who this is for

TrailScan is useful if you are:

  • A startup preparing for SOC 2 Type I or II
  • A DevOps engineer responsible for AWS security
  • A founder dealing with enterprise security reviews
  • A team that wants a quick readiness snapshot without adopting a full GRC platform

What TrailScan is NOT

It is not:

  • A full compliance platform
  • A policy generator
  • A continuous monitoring system
  • A replacement for auditors or GRC tools

It’s intentionally narrow:

A fast way to understand where you stand before SOC 2 becomes painful.


Try it out

GitHub: https://github.com/1amplant/trailscan

It takes about 2 minutes to run, and you’ll get a SOC 2 readiness report from your AWS environment.


Feedback welcome

I’m actively improving the checks and mapping.

If you’ve gone through SOC 2 before, I’d love feedback on:

  • Missing checks
  • False positives
  • Real audit gaps
  • Useful improvements

Open issues on the repo anytime.


TL;DR

TrailScan is an open-source AWS scanner that:

  • Runs 35 SOC 2-focused checks
  • Maps results to SOC 2 controls
  • Gives a readiness score
  • Exports audit-friendly reports
  • Runs locally in ~2 minutes

It’s built to answer one question:

“Are we actually ready for SOC 2, or about to find out the hard way?”
