SOC 2 on AWS, How we built an AI Agent that Automatically Remediates SOC 2 Issues

Discover how automation can be a powerful ally in achieving and maintaining HIPAA compliance, reducing risks and administrative burdens for healthcare organizations.

Can AI Agents be used to fix or 'remediate' issues identified during a SOC 2 audit? Here's how we've built an agent that saves dozens of hours

SOC 2 on AWS, How we built an AI Agent that Automatically Remediates SOC 2 Issues
Can AI Agents be used to fix or 'remediate' issues identified during a SOC 2 audit? Here's how we've built an agent that saves dozens of hours
Easmond Tsewole
Chief Executive Officer

Companies selling to enterprise or in regulated industries, are often asked "Are you SOC 2 compliant?" For several deals, it is a deal breaker to say no. However, getting the SOC 2 certification is not trivial, particularly for smaller teams. It requires dozens to hundreds of hours of work. Identifying, then fixing findings in processes and infrastructure.

This is the story of my cofounder, David Thompson, who lived it for years. Company scan tools would surface the findings. He'd then have to provide it to the engineering team. An engineer would pick it up, but take a while to resolve. The patch itself isn't the hard part. The work around the patch is. All-the-while, the findings are still failing.

Governance, risk and compliance (GRC) platforms, like Vanta and Drata, make this process easier. They handle identification of issues, letting teams know what needs to be fixed. However, the fixes are still on the team to coordinate and implement. Ideally, while shipping new features and handling fires. However, usually one or more balls are dropped.

This is the part of SOC 2 audits that take weeks. RedSecLabs estimates between 150-300 hours per audit, and this is with a GRC platform.

As we've been going through our own SOC 2 audit, we've experimented with using an agentic framework which has saved us dozens of hours already.

What SOC 2 actually covers

SOC 2 isn't a checklist of AWS configurations. It is a statement that your team has designed, implemented, and operates securely in 5 key areas of your business. An auditor will eventually want evidence in every one of these:

  • Security
  • Availability
  • Process Integrity
  • Confidentiality
  • Privacy

How teams actually do this today

For a team going through a SOC 2 audit, the process looks like this:

  1. Readiness. An auditor or consultant runs a gap analysis. Usually a spreadsheet, or dashboard of controls with a list of missing pieces.
  2. Scan. The GRC platform's integrations enumerate technical findings. Usually 50-100 failing checks on the first run.
  3. Triage. An engineer sorts which findings are critical, which are noise, and which are scoped out.
  4. Remediation. For each finding, engineers determine what the fix will break. Then work to test & implement these fixes. This is where engineering can disappear for weeks, as they are forced to split time between fixing old problems and building new features.
  5. Evidence collection. Evidence is provided, usually as screenshots, configuration exports, ticket histories, or policy sign-offs.
  6. Attestation. A CPA firm attests whether the controls actually operated over the period. For a Type 2, that's typically a six-month window.

Each of these steps are usually calendar and process-heavy.

That's where we put the agent.

Where the agent fits

We're shipping a an open-source AI Agent which you can drop in your infrastructure repo. Clone it, run Claude Code in the directory, and provide it findings from your GRC platform. What happens next is the agent gets to work on analyzing your environment, so it has the context to write fixes.

Here's what it looks like end to end.

Phase 1: Verify. Provide the findings from your GRC environment to Claude. Then Claude will investigate your infrastructure, and identify if it can fix it.

Phase 2: Assess blast radius. Before drafting any patch, Claude investigates the AWS environment. Has there been any recent access? From where? Why? How can resolving the issue impact other services deployed in AWS? It then writes an impact analysis in markdown, detailing it's findings.

Phase 3: Ask the human. Claude will ask any follow-up questions. Claude does not proceed past this point without an answer.

Phase 4: Remediate. Once you've answered, Claude writes the CloudFormation patch, with full context. It leverages Prowler's snippets as a template, and opens a draft PR for review.

Phase 5: Document. Claude commits the findings, and documents the evidence.

Where the agent stops

The agent does not:

  • Write your security policies, code of conduct, or risk register
  • Run your vendor reviews, DPAs, or sub-processor assessments
  • Conduct your access reviews
  • Replace your auditor

What you can take

The repository is at `github.com/tudovu/soc-2-remediation-agent`

Prerequisites: AWS read-only credentials configured locally and Claude Code. Clone the repo and provide claude with your GRC platform's findings. " You'll have your first impact analysis and draft PR in about five minutes.

MIT license. Use it, fork it, open a PR if you spot something we missed.

Join the Newsletter

Get our new signals right into your email inbox. No spam, only quality content!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Book a demo and see how Tudovu turns GRC findings into reviewable CloudFormation PRs, and gates new infrastructure so posture doesn’t drift.
© Tudovu Inc. All rights reserved.