
Easmond Tsewole
Chief Executive Officer
Can AI Agents be used to fix or 'remediate' issues identified during a SOC 2 audit? Here's how we've built an agent that saves dozens of hours


Companies selling to enterprises or into regulated industries are often asked "Are you SOC 2 compliant?" For many deals, answering no is a deal breaker. Getting a SOC 2 report is not trivial, though, particularly for smaller teams: it takes dozens to hundreds of hours of identifying, then fixing, findings in processes and infrastructure.
This is the story of my cofounder, David Thompson, who lived it for years. Scan tools would surface the findings. He'd then hand them to the engineering team. An engineer would pick one up, but it took a while to resolve. The patch itself isn't the hard part; the work around the patch is. All the while, the findings keep failing.
Governance, risk and compliance (GRC) platforms like Vanta and Drata make this process easier. They handle identifying the issues and tell teams what needs to be fixed. The fixes, however, are still on the team to coordinate and implement, ideally while shipping new features and handling fires. Usually one or more balls get dropped.
This is the part of a SOC 2 audit that takes weeks. RedSecLabs estimates 150-300 hours per audit, and that is with a GRC platform.
As we've been going through our own SOC 2 audit, we've experimented with an agentic workflow that has already saved us dozens of hours.
SOC 2 isn't a checklist of AWS configurations. It is a statement that your team has designed, implemented, and operates controls in five key areas of your business, the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. An auditor will eventually want evidence for every one of these.
For a team going through a SOC 2 audit, the process looks like this:
Each of these steps is usually calendar- and process-heavy.
That's where we put the agent.
We're shipping an open-source AI agent that you can drop into your infrastructure repo. Clone it, run Claude Code in the directory, and give it the findings from your GRC platform. The agent then analyzes your environment so it has the context to write fixes.
Here's what it looks like end to end.
Phase 1: Verify. Provide the findings from your GRC platform to Claude. Claude investigates your infrastructure and determines whether it can fix each one.
Phase 2: Assess blast radius. Before drafting any patch, Claude investigates the AWS environment. Has there been recent access to the resource? From where? Why? How could resolving the issue affect other services deployed in AWS? It then writes an impact analysis in markdown detailing its findings.
Phase 3: Ask the human. Claude asks any follow-up questions and does not proceed past this point without an answer.
Phase 4: Remediate. Once you've answered, Claude writes the CloudFormation patch with full context, using Prowler's remediation snippets as a template, and opens a draft PR for review.
Phase 5: Document. Claude commits the findings and documents the evidence.
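The five phases above, as an added example that is not the project's code: a Python model of the loop for one finding type (an S3 bucket with no PublicAccessBlock), run offline on constructed inputs. The finding and CloudTrail event shapes, the template, the 10.0.0.0/8 VPC range and all function names are assumptions; the real agent reads live AWS state and opens a PR, which this omits, and Phase 5 is represented only by the impact-analysis markdown it produces.

```python
"""Added example, not the project's code: an offline model of the agent's
verify -> assess -> ask -> remediate -> document loop for one finding type,
an S3 bucket with no PublicAccessBlock. Every input below is constructed;
the finding and event shapes are assumptions, not any vendor's schema."""
import copy
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed GRC finding.
FINDING = {"check_id": "s3_bucket_public_access_block",
           "resource_arn": "arn:aws:s3:::example-logs", "severity": "high"}

# Constructed CloudFormation template (JSON form, which CloudFormation accepts).
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"BucketName": "example-logs"}},
        "AppRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    },
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Constructed, simplified CloudTrail events: only the fields this example reads.
EVENTS = [
    {"eventTime": "2024-05-30T10:00:00Z", "eventName": "GetObject", "bucketName": "example-logs",
     "principal": "arn:aws:iam::111122223333:role/AppRole", "sourceIPAddress": "10.0.1.5"},
    {"eventTime": "2024-05-29T08:00:00Z", "eventName": "GetObject", "bucketName": "example-logs",
     "principal": "anonymous", "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "PutObject", "bucketName": "example-logs",
     "principal": "arn:aws:iam::111122223333:role/AppRole", "sourceIPAddress": "10.0.1.5"},
]

def bucket_name(arn):
    return arn.split(":::", 1)[1]

def verify(template, finding):
    """Phase 1: locate the resource in the IaC template. None means the agent
    cannot fix it here (the bucket is not managed by this template)."""
    name = bucket_name(finding["resource_arn"])
    for logical_id, res in template["Resources"].items():
        if res["Type"] == "AWS::S3::Bucket" and \
                res.get("Properties", {}).get("BucketName") == name:
            return logical_id
    return None

def assess(events, finding, now, days=30):
    """Phase 2: who used the resource in the window, and from where."""
    name = bucket_name(finding["resource_arn"])
    cutoff = now - timedelta(days=days)
    recent = [e for e in events if e["bucketName"] == name and
              datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")) >= cutoff]
    return {"events": len(recent),
            "principals": Counter(e["principal"] for e in recent),
            "source_ips": Counter(e["sourceIPAddress"] for e in recent),
            "anonymous": sum(e["principal"] == "anonymous" for e in recent)}

def questions_for_human(assessment):
    """Phase 3: anything the agent must not decide on its own."""
    qs = []
    if assessment["anonymous"]:
        qs.append(f"{assessment['anonymous']} anonymous request(s) in the window; is public read intended?")
    for ip in assessment["source_ips"]:
        if not ip.startswith("10."):  # assumption: 10.0.0.0/8 is the VPC range
            qs.append(f"Requests from non-VPC address {ip}; is that expected?")
    return qs

def impact_markdown(finding, logical_id, assessment, questions):
    """Phase 2 artifact (and the Phase 5 evidence): what a reviewer reads before the PR."""
    lines = [f"# Impact analysis: {finding['check_id']}", "",
             f"Resource: `{finding['resource_arn']}` (logical id `{logical_id}`)",
             f"Events in window: {assessment['events']}",
             "Principals: " + ", ".join(f"{p} ({n})" for p, n in assessment["principals"].most_common()),
             "Source IPs: " + ", ".join(f"{ip} ({n})" for ip, n in assessment["source_ips"].most_common()),
             "", "## Open questions"] + [f"- {q}" for q in questions]
    return "\n".join(lines)

def remediate(template, logical_id, answers):
    """Phase 4: patch a copy of the template, and only once every question
    has an answer; this gate is the whole point of Phase 3."""
    if any(a is None for a in answers.values()):
        raise RuntimeError("unanswered questions; not proceeding")
    patched = copy.deepcopy(template)
    props = patched["Resources"][logical_id].setdefault("Properties", {})
    props["PublicAccessBlockConfiguration"] = {
        "BlockPublicAcls": True, "BlockPublicPolicy": True,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": True}
    return patched

def run(finding, template, events, now, answers):
    """The whole loop for one finding; `answers` maps question -> human reply."""
    logical_id = verify(template, finding)
    if logical_id is None:
        return {"fixable": False}
    assessment = assess(events, finding, now)
    qs = questions_for_human(assessment)
    report = impact_markdown(finding, logical_id, assessment, qs)
    patched = remediate(template, logical_id, {q: answers.get(q) for q in qs})
    return {"fixable": True, "report": report, "patched": patched, "questions": qs}
```

On the constructed events, the assessment finds one anonymous read and one request from outside the VPC range inside the 30-day window (the March PutObject falls outside it), so two questions go to the human and `remediate` refuses until both have answers. The patch never mutates the original template and sets all four PublicAccessBlock flags; whatever the real agent generates, the reviewable artifact is that template diff plus the markdown report.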
The agent does not:
The repository is at `github.com/tudovu/soc-2-remediation-agent`
Prerequisites: read-only AWS credentials configured locally, and Claude Code. Clone the repo and give Claude your GRC platform's findings. You'll have your first impact analysis and draft PR in about five minutes. Keep those credentials read-only: the agent's only write path should be the draft PR, so every change still goes through human review.
MIT license. Use it, fork it, open a PR if you spot something we missed.
Perspective for technical leaders navigating growth and strategy while staying secure and compliant.