Continuous compliance monitoring built by people who lived through too many audit sprints.
In 2022, Michael Tanaka was head of engineering at a fintech startup preparing for its second SOC 2 Type II audit. The first audit had taken 11 weeks of preparation. The second, with everything supposedly documented from the previous cycle, still took 7 weeks. Nothing was continuous. Logs had to be re-exported. Access lists had to be regenerated. Screenshots of configurations that should never have changed had to be taken again.
The fundamental problem was not that his team lacked discipline. It was that compliance tools of that era were designed around audit events, not ongoing operations. They helped you prepare a report. They did not help you stay compliant between reports.
CompliRun was prototyped over three months using AWS Lambda and a custom control-mapping layer. The first version reduced that team's third audit prep to 11 days. After sharing it with two other fintech teams — both of whom asked to use it — Michael left to build it as a product.
Today CompliRun is used by engineering teams at SaaS companies, fintech startups, and healthcare software vendors preparing for SOC 2 Type II and ISO 27001 certification.
A compliance posture checked quarterly is already three months stale. A system monitored daily catches configuration drift within 24 hours. Everything we build prioritizes continuous visibility over point-in-time snapshots.
Screenshots can be faked. API-sourced configuration exports with SHA-256 hashes cannot. We read from your infrastructure directly — CloudTrail, IAM, Config, GuardDuty — because the source of truth is your environment, not your clipboard.
Pulling access lists, exporting logs, and formatting evidence packages for auditors is not a good use of engineering time. Automated collection eliminates the repetitive work and leaves humans to make the decisions that actually require judgment.
Most delays and back-and-forth in audits happen because evidence is hard to find, not because the auditor is being unreasonable. The Evidence Room concept came directly from feedback from Big Four auditors who told us what they actually need to see and in what order.
An 18-person healthcare data platform was approaching its first SOC 2 Type II audit with no prior compliance infrastructure. They connected 14 integrations over three days and cleared 73% of flagged controls within three weeks. Audit prep lasted 11 days — including the Evidence Room walk-through with their auditor from Armanino.
A payments infrastructure provider already had SOC 2 Type II and needed ISO 27001 for a European banking client. Because their SOC 2 evidence was already collected and organized in CompliRun, the ISO 27001 control gap analysis identified only 23 additional controls to address. They received certification seven months after starting, with no additional headcount for compliance work.
A developer platform team of 11 was spending roughly 3 weeks per year on compliance-related tasks spread across engineering, security, and operations. After 6 months on CompliRun, their compliance overhead tracked to under 3 hours per month — primarily approving access reviews and reviewing the weekly gap report.
Connect your infrastructure and get a gap report against SOC 2 or ISO 27001 in under 48 hours.