SOC 2 · ISO 27001 · NIST CSF · NIST SP 800-53 · Essential Eight · PCI DSS

Your AI compliance team.
Always on.

Audit Trail's AI agent continuously investigates your compliance posture, writes audit-ready control narratives, drafts your information security policies, and creates remediation PRs — the work a GRC consultant charges $15,000 to do.

Run your first AI compliance scan — freeSee how it works →

No credit card required · First scan in under 10 minutes · Audit narratives written by AI, reviewed by you

Vanta automates evidence collection. Audit Trail automates the thinking.

39
Compliance controls
6
Compliance frameworks
<2 min
Setup time
Read-only
GitHub access

The problem

Your enterprise prospect wants compliance evidence. You have no compliance team.

  • xEnterprise prospects ask for compliance evidence. You spend hours screenshotting GitHub PRs and writing up change management narratives.
  • xMapping your Git workflow to SOC 2, ISO 27001, or NIST CSF requires compliance expertise you don't have and can't afford to hire for.
  • xYou're already doing the right things in GitHub: code reviews, branch protection, dependency updates. But none of it is captured as compliance evidence.

The solution

Turn your GitHub activity into compliance evidence. Automatically.

  • Install once. Audit Trail watches commits, PRs, reviews, Dependabot alerts, branch protection, and deployments, mapping them to 39 controls across 6 frameworks.
  • Not just checkboxes. Audit Trail measures control effectiveness using NIST SP 800-53A methodology. Are your PR reviews substantive or rubber stamps? Are dependency patches applied in days or weeks?
  • Covers the technical SDLC controls that live in your repos. For HR policies, vendor risk, and physical security, Audit Trail tells you exactly what's missing so you know where to focus.

How it works

From GitHub App install to audit-ready package. Four steps.

1

Connect once

Install the GitHub App. Read-only access. Your source code never leaves GitHub.

2

Agent investigates

Our AI agent runs through every compliance control — analysing your PR reviews, branch protection, deployment approvals, and vulnerability patch rates. It reasons about whether your evidence is sufficient or just present.

3

Narratives and drafts generated

For each control, the agent writes an auditor-ready narrative grounded in your actual evidence. For policy gaps, it drafts your Information Security Policy, Access Control Policy, and Incident Response Plan. For technical gaps, it opens a draft remediation PR.

4

Human review and export

You review what the agent produced, sign off on the narratives, complete the controls that require human action (access reviews, vendor assessments), and export the audit package. Your auditor gets a professionally documented, timestamped evidence package.

The AI handles everything that lives in your code and configuration. Controls that require human judgment — quarterly access reviews, vendor risk assessments, security awareness training, board sign-off — are structured and scheduled by the agent, completed by your team. This is the correct design for a compliance program auditors will trust.

Compliance Frameworks

Six frameworks. Zero manual work.

We have done the control mapping for you. All 39 controls cover the technical SDLC activity that lives in your GitHub repos: change management, access control, vulnerability management, and security testing.

FrameworkControls
Primarystrongest GitHub evidence coverage, most auditor-accepted
SOC 22022
5
ISO 270012022
10
NIST CSF2.0
7
Extendedspecific regulatory contexts
NIST SP 800-53Rev 5
7
ACSC Essential Eight2023
5
PCI DSS4.0
5

Need IRAP, HIPAA, or a custom framework? Contact us for Enterprise

Pricing

Transparent pricing. The market leaders won't show you theirs.

Vanta starts at ~$10,000/year. Drata starts at ~$7,500/year. Both require a sales call before you see a number. Audit Trail is $99/month, self-serve, cancel anytime.

Free

$0/month
  • Up to 2 repositories
  • 2 compliance frameworks
  • Basic compliance dashboard
  • Gap analysis with action steps
  • AI agent runs
  • Policy generation
  • Auditor portal or exports
Get started

Starter

$99/month

$990/year if paid annually

  • Up to 5 repositories
  • All 6 compliance frameworks
  • 2 AI agent runs per month
  • 5 policy drafts per month
  • Auditor portal with sign-offs
  • PDF & CSV exports
Start with Starter
Most popular

Growth

$199/month

$1,990/year if paid annually

  • Unlimited repositories
  • Unlimited AI agent runs
  • Unlimited policy drafts
  • Australian regulatory mapping (Essential Eight, Privacy Act 1988, APRA CPS 234)
  • Full audit packages with timestamped evidence
  • Security posture trends and readiness scoring
  • Control effectiveness analysis
Start with Growth

Enterprise

Custom

For teams with specific regulatory needs

  • Everything in Growth
  • SSO / SAML authentication
  • IRAP and HIPAA framework support
  • Custom framework mappings
  • Dedicated support and onboarding
  • SLAs and uptime guarantees
Contact us

For context: one hour with a compliance consultant costs more than a month of Audit Trail Growth.

Built for Australian teams

Essential Eight is a first-class framework in Audit Trail — not an afterthought. We map to the ACSC 2023 maturity model and include Australian regulatory crosswalk analysis (Privacy Act 1988, APRA CPS 234) on the Growth plan.

FAQ

Common questions

SaaS companies that use GitHub and need compliance evidence for enterprise deals, SOC 2 or ISO 27001 audits, or security questionnaires. Especially teams of 5-50 engineers with no dedicated compliance person. If your product lives in GitHub repos, Audit Trail turns your existing developer activity into compliance evidence automatically.

More questions? Get in touch

Your compliance posture, running in the background.

Connect your repositories and see your compliance score in under 10 minutes. Free to start. No credit card required.

Get started freeQuestions? Get in touch