The AWS evidence layer
for your SOC 2 audit.

Walk through your SOC 2 audit with an evidence package your auditor can independently verify: every finding traced to the exact AWS API call that produced it. No surprises. No scrambling.

Hand your auditor something they can actually verify.

Run your free scan → How it works
SHA-256 verified · read-only IAM · no persistent access · delete anytime · auditor-submittable report
What's different
01 / VERIFIABLE
SHA-256

Every finding hashed.

Every finding records the AWS API call that produced it, when it was made, and the SHA-256 hash of the raw response, so any later change to the stored evidence changes the hash. Your auditor can recompute the hash, and re-run the same call, to check it independently.
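What that verification looks like in practice, as an added illustration (not the product's own code): hash a canonicalized copy of the raw API response, store the hash alongside the call and timestamp, and let the auditor check both that the stored evidence is intact and that a fresh run of the same call still produces the same state. The sample response below is constructed to look like a boto3 `iam.get_account_summary()` result; the finding structure and field names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample, shaped like a boto3 iam.get_account_summary() response.
# ResponseMetadata (RequestId and friends) differs on every call, so it is
# excluded from the hashed payload; otherwise a re-run could never match.
SAMPLE_RESPONSE = {
    "SummaryMap": {"AccountMFAEnabled": 0, "Users": 12, "MFADevices": 3},
    "ResponseMetadata": {"RequestId": "a1b2c3d4-0000-1111-2222-333344445555",
                         "HTTPStatusCode": 200},
}

VOLATILE_KEYS = {"ResponseMetadata"}


def canonical_payload(response):
    """Drop per-call metadata and serialize deterministically (sorted keys,
    no whitespace) so the same API state always hashes to the same bytes."""
    payload = {k: v for k, v in response.items() if k not in VOLATILE_KEYS}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def evidence_hash(response):
    return hashlib.sha256(canonical_payload(response)).hexdigest()


def make_finding(control, service, operation, response, passed, observed_at=None):
    """Evidence record: control, the exact call, timestamp, hash, raw payload.
    (Assumed record layout, for illustration.)"""
    return {
        "control": control,
        "api_call": f"{service}:{operation}",
        "observed_at": observed_at or datetime.now(timezone.utc).isoformat(),
        "sha256": evidence_hash(response),
        "raw_response": {k: v for k, v in response.items() if k not in VOLATILE_KEYS},
        "passed": passed,
    }


def verify_finding(finding, fresh_response=None):
    """Auditor-side verification.
    stored_intact: the stored raw payload still hashes to the recorded value
                   (nobody edited the evidence after the scan).
    matches_rerun: a freshly executed call hashes to the same value, i.e. the
                   control state has not drifted since the scan. A mismatch
                   here means drift, not tampering; diff the two payloads."""
    result = {"stored_intact": evidence_hash(finding["raw_response"]) == finding["sha256"]}
    if fresh_response is not None:
        result["matches_rerun"] = evidence_hash(fresh_response) == finding["sha256"]
    return result


if __name__ == "__main__":
    finding = make_finding("CC6.1", "iam", "GetAccountSummary", SAMPLE_RESPONSE, passed=False)
    print(json.dumps(finding, indent=2))
    print(verify_finding(finding, fresh_response=SAMPLE_RESPONSE))
```

The two checks answer different questions: `stored_intact` is the tamper-evidence property the hash gives you, while `matches_rerun` only holds as long as nothing in the account changed, which is exactly why the hashed payload must exclude per-request metadata.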

02 / FAST
5 min

Not 30 days.

Provision a read-only role, paste the ARN, get a gap report before your coffee gets cold.

03 / HONEST
$39.99

We don't trade in vapor.

No 'AI trained on millions of audits.' No 'zero-persistence' that isn't. One flat fee, no subscription.

04 / PRIVATE
0 agents

No humans in your pipeline.

No sales calls. No shared dashboards. Read-only IAM, ExternalId-bound. Your evidence stays yours.

Meet Gideon

Your compliance copilot,
grounded in your scan.

Gideon isn't a generic chatbot. It reads your exact findings, your gap scores, and your AWS footprint — then tells you what to fix, in what order, with exact CLI commands. So when your auditor asks a question, you have an answer, not a spreadsheet.

  • Remediation roadmap with copy-pasteable AWS CLI commands
  • Policy generator: security policy, IRP, change management
  • Risk register (AICPA-aligned, 8-question intake)
  • Auditor rehearser: practice answers before your audit
Gideon: Howdy — your CC6.1 gap score is 42. Here's what to fix first: your root account has no hardware MFA. aws iam enable-mfa-device …
You: How long will this take?
Gideon: About half a day — 1–2 changes plus verification. Start with root MFA (30 min), then revisit the password policy.
Included with every paid report
What the market is saying

“The control is actually working — you just can't prove it six months later because the proof was in a screenshot someone saved to a folder nobody remembers.”

— Anonymous SaaS founder · enterprise SaaS

“Evidence collection is a problem even with tools that can be ridiculously expensive. Used Drata, wasn't that good. Used Vanta — not that much automation.”

— Anonymous CISO · enterprise fintech · customer discovery

“The SHA-256 traceability angle is genuinely smart. Tamper-evident, API-sourced evidence is something auditors will respect.”

— Anonymous security founder · customer discovery
Free
$0
Free scan, free gap report
  • Gap score & freshness
  • Evidence count
  • Top findings (locked)
  • No credit card
Run free scan →

Run your free scan

Provision a read-only IAM role. Paste the ARN. Get a gap report in under 30 seconds.

1. Generate an ExternalId

2. Deploy the CloudFormation

The template grants only the read-only permissions the scan needs. Your ExternalId is written into the role's trust policy as a condition on sts:AssumeRole, so the role cannot be assumed by anyone who does not present it, even if they know the role ARN.

Download YAML Launch in AWS Console ↗

3. Paste your Role ARN

Limits: 3 scans / external_id / day · 1 concurrent · resets 00:00 UTC

What we touch

  • IAM users, roles, policies, password policy, MFA
  • S3 encryption, public access, versioning
  • CloudTrail trails, event selectors
  • Config recorders & rules
  • EC2 SGs, VPCs, flow logs
  • KMS keys + rotation policies
  • GuardDuty detectors & finding stats
  • SecurityHub standards + HIGH/CRITICAL findings
  • SSO/Identity Center permission sets
  • Secrets Manager metadata only (never values)
  • WAF Web ACLs & protected resources
  • Lambda, RDS, SNS, CloudWatch
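Before launching any third party's template, it is worth checking it for the three properties steps 1 to 3 and the scope list above promise: the role trusts one account only and only with your ExternalId, every granted action is read-only, and no granted action can return secret values (Secrets Manager metadata only, never the secret). The added example below is not the vendor's CloudFormation template; it generates an ExternalId, builds the trust policy that such a role should carry, and checks a trust policy plus its permission policies against those properties. `VENDOR_ACCOUNT_ID`, the read-verb prefixes and the forbidden-action set are assumptions for illustration.

```python
import fnmatch
import json
import secrets

VENDOR_ACCOUNT_ID = "111111111111"  # placeholder; substitute the scanner's account ID

# Verbs that only read state. Anything else (Put, Create, Delete, Update, ...)
# or a bare wildcard is not read-only. (Assumed list.)
READ_PREFIXES = ("Describe", "Get", "List")

# Read-by-verb calls that nevertheless return secret or data contents. (Assumed list.)
FORBIDDEN_ACTIONS = {
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "s3:GetObject",
}


def generate_external_id():
    """32 random bytes, URL-safe. Treat it like a shared secret: it is what
    stops a third party who knows your role ARN from assuming the role."""
    return secrets.token_urlsafe(32)


def build_trust_policy(vendor_account_id, external_id):
    """Trust policy that lets only the vendor account assume the role, and
    only when the caller presents your ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_scanner_role(trust_policy, permission_policies, vendor_account_id, external_id):
    """Return the list of problems found; an empty list means the role is
    ExternalId-bound, trusts only the vendor account, and grants read-only
    actions that cannot return secret material."""
    problems = []
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in arns:
            problems.append("trust policy lets any AWS principal assume the role")
        elif not arns:
            problems.append("trust statement names no AWS account principal")
        elif not all(f":{vendor_account_id}:" in a for a in arns):
            problems.append(f"trust policy trusts an account other than {vendor_account_id}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("AssumeRole is not bound to your ExternalId")
    for pol in permission_policies:
        for st in pol.get("Statement", []):
            if st.get("Effect") != "Allow":
                continue
            if "NotAction" in st:
                problems.append("NotAction grants every action it does not name")
            for action in _as_list(st.get("Action", [])):
                if ":" not in action:
                    problems.append(f"wildcard action {action!r} is not read-only")
                    continue
                verb = action.split(":", 1)[1]
                if not verb.startswith(READ_PREFIXES):
                    problems.append(f"{action} is not read-only")
                # A pattern such as secretsmanager:Get* still covers GetSecretValue.
                for forbidden in sorted(FORBIDDEN_ACTIONS):
                    if fnmatch.fnmatchcase(forbidden, action):
                        problems.append(f"{action} can return secret material ({forbidden})")
    return problems


if __name__ == "__main__":
    ext_id = generate_external_id()
    trust = build_trust_policy(VENDOR_ACCOUNT_ID, ext_id)
    print(json.dumps(trust, indent=2))
    print(check_scanner_role(trust, [], VENDOR_ACCOUNT_ID, ext_id))  # expect []
```

Run `check_scanner_role` over the trust policy and the inline or attached policies from the downloaded template before you launch it; the wildcard matching is what catches a `secretsmanager:Get*` grant that would otherwise look harmlessly read-only.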

Read-only · ExternalId-bound · Zero secret material accessed · What we store