SOC 2 consulting for AWS startups

SOC 2 readiness for AWS startups.
In weeks, not months.

I'm Devon, a security engineer. I'll assess your AWS environment, show you exactly where your SOC 2 gaps are, and deliver the remediation code that closes them.

Powered by agents I built. Shipped by someone who actually reads your Terraform.

The tool is open source. View kumo-assess on GitHub
Devon Booker - security engineer, AWS-native
Sample report card (kumo-assess · SOC 2 CC6+CC7 · aws/us-east-1)
Score: 35 / 100 (0 pass, 2 fail, 4 partial)
  FAIL     CC6.3  Privileged access review not implemented
  PARTIAL  CC6.7  KMS key rotation inconsistent
  PARTIAL  CC7.2  CloudTrail alerting gaps
From the field

I ran this on my own AWS account.

It scored 35 out of 100. I wrote up every finding, the remediation, and what it cost to fix - Terraform diffs included. If you want to see what an honest SOC 2 readiness assessment actually looks like, read the writeup.

Read the writeup
The problem

SOC 2 readiness is overpriced and under-delivered.

$15k-50k: Traditional readiness

Most consulting engagements take 6 to 12 weeks and cost $15k to $50k. Much of the time goes to evidence collection that could be automated.

$25k+/yr: Compliance SaaS

Vanta and Drata are priced for Series A and up. They're mostly dashboards. The AWS-technical work still falls on you.

Six figures: The hidden cost

Startups end up paying six figures combined before a single control is actually fixed in their infrastructure.

Scan. Review. Remediate.

01 · SCAN

Agent-driven assessment

I run a read-only scan of your AWS environment using agents I built. Thirty minutes. You approve the IAM role before anything starts.

02 · REVIEW

Walk every gap on a call

We go through every finding together. You get the full markdown report with evidence citations and priorities scored against your audit timeline.

03 · REMEDIATE

Terraform, not slide decks

I deliver the Terraform modules and IaC changes that close the gaps as PRs against your repo. Fixed scope, fixed price, no surprise invoices.

What's covered

The AWS-technical part of SOC 2, where most startups fail.

CC6 Logical Access: IAM · MFA · password policy · least privilege
CC6.6 Boundary Protection: CloudTrail
CC6.7 Data Protection: S3 · KMS
CC6.8 Change Detection: Config · Security Hub
CC7 System Operations: monitoring · incident response
CC1, CC2, CC8, A1, C1: additional families, expanding quarterly

Built on direct AWS API calls, not heuristics. Five collectors today: IAM, CloudTrail, S3, Security Hub, Config. The assessment logic is transparent and open source.

Three tiers. Fixed scope, fixed price.

Tier 1
Assessment
$2,500
Delivered in 48 hours
  • Full read-only scan of your AWS environment
  • Markdown report with every gap scored and prioritized
  • 1-hour walkthrough call
  • 48-hour turnaround
Tier 3
Full Engagement
From $15,000
4 to 6 weeks
  • Everything in Tier 2
  • I write the Terraform and deliver PRs to your repo
  • Follow-up scans to verify remediation
  • Fixed price after scoping call

Not sure which fits? Book a 30-minute scoping call and I'll tell you straight.

Built by an engineer. Not a compliance checkbox factory.

I built the tool I use. The whole pipeline - four tiers of Claude agents plus a deterministic rules engine - is on my GitHub, under test, read-only by construction. If you want to verify anything before trusting me with your environment, you can read the source.

4 years in IT, security analyst today

Hands-on with AWS, Terraform, and cloud security day-to-day. I'm not a consultant watching from the outside.

Built the whole tool solo

Four-tier agent pipeline plus a deterministic rules engine. Go API, React frontend. Every line on my GitHub.

Read-only by construction

Zero mutating API calls exist in any collector. The tool can only observe your environment. I can send you the IAM Terraform before we start.

14 automated tests on the rules engine

The scoring logic is covered. You can see exactly what was checked and why. Show your work, not a black box.


I'm Devon Booker.

I'm a security engineer based in the Bay Area, focused on AWS-native startups working toward SOC 2. I've spent the last four years in IT and security, and I'm currently a security analyst. On the side I build the tools I'd want to use in that role - like kumo-assess, which is the assessment engine behind this consulting practice.

I'd rather ship Terraform than slide decks. If you're past the "do we need SOC 2" conversation and want someone who can actually close the gaps, we should talk.

FAQ

The questions I actually get.

Is this a replacement for Vanta or Drata?

No. Vanta and Drata are full compliance platforms that handle policies, training, employee onboarding, and evidence collection across multiple systems. I handle the AWS-technical portion of SOC 2, which is where most startups actually have gaps. Think of me as the specialist you hire alongside or instead of a compliance platform, depending on your stage.

How is this different from hiring a traditional compliance consultant?

Speed. A traditional readiness assessment takes 2 to 6 weeks. My scan takes 30 minutes. The agent-driven tool handles the data collection and analysis that consultants do manually, which means I can spend my time on the remediation work that actually matters. Same caliber output, delivered faster and at lower cost.

Is the tool open source?

Yes. The full kumo-assess codebase is on GitHub. You can run it yourself if you prefer. Most customers hire me because they want the remediation work done, not because they can't run the tool.

Do you have access to my AWS account?

You create a read-only IAM role. The tool cannot modify anything in your environment - zero mutating API calls exist in the collectors. I can send you the relevant Terraform for the IAM role before the scan so you can review it.
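The read-only assessor role described above (and under "Read-only by construction") is the one thing a customer should review line by line before a scan. The Terraform below is an added illustration of what such a role can look like; it is not kumo-assess's own IAM Terraform, and the role name, variable names, and the exact read actions listed are assumptions. It scopes trust to a single assessor account with an external ID, grants the AWS-managed SecurityAudit policy, and adds an explicit Deny on everything outside the read calls the five collectors (IAM, CloudTrail, S3, Security Hub, Config) plus KMS rotation checks would need, so a later, broader attachment cannot turn the role into a write path. Object-level S3 reads are deliberately excluded: bucket configuration is enough to assess CC6.7 and customer data never needs to leave the account.

```hcl
# Added example: a least-privilege, read-only cross-account assessor role.
# Not the project's own Terraform. Account ID, external ID and role name are placeholders.

variable "assessor_account_id" {
  description = "AWS account the assessor assumes the role from (placeholder)"
  type        = string
}

variable "external_id" {
  description = "Shared secret the assessor must present on AssumeRole (placeholder, rotate after the engagement)"
  type        = string
  sensitive   = true
}

# Trust policy: only the assessor account, only with the agreed external ID.
data "aws_iam_policy_document" "assessor_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.assessor_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "soc2_readonly_assessor" {
  name                 = "soc2-readonly-assessor"
  assume_role_policy   = data.aws_iam_policy_document.assessor_trust.json
  max_session_duration = 3600 # one hour; the scan itself is far shorter
}

# Grant: AWS-managed read-only security auditing permissions.
resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.soc2_readonly_assessor.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# Guardrail: explicit Deny on every action NOT in this read-only allow-list.
# Explicit Deny wins over any Allow, so nothing attached later can widen the role.
data "aws_iam_policy_document" "deny_all_but_reads" {
  statement {
    sid    = "DenyEverythingExceptCollectorReads"
    effect = "Deny"
    not_actions = [
      "sts:GetCallerIdentity",
      "iam:Get*", "iam:List*", "iam:GenerateCredentialReport",
      "cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:List*", "cloudtrail:LookupEvents",
      "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucket*",
      "s3:GetEncryptionConfiguration", "s3:GetAccountPublicAccessBlock",
      "securityhub:Describe*", "securityhub:Get*", "securityhub:List*",
      "config:Describe*", "config:Get*", "config:List*",
      "kms:Describe*", "kms:Get*", "kms:List*",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "deny_all_but_reads" {
  name   = "deny-all-but-collector-reads"
  role   = aws_iam_role.soc2_readonly_assessor.id
  policy = data.aws_iam_policy_document.deny_all_but_reads.json
}

output "assessor_role_arn" {
  value = aws_iam_role.soc2_readonly_assessor.arn
}
```

Before handing over the ARN, the customer can confirm the guardrail holds with the IAM policy simulator (for example `aws iam simulate-principal-policy --policy-source-arn <role arn> --action-names iam:CreateUser s3:PutObject kms:DisableKeyRotation`), which should report `implicitDeny` or `explicitDeny` for every mutating action, and delete the role once the follow-up scans are done.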

What happens if I need a framework other than SOC 2?

CMMC, ISO 27001, PCI DSS, and HIPAA are on the roadmap. If you have an immediate need, email me directly. Many controls map across frameworks, so I may be able to help already.

What environments do you support?

AWS today. GCP and Azure are planned for H2 2026.

Can I see a sample report?

Yes - I ran kumo-assess against my own AWS account and wrote up every finding. Read the case study.

How do I get started?

Book a 30-minute scoping call. I'll ask about your environment, target audit date, and current state. You'll leave the call with a fixed price and a start date.

Ready to see your AWS SOC 2 gaps?

Book a 30-minute scoping call. I'll tell you straight where you stand and what it'll cost to close.

Book a scoping call