Comp AI: The open-source way to get compliant with SOC 2, ISO 27001, HIPAA and GDPR
Getting a startup through a SOC 2 audit has long meant months of manual evidence collection, policy writing, and repeated back-and-forth with auditors. A growing number of compliance platforms have moved to automate parts of that process, and Comp AI is now doing it with an open-source codebase that organizations can inspect, modify, and self-host.

Comp AI is an open-source compliance platform targeting SOC 2, ISO 27001, HIPAA, and GDPR. It automates evidence collection, policy management, and control implementation, and it positions itself as a direct alternative to established vendors Vanta and Drata.
The codebase is licensed under AGPLv3, with the project operating under what it calls an “Open Core” model. The core platform, described as roughly 99% of the codebase, is open source. A small portion falls under a commercial license covering enterprise features.
Three core features define the current product. The AI Policy Editor lets users draft and update security policies through a natural language interface. Users describe a requested change in plain text, and the editor proposes a complete updated version of the policy. A diff viewer shows what will be added or removed before the user accepts any edit. The workflow is non-destructive: no changes are applied until the user clicks to confirm.
The Automated Evidence feature handles recurring evidence collection tasks. Users navigate to a compliance task in the platform, click to create an automation, and enter a plain-language prompt describing what needs to be verified. The platform’s agent then builds an automation to collect and store that evidence on a recurring schedule.
The Device Agent is a desktop application that runs in the system tray and checks employee devices for compliance against four security controls: disk encryption, antivirus protection, password policy, and screen lock timeout. It runs checks every hour and reports results to the organization’s portal. The agent supports macOS 14 and later, Windows 10 and later, and Ubuntu 20.04 and later. It does not collect personal data, browsing history, or file contents, according to the documentation.
For organizations where agent installation is not possible, the platform includes manual evidence collection guidance covering the same four control areas across Windows, macOS, and Linux.
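The Device Agent paragraph above lists what gets checked but not how a pass/fail is decided. The following Python is an added illustration of that decision logic for the Linux case, not Comp AI's own agent code: it evaluates the four controls (disk encryption, antivirus, password policy, screen-lock timeout) from captured command output and builds the kind of report an hourly check-in would send. The command sources, the thresholds (15-minute lock, 12-character minimum) and the sample outputs are assumptions for this example.

```python
"""Decide the four device-compliance controls from captured Linux command output.

Added illustration only: this is not Comp AI's Device Agent code. The command
sources, thresholds and sample outputs below are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Assumed policy thresholds (the article does not state the agent's own values).
MAX_LOCK_TIMEOUT_SECONDS = 900
MIN_PASSWORD_LENGTH = 12


@dataclass
class CheckResult:
    control: str
    passed: bool
    detail: str


def check_disk_encryption(lsblk_output: str) -> CheckResult:
    """Pass when the root filesystem is mounted from a dm-crypt (LUKS) device.
    Input: header plus lines of `NAME TYPE MOUNTPOINT` as printed by
    `lsblk -r -o NAME,TYPE,MOUNTPOINT` (assumed source)."""
    for line in lsblk_output.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "crypt" and fields[2] == "/":
            return CheckResult("disk_encryption", True, f"/ on encrypted device {fields[0]}")
    return CheckResult("disk_encryption", False, "root filesystem is not on a dm-crypt device")


def check_antivirus(systemctl_output: str) -> CheckResult:
    """Pass when the AV service unit reports `active` (output of `systemctl is-active <unit>`)."""
    state = systemctl_output.strip()
    return CheckResult("antivirus", state == "active", f"service state: {state or 'unknown'}")


def check_password_policy(pwquality_conf: str) -> CheckResult:
    """Pass when pwquality.conf sets minlen to at least MIN_PASSWORD_LENGTH.
    Comments and blank lines are ignored; a missing minlen fails closed."""
    minlen = None
    for line in pwquality_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"minlen\s*=\s*(\d+)", line)
        if m:
            minlen = int(m.group(1))  # last assignment wins
    if minlen is None:
        return CheckResult("password_policy", False, "minlen not set")
    return CheckResult("password_policy", minlen >= MIN_PASSWORD_LENGTH, f"minlen = {minlen}")


def check_screen_lock(idle_delay_output: str, lock_enabled_output: str) -> CheckResult:
    """Pass when GNOME locks on idle and the delay is 1..MAX_LOCK_TIMEOUT_SECONDS.
    Inputs: `gsettings get org.gnome.desktop.session idle-delay` (e.g. `uint32 300`)
    and `gsettings get org.gnome.desktop.screensaver lock-enabled` (`true`/`false`).
    An idle-delay of 0 means "never", so it fails."""
    m = re.search(r"(\d+)\s*$", idle_delay_output.strip())
    if not m:
        return CheckResult("screen_lock", False, "could not parse idle-delay")
    delay = int(m.group(1))
    lock_on = lock_enabled_output.strip() == "true"
    ok = lock_on and 0 < delay <= MAX_LOCK_TIMEOUT_SECONDS
    return CheckResult("screen_lock", ok, f"lock-enabled={lock_on}, idle-delay={delay}s")


def evaluate_device(lsblk, av_state, pwquality, idle_delay, lock_enabled) -> dict:
    """Run all four checks and build the report payload an hourly check-in would send."""
    results = [
        check_disk_encryption(lsblk),
        check_antivirus(av_state),
        check_password_policy(pwquality),
        check_screen_lock(idle_delay, lock_enabled),
    ]
    return {
        "compliant": all(r.passed for r in results),
        "checks": {r.control: {"passed": r.passed, "detail": r.detail} for r in results},
    }


# Constructed sample output for a compliant laptop (not captured from a real host).
COMPLIANT_SAMPLE = dict(
    lsblk="NAME TYPE MOUNTPOINT\nnvme0n1 disk \nnvme0n1p1 part /boot/efi\n"
          "nvme0n1p2 part \nnvme0n1p2_crypt crypt /\n",
    av_state="active\n",
    pwquality="# See pwquality.conf(5)\nminlen = 14\ndcredit = -1\n",
    idle_delay="uint32 300\n",
    lock_enabled="true\n",
)

# Constructed sample for a non-compliant laptop: unencrypted root, AV stopped,
# short minimum length, screen never locks.
NONCOMPLIANT_SAMPLE = dict(
    lsblk="NAME TYPE MOUNTPOINT\nsda disk \nsda1 part /\n",
    av_state="inactive\n",
    pwquality="# minlen = 12\nminlen = 8\n",
    idle_delay="uint32 0\n",
    lock_enabled="true\n",
)

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_device(**COMPLIANT_SAMPLE), indent=2))
    print(json.dumps(evaluate_device(**NONCOMPLIANT_SAMPLE), indent=2))
```

The checks take command output as strings rather than shelling out, so the decision logic can be unit-tested offline and reused unchanged whether the output comes from a tray agent or from the manual evidence-collection path. Each check fails closed on unparseable or missing input, which is the behaviour a compliance control should have.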
The platform also exposes an API for organizations that want to build internal tools on top of it, covering evidence collection, policy management, and employee records.
Cloud integrations connect to AWS, GCP, and Azure. A Security Questionnaire feature appears in the documentation navigation, with published policies feeding into it automatically.
Comp AI is available on GitHub.

