Guide · 9 min read

Self-serve SOC 2 — without a $30k/yr GRC platform

You don't need a $7,500/yr platform contract to get your first SOC 2 Type 1. You need a scope statement, ten written policies, working technical controls, and a CPA firm. Here's the seven-phase, ~6-week path real small teams use — total budget $5k–$25k.

Tags: SOC 2 Type 1 · self-serve · startup compliance · CPA engagement

The seven-phase plan

  1. Decide scope (1 day)

    Pick Type 1 first. Pick Security only (skip the other Trust Services Criteria for now). Define what's in scope: production, prod-adjacent services, your code repo, the database, your CI/CD. Out of scope: marketing site, internal HR tools. Write a one-paragraph statement; that's your scope document.

  2. Adopt your policy library (2 days)

    You need ~10 policies (access, change management, incident response, BCP/DR, vendor risk, AUP, asset, info classification, risk assessment, vulnerability management). KollGuard ships 10 templates. Customize the company name + owner + review date. Have an admin approve them in writing. This is a 2-day task, not a 2-month one.

  3. Wire technical controls (1–2 weeks)

    Branch protection on main. Signed commits required. MFA on every admin. Encryption at rest and TLS-only in transit. Audit logs piped somewhere durable. Secrets in a vault, never in env files. RLS on every public-schema table. KollGuard's scanner tells you exactly which of these you're missing in 5 minutes.

  4. Establish workforce hygiene (1 week)

    Quarterly access reviews (calendar invite + a signed attestation). Security awareness training (KnowBe4, Curricula, even a YouTube playlist + quiz). Signed acceptable-use acknowledgment for every employee. Offboarding checklist. KollGuard's personnel register tracks the dates.

  5. Engage a CPA firm directly (2 weeks lead)

    Skip the Vanta-class platforms. Email three small CPA firms that do SOC 2 (Prescient Assurance, Johanson Group, Sensiba, Schneider Downs are common picks). Send them your scope statement + policy list. Type 1 typically quoted at $5k–$20k. Pick one based on responsiveness and price.

  6. Provide evidence (1 week)

    The auditor will send a request list. Hand them the KollGuard evidence package (control rollup, dispositioned findings with rationale, hash-chained audit-log slice, approved policies, personnel register). For anything not in the package, they'll ask — answer the same week.

  7. Resolve exceptions, sign the report (1–2 weeks)

    There will be exceptions (always). Write a management response for each. Either remediate or accept-with-justification. Sign the management assertion. Auditor signs the opinion. You have a SOC 2 Type 1.
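For the "RLS on every public-schema table" control in phase 3, here is an added PostgreSQL example (not KollGuard's scanner or code) of the evidence query that check boils down to, followed by the remediation for one flagged table. It assumes a multi-tenant schema where every table carries a tenant_id column and the application sets app.tenant_id per session; the table name invoices is hypothetical.

```sql
-- Added example, not KollGuard code. Assumes PostgreSQL, a tenant_id column on
-- each table, and an application that runs SET app.tenant_id = '<uuid>' per session.

-- 1. Evidence query: public-schema tables where RLS is off, not forced on the
--    owner, or enabled with no policy attached (which silently denies all access).
--    An empty result set is the evidence an auditor wants to see.
SELECT c.relname                                                        AS table_name,
       c.relrowsecurity                                                 AS rls_enabled,
       c.relforcerowsecurity                                            AS rls_forced_for_owner,
       (SELECT count(*) FROM pg_policy p WHERE p.polrelid = c.oid)      AS policy_count
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
  AND  c.relkind IN ('r', 'p')              -- ordinary and partitioned tables
  AND  (   NOT c.relrowsecurity
        OR NOT c.relforcerowsecurity        -- drop this line if you only require ENABLE
        OR NOT EXISTS (SELECT 1 FROM pg_policy p WHERE p.polrelid = c.oid))
ORDER BY c.relname;

-- 2. Remediation for a flagged table (hypothetical table "invoices").
ALTER TABLE public.invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.invoices FORCE  ROW LEVEL SECURITY;   -- owner is restricted too

-- Rows are visible and writable only for the tenant named in the session setting.
-- current_setting(..., true) returns NULL when app.tenant_id is unset, so the
-- comparison is NULL and no rows match: the policy fails closed rather than
-- exposing every tenant's rows to a connection that forgot to set the tenant.
CREATE POLICY invoices_tenant_isolation ON public.invoices
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 3. Re-run the evidence query; "invoices" should no longer appear.
--    Caveat: superusers and roles with BYPASSRLS are never subject to RLS, so the
--    application role must be neither. Check with:
SELECT rolname, rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'app_user';
```

Run the first query periodically and keep its output with the quarterly access-review evidence; a non-empty result is a finding that needs either remediation or a documented exception.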

Cost breakdown (honest)

| Line item | Self-serve | Platform-led (Vanta/Drata-style) |
|---|---|---|
| Tool / scanner | KollGuard $19.89–$99/mo | $7.5k–$25k/yr |
| CPA auditor (Type 1) | $5k–$20k | $5k–$25k (sometimes bundled) |
| Security training | $10/user/mo or DIY | Often bundled |
| Penetration test | $3k–$15k (optional but recommended) | $3k–$15k |
| Total Type 1 | ~$8k–$25k | ~$20k–$80k+ |

Frequently asked

Is this really 6 weeks?

For a small (≤10 people) software team with one production system, the self-serve path is 4–8 weeks of calendar time. Most of the time is the auditor's review, not your work. The bottleneck is usually getting policies signed and providing evidence promptly.

Why not just use Vanta or Drata?

Cost. A small team self-serving SOC 2 with KollGuard ($19.89/mo) + a CPA firm ($5k–$20k) totals roughly $5k–$25k for Type 1. Vanta/Drata + auditor totals $20k–$80k+. The platforms automate more workflow, but you pay a platform-sized contract for the privilege.

Do I need security training that issues 'certificates' to employees?

Yes — the auditor will ask for evidence that each employee completed annual security awareness training. A SaaS like KnowBe4 makes this easy ($10/user/month). A YouTube playlist + a short quiz the employees sign also works for a small team.

What if I have exceptions in my audit?

Normal. Almost no Type 1 is exception-free. Your management response is what matters: 'We acknowledge this finding. We have implemented X to mitigate. Remediation target Q3 2026.' Auditors accept that.

Should I get Type 1 or jump straight to Type 2?

Type 1 first, almost always. Type 1 unblocks the first enterprise deal. Then start your Type 2 observation window the day the Type 1 issues. Most CPA firms will roll the engagements.

Start the technical-controls phase today

The first scan is free and tells you which controls already pass.