AuditKit: Multi-framework compliance scanner that shows what auditors need

🚨 CMMC Level 2 Pro - Defense Contractors

Deadline: November 10, 2025 - All new DoD contracts require CMMC compliance

$ auditkit scan -framework all

✗ CRITICAL: Root account missing MFA
→ SOC2: CC6.6 | PCI: 8.3.1 | CMMC: IA.L1-3.5.2 | HIPAA: §164.312(a)(2)(i)
Console URL: https://console.aws.amazon.com/iam/home#/security_credentials
Screenshot: Navigate to Security credentials → MFA → Screenshot "Assigned MFA device"
Fix: aws iam enable-mfa-device --user-name root --serial-number arn:aws:iam::123456789:mfa/root

✗ CRITICAL: S3 bucket 'customer-data' public
→ SOC2: CC6.3 | PCI: 1.3.1 | CMMC: SC.L1-3.13.16 | HIPAA: §164.312(a)(1)
Console URL: https://s3.console.aws.amazon.com/s3/buckets/customer-data
Screenshot: Permissions tab → Block public access → All 4 settings "On"
Fix: aws s3api put-public-access-block --bucket customer-data --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

$ auditkit evidence -output evidence-tracker.html
Evidence tracker generated with 23 screenshot requirements
📋 5 collected | ⏳ 18 remaining | 🎯 SOC2_CC6.6_MFA_Evidence.png needed

The Problem

Every compliance framework checks the same things with different names. You run separate tools for each one. Your auditor wants screenshots proving you fixed everything. But which screens? What format? What labels?

DoD contractors face CMMC Level 2 requirements by November 10, 2025. Consulting firms charge $50K+ for what you could assess yourself—if you knew what auditors actually wanted to see.

One Scan, All Frameworks

AuditKit runs once, maps findings to all frameworks. No more juggling different scanners.

What AuditKit Actually Does

• Scans for controls that matter across SOC2, PCI-DSS, CMMC, HIPAA, ISO 27001
• Maps each finding to relevant framework requirements
• Shows EXACTLY which console screens to screenshot
• Generates framework-specific evidence checklists
• Tracks what you've collected vs. what's missing
• Outputs reports formatted for each framework's auditors
• CMMC Level 1: Complete 17-practice assessment for DoD contractors
• CMMC Level 2: 110 practices for CUI handling (Pro version)

Installation

Who Should Use This

• Defense contractors facing CMMC Level 1/2 requirements by Nov 10, 2025
• Startups facing multiple compliance requirements
• Teams juggling SOC2 + PCI + HIPAA + CMMC simultaneously
• Companies quoted $50K+ per framework for prep
• Engineers who prefer fixing things themselves
• Anyone tired of running 5 different scanners

Who Should NOT Use This

• If you need someone to do compliance for you
• If you want a magic "pass audit" button
• If you need vendor certifications
• If you require hand-holding

Current Status

v0.6.0 - Complete SOC2 (64 controls), PCI-DSS production ready, CMMC Level 1 (17 practices), AWS + Azure providers complete.

CMMC Level 2 Pro - 110 practices for CUI handling, enterprise features, priority support. Learn more →

Coming in v0.7.0 - GCP provider, ISO 27001 complete, container scanning, advanced evidence automation.