Drop-in audit logging and SOC 2 prep in one platform. Tamper-proof trails, automated evidence collection, and policy templates — open source, not $40K/year.
Open Source
AGPLv3 licensed
Tamper-Proof
SHA-256 + Merkle proofs
SOC 2 Prep
51 controls + 15 policies
80% Cheaper
vs Vanta / Drata
Every B2B SaaS team hits the same wall. Here's what you're signing up for when you build it yourself.
2-4 weeks
Schema design, hash chaining, tenant isolation, search indexing, export pipelines. That's before you write a single test.
Every quarter
SOC 2 auditors come back every year, and evidence requests land every quarter. New formats, new requirements, new exports. The maintenance never stops.
Deals blocked
"Do you have immutable audit trails?" If the answer is no, your deal sits in security review for weeks.
AuditKit handles all of this with a single SDK.
```javascript
// `audit` is an initialised @auditkit/sdk client
await audit.log('document.updated', {
  actor: { id: 'user_123', name: 'Jane Doe' },
  target: { type: 'document', id: 'doc_456' },
  tenantId: 'org_acme',
});
```
From zero to enterprise-grade audit trails in under 5 minutes.
One package. Zero config. Works with Node, Python, Go, and Ruby.

```sh
$ npm install @auditkit/sdk
```

A few lines of code. Tamper-evident from the first event.

```javascript
// `audit` is an initialised @auditkit/sdk client
await audit.log('user.login', {
  actor: { id: 'usr_1' },
  tenantId: 'org_acme',
});
```

Embed our pre-built viewer in your app. Tenant-scoped by default so each customer sees only their own events.

```jsx
<AuditKitViewer
  tenantId="org_acme"
  token={jwt}
/>
```

Auditors, customers, security teams, compliance officers. AuditKit is designed for all of them.
Every event is SHA-256 hash-chained to the previous one, creating a cryptographic chain of custody that proves no records have been altered. Merkle tree verification lets auditors validate the entire log mathematically.
```javascript
const proof = await audit.verify('evt_789');
// => {
//   valid: true,
//   hashChain: "unbroken",
//   merkleRoot: "a1b2c3..."
// }
```

Tenant-scoped by default. Each customer sees only their own events. Embed the pre-built viewer directly in your app with a single React component or iframe.
Webhooks fire on every event. SIEM streaming pushes to Splunk, Datadog, and S3 in real time. Built-in anomaly detection flags suspicious patterns before they become incidents.
```json
{
  "type": "anomaly.detected",
  "severity": "high",
  "reason": "Bulk export from new IP",
  "actor": "user_123",
  "tenant": "org_acme"
}
```

One-click exports in CSV, JSON, and PDF. Industry-standard OCSF and CEF formats. Generate SOC 2 evidence packages that auditors actually accept.

```javascript
const report = await audit.export({
  format: 'pdf',
  standard: 'ocsf',
  range: 'last-quarter',
  tenantId: 'org_acme',
});
// => SOC 2 evidence PDF ready
```
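To make the `anomaly.detected` webhook above concrete, here is an added example, not AuditKit's detector, of one rule that produces that payload shape: a sliding-window count of exports per actor, escalated when the actor's address was first seen inside the same window. The thresholds, the event field names, the definition of "new IP" and the sample events are all constructed for this example.

```javascript
// Added example, not AuditKit's detector: a sliding-window rule that produces the
// "Bulk export from new IP" alert shape, run over a constructed event stream.
// Thresholds, field names and the "new IP" definition are assumptions.
const EXPORT_THRESHOLD = 3;       // assumed: exports per window that count as bulk
const WINDOW_MS = 10 * 60 * 1000; // assumed: 10-minute sliding window

// Constructed sample stream: user_123 was seen from one IP two days ago, then
// exports three documents within minutes of first appearing from a new address;
// user_456 does a bulk export from an address seen long before.
const BASE = Date.UTC(2025, 0, 15, 9, 0, 0);
const DAY = 24 * 60 * 60 * 1000, MIN = 60 * 1000;
const ev = (ts, type, actor, ip, tenant = 'org_acme') => ({ ts, type, actor, tenant, ip });
const SAMPLE_EVENTS = [
  ev(BASE - 2 * DAY, 'user.login', 'user_123', '203.0.113.5'),
  ev(BASE - 2 * DAY + 5 * MIN, 'document.exported', 'user_123', '203.0.113.5'),
  ev(BASE - 2 * DAY, 'user.login', 'user_456', '203.0.113.9'),
  ev(BASE, 'user.login', 'user_123', '198.51.100.7'),
  ev(BASE + 1 * MIN, 'document.exported', 'user_123', '198.51.100.7'),
  ev(BASE + 2 * MIN, 'document.exported', 'user_123', '198.51.100.7'),
  ev(BASE + 3 * MIN, 'document.exported', 'user_123', '198.51.100.7'),
  ev(BASE + 4 * MIN, 'document.exported', 'user_456', '203.0.113.9'),
  ev(BASE + 5 * MIN, 'document.exported', 'user_456', '203.0.113.9'),
  ev(BASE + 6 * MIN, 'document.exported', 'user_456', '203.0.113.9'),
];

// Walk events in time order. An IP is "new" for an actor when it was first seen
// less than one window ago. An alert fires once, when the export count first
// reaches the threshold, so one burst produces one webhook rather than many.
function detectAnomalies(events, { threshold = EXPORT_THRESHOLD, windowMs = WINDOW_MS } = {}) {
  const firstSeen = new Map();   // "tenant/actor/ip" -> first timestamp seen
  const exportTimes = new Map(); // "tenant/actor"    -> export timestamps in window
  const alerts = [];
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    const actorKey = `${e.tenant}/${e.actor}`;
    const ipKey = `${actorKey}/${e.ip}`;
    if (!firstSeen.has(ipKey)) firstSeen.set(ipKey, e.ts);
    const newIp = e.ts - firstSeen.get(ipKey) < windowMs;
    if (e.type !== 'document.exported') continue;
    const recent = (exportTimes.get(actorKey) ?? []).filter((t) => e.ts - t < windowMs);
    recent.push(e.ts);
    exportTimes.set(actorKey, recent);
    if (recent.length === threshold) {
      alerts.push({
        type: 'anomaly.detected',
        severity: newIp ? 'high' : 'medium',
        reason: newIp ? 'Bulk export from new IP' : 'Bulk export',
        actor: e.actor,
        tenant: e.tenant,
        ip: e.ip,
        count: recent.length,
        at: new Date(e.ts).toISOString(),
      });
    }
  }
  return alerts;
}
```

The rule is stateful, so in practice it runs in the webhook or SIEM consumer, with `firstSeen` backed by real history rather than the stream itself; with an empty history every address looks new for the first window. Expect noise from users behind rotating NAT or VPN egress, and key the threshold per tenant, since a "bulk" export for one customer is a normal Tuesday for another.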
Your auditor just sent a 200-item evidence request list. Your team is screenshotting admin consoles, digging through Google Drive folders, and formatting CSVs at 2am. AuditKit automates the 70% of SOC 2 prep that's just evidence collection — the part your team hates most.
60-80 hrs/quarter
"I soon got overwhelmed by the sheer amount of evidence I had to gather." Every quarter, your team stops shipping features to screenshot admin consoles.
$25K-$80K
"It costs $40K in year one." Tool subscriptions, auditor fees, consultant hours, and the hidden cost of engineering time diverted from product.
38 pages
"How hard could it really be?" Then the pre-audit readiness review came back as 38 pages of feedback on every aspect of our business.
Upload, organize, and hash-verify every piece of audit evidence. Tagged to SOC 2 controls. Auditor-ready export.
Pre-built SOC 2 checklist with 51 controls. Track readiness per category. Know exactly where you stand.
Pre-written security policies ready to customize. Save $5K-$15K in consultant fees. Employee acknowledgment tracking.
Quarterly access review campaigns. Pull user lists, assign reviewers, track approve/revoke decisions. No more spreadsheets.
Vendor inventory with SOC 2 report tracking, DPA storage, and expiration alerts. 89% of audits check vendors.
Document risks with likelihood/impact scoring. Treatment plans and owner assignment. Connects to anomaly detection.
SHA-256 hash chains, Merkle tree proofs, and Ed25519 digital signatures on every upload. After the Delve scandal — where 494 fake SOC 2 reports were exposed — auditors want proof your evidence is real. AuditKit provides cryptographic proof that nothing has been altered since collection.
Each evidence item's SHA-256 hash incorporates the previous hash, creating an immutable chain.
The only tool that's open source, managed, self-hostable, and cryptographically immutable.
| Feature | AuditKit | WorkOS | Pangea | Retraced | Custom Build |
|---|---|---|---|---|---|
| Open source | — | — | |||
| Managed cloud | — | — | |||
| Tamper-proof (hash chain) | — | — | — | ||
| Merkle tree proofs | — | — | — | ||
| Tenant-scoped access | — | ||||
| Embeddable viewer | — | — | |||
| SIEM streaming | — | — | |||
| Multi-language SDKs | — | — | |||
| Self-hostable | — | — | |||
| GraphQL API | — | — | — | — | |
| AI anomaly detection | — | — | — | — | |
| Setup time | 5 min | 1 day | 2 hrs | 1 week | 2-4 weeks |
| Price (100K events) | $39/mo | $99+/mo | Contact | Free | Dev time |
See detailed comparisons: AuditKit vs Vanta · AuditKit vs Drata · AuditKit vs Spreadsheets
Published pricing. Monthly billing. No lock-in contracts. No surprise renewals.
Free: 50K events/mo, 90-day retention
Pro: 500K events/mo, 1-year retention
Business: 2M events/mo, 3-year retention
Supersize: 10M events/mo, 7-year retention

From secure document sharing to AI-powered operations, teams choose AuditKit to handle the compliance work they'd rather not build.
“We needed tamper-proof audit trails for every document view, download, and watermark event. AuditKit gave us enterprise-grade logging in an afternoon — would have taken us weeks to build the hash-chaining alone.”
“Our enterprise customers asked for full audit visibility into every crawl, every report, every user action. AuditKit’s tenant-scoped logs and embeddable viewer meant we could ship that feature same-day instead of next quarter.”
“When you’re handling SOPs and sensitive operational data, you need an immutable record of who accessed what and when. AuditKit’s SIEM streaming and compliance exports made our SOC 2 prep painless.”
Your enterprise customers need audit trail access. Ship it today, not next quarter.
AuditKit is an open-source audit logging and SOC 2 compliance platform for B2B SaaS companies. It provides tamper-evident audit trails using SHA-256 hash chaining and Merkle tree proofs, tenant-scoped access controls, and automated SOC 2 evidence collection. AuditKit helps companies ship enterprise-grade audit logging in minutes and prepare for SOC 2 audits at a fraction of the cost of traditional compliance platforms.
Security scanner for AI coding tool configurations. Like npm audit, but for AI workflows.
Catches prompt injection in GitHub Actions, supply chain attacks in npm lifecycle scripts, invisible Unicode backdoors in AI config files, and more. The same patterns behind Clinejection, Cacheract, and the Shai-Hulud npm worm.
```text
aidevshield v1.0.0 — AI Workflow Security Scanner
Scanning: ./my-project
Checks: workflows | package.json | AI configs
[CRITICAL] .github/workflows/ai-triage.yml:18
  Wildcard user permissions on AI workflow
[CRITICAL] .cursorrules:1
  Hidden Unicode characters detected
[HIGH] node_modules/evil-pkg/package.json
  curl | sh in postinstall script
6 issues found (2 critical, 1 high, 2 medium, 1 low)
```