Compliance evidence without the manual work

Screenshots, spreadsheets, email threads — the same work is repeated before every audit.


What actually happens before an audit

Before an audit, you need to show that controls are in place, that they operate over time, and that this can be substantiated with actual data.

In practice, this often means:

This work takes time from people with other critical responsibilities — and is rarely perceived as adding value compared to actual security work.

Three trends making this harder

  • More frameworks: More regulations — especially in the EU (NIS2, DORA, etc.)
  • Complex IT environments: More systems, vendors, and integrations to cover
  • Continuous compliance: Not just point-in-time, but showing how controls operate over time

Evidence is no longer about a single point in time, but about showing how controls have operated over time.

Many organizations already have a lot in place

Most have:

  • Policies and documentation
  • Technical controls implemented
  • Clear ownership of security domains

But lack:

  • A coherent way to continuously collect and preserve evidence
  • Visibility into which evidence already exists and what is missing
  • The ability to reuse the same evidence across multiple frameworks

Our hypothesis

If compliance evidence could be collected continuously and directly from existing systems, audit preparation could become simpler, less stressful, and less dependent on last-minute manual effort.

It should be worth an ongoing service — not just project work before each audit.

Auditlayer is an attempt to test this hypothesis.

How it could work

Illustrative sketch — not a finished product

NIS2 Compliance Status

73% of evidence collected

  • Access Control: 85%
  • Incident Handling: 60%
  • Cryptography: 78%

Recent Evidence (automatically collected)

  • GitHub Branch protection rules verified (2 min ago)
  • AWS CloudTrail logging enabled (15 min ago)
  • Azure AD MFA policy snapshot collected (1 hour ago)

Clarifying what we are building

  • Not a finished product
  • Not a promise of full automation
  • Not a replacement for auditors or legal interpretation
  • An exploration of how compliance evidence can be handled more systematically
  • Targeted at organizations where data collection is the primary bottleneck

Does this sound familiar?

If you are responsible for compliance or security audits and recognize the situation described above, we would like to understand:

  • Which framework takes the most time for you today?
  • Where does evidence most often fall through the cracks?
  • What consumes disproportionate time before an audit?

The goal is conversation, not a demo.

We'll reach out to continue the conversation.