SOC 2 Type II audits are painful. Auditors want evidence for 42 controls — who has access, are vulnerabilities patched on time, does every deployment go through review. Normally you pay a consultant $15-50k and spend months collecting screenshots and logs manually.
ZeroAudit connects to your tools and has an AI agent collect that evidence automatically, then classifies it against SOC 2 controls and generates an audit-ready report.
Live demo: https://zero-audit-red.vercel.app
GitHub: https://github.com/mazurenkodmytro0710/ZeroAudit
Why DynamoDB
I chose DynamoDB over Aurora because every query I need is org-scoped. There are no cross-org queries anywhere in the app. Single-table design with two GSIs covers all access patterns without joins. Aurora would've been overkill.
The schema uses PK: ORG#orgId with SK patterns for evidence, agent runs, integrations, and metadata. GSI1 queries evidence by control sorted by time. GSI2 queries controls by coverage status.
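As an added example (not ZeroAudit's own code), here is that key layout modelled in memory in TypeScript so the two access patterns can be exercised offline. The attribute names GSI1PK/GSI1SK/GSI2PK/GSI2SK, the SK layout, the coverage status values and the sample rows are assumptions; the post only gives PK ORG#orgId and what each GSI answers. The property worth seeing is that orgId is baked into every index partition key, so a Query cannot return another org's rows as long as orgId is taken from the authenticated session rather than the request, and key segments are validated so a "#" inside a value cannot forge a colliding key.

```typescript
// Added example, not ZeroAudit's code: org-scoped single-table layout with two
// GSIs, modelled as an in-memory array. Attribute names, SK layout and status
// values are assumptions based on the post's description.

type CoverageStatus = "covered" | "partial" | "gap";

interface EvidenceItem {
  PK: string;     // ORG#<orgId>                          (table partition key)
  SK: string;     // EVIDENCE#<controlId>#<collectedAt>   (table sort key)
  GSI1PK: string; // ORG#<orgId>#CONTROL#<controlId>      (GSI1: evidence by control)
  GSI1SK: string; // <collectedAt>                         (GSI1: sorted by time)
  GSI2PK: string; // ORG#<orgId>#STATUS#<coverageStatus>  (GSI2: controls by status)
  GSI2SK: string; // CONTROL#<controlId>
  orgId: string;
  controlId: string;
  collectedAt: string;
  coverageStatus: CoverageStatus;
  source: string;
}

// Key segments are joined with "#". A segment that itself contains "#" could
// build a key colliding with another org's, so every segment is checked first.
const SAFE_SEGMENT = /^[A-Za-z0-9._:-]+$/;
function assertSegment(name: string, value: string): void {
  if (!SAFE_SEGMENT.test(value)) {
    throw new Error(`invalid key segment for ${name}: ${JSON.stringify(value)}`);
  }
}

function buildEvidenceItem(
  orgId: string,
  controlId: string,
  collectedAt: string, // ISO-8601 UTC, so lexical order equals chronological order
  coverageStatus: CoverageStatus,
  source: string,
): EvidenceItem {
  assertSegment("orgId", orgId);
  assertSegment("controlId", controlId);
  assertSegment("collectedAt", collectedAt);
  return {
    PK: `ORG#${orgId}`,
    SK: `EVIDENCE#${controlId}#${collectedAt}`,
    GSI1PK: `ORG#${orgId}#CONTROL#${controlId}`,
    GSI1SK: collectedAt,
    GSI2PK: `ORG#${orgId}#STATUS#${coverageStatus}`,
    GSI2SK: `CONTROL#${controlId}`,
    orgId, controlId, collectedAt, coverageStatus, source,
  };
}

// A DynamoDB Query must supply the index's full partition key, and orgId is
// part of it, so one query can never span two orgs. The in-memory version
// enforces the same thing by matching the exact key string.
function queryEvidenceByControl(
  table: EvidenceItem[], orgId: string, controlId: string, newestFirst = true,
): EvidenceItem[] {
  const pk = `ORG#${orgId}#CONTROL#${controlId}`;
  const rows = table.filter((i) => i.GSI1PK === pk);
  rows.sort((a, b) => a.GSI1SK.localeCompare(b.GSI1SK)); // ScanIndexForward order
  return newestFirst ? rows.reverse() : rows;
}

// GSI2: which controls in this org currently carry a given coverage status.
function queryControlsByStatus(
  table: EvidenceItem[], orgId: string, status: CoverageStatus,
): string[] {
  const pk = `ORG#${orgId}#STATUS#${status}`;
  const ids = table.filter((i) => i.GSI2PK === pk).map((i) => i.controlId);
  return Array.from(new Set(ids)).sort();
}

// Constructed sample rows for two orgs (not real evidence).
const SAMPLE_TABLE: EvidenceItem[] = [
  buildEvidenceItem("org-a", "CC7.2", "2024-05-01T10:00:00Z", "partial", "github:dependabot"),
  buildEvidenceItem("org-a", "CC7.2", "2024-05-02T10:00:00Z", "covered", "github:code-scanning"),
  buildEvidenceItem("org-a", "CC8.1", "2024-05-02T11:00:00Z", "covered", "github:branch-protection"),
  buildEvidenceItem("org-b", "CC7.2", "2024-05-03T10:00:00Z", "gap", "github:dependabot"),
];
```

Running queryEvidenceByControl(SAMPLE_TABLE, "org-a", "CC7.2") returns the two org-a rows newest first, and the same call for org-b sees only its own row; buildEvidenceItem("org#b", ...) is rejected before any key is built.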
What's real vs simulated
Real data from live API calls: CC7.2 uses Dependabot alerts and code scanning from GitHub. CC8.1 uses pull requests and branch protection rules. CC6.1 uses repository collaborators. A1.2 uses IAM events and console logins from AWS CloudTrail. CC7.4 uses incident history from PagerDuty.
Simulated: CC6.2 would need Okta for real user provisioning data. The AI classification runs on whatever evidence it gets — real or mock.
AI agent architecture
The agent runs as a fire-and-forget background process. POST /api/agent/run returns 202 immediately. I tried doing it synchronously, but Vercel functions time out at 10 seconds and 6 controls plus AI calls take around 2 minutes.
Each control fetches real evidence from connected integrations, merges it with mock evidence for context, sends it to Grok (grok-3-mini via OpenAI-compatible API), parses the response for coverageStatus, riskLevel, and reasoning, then saves the artifact to DynamoDB.
The UI polls /api/agent/status every 3 seconds while showing a terminal animation. The animation is pre-scripted per control and doesn't wait for actual API responses — intentional UX decision.
I switched from Gemini to Grok mid-development because Gemini's free tier hit daily quota. Grok's OpenAI-compatible API made the switch a one-line change.
Stack
Frontend: Next.js App Router, TypeScript, Tailwind CSS.
Database: AWS DynamoDB in eu-north-1, single-table design.
AI: Grok API grok-3-mini.
Auth: GitHub OAuth, custom implementation.
Integrations: GitHub API, AWS CloudTrail, PagerDuty API.
Deploy: Vercel.
DynamoDB note: the table is named soc2-autopilot in eu-north-1. DynamoDB only allows one GSI creation per table at a time, so a second index cannot be created while the first is still backfilling — I hit this during setup and had to wait about 5 minutes between GSI creations.
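As an added example (not ZeroAudit's setup code), a small decision function in TypeScript that sequences GSI creation: it looks at the table description, asks for the next missing index only when nothing is still CREATING, and otherwise says wait. The minimal table and index types mirror the fields DescribeTable returns (TableStatus, GlobalSecondaryIndexes[].IndexName/IndexStatus); the index names GSI1/GSI2, their key attributes, and the snapshot sequence are assumptions. A real loop would call DescribeTable, feed the result to nextGsiStep, sleep, and repeat.

```typescript
// Added example, not ZeroAudit's code: sequence GSI creation so the second
// index is only requested once the first reports ACTIVE. Index names and key
// attributes are assumptions; the table name is the one the post gives.

type IndexStatus = "CREATING" | "UPDATING" | "DELETING" | "ACTIVE";
interface IndexSummary { IndexName: string; IndexStatus: IndexStatus }
interface TableSummary { TableStatus: string; GlobalSecondaryIndexes?: IndexSummary[] }

interface GsiSpec { name: string; pk: string; sk: string }

const DESIRED_GSIS: GsiSpec[] = [
  { name: "GSI1", pk: "GSI1PK", sk: "GSI1SK" }, // evidence by control, sorted by time
  { name: "GSI2", pk: "GSI2PK", sk: "GSI2SK" }, // controls by coverage status
];

type Step =
  | { action: "wait"; reason: string }
  | { action: "create"; spec: GsiSpec }
  | { action: "done" };

// Only one online index operation per table is allowed at a time, so any index
// not yet ACTIVE (or a table not ACTIVE) means wait; otherwise create the first
// missing index, or report done.
function nextGsiStep(table: TableSummary, desired: GsiSpec[] = DESIRED_GSIS): Step {
  const existing = table.GlobalSecondaryIndexes ?? [];
  const busy = existing.find((i) => i.IndexStatus !== "ACTIVE");
  if (busy) return { action: "wait", reason: `${busy.IndexName} is ${busy.IndexStatus}` };
  if (table.TableStatus !== "ACTIVE") return { action: "wait", reason: `table is ${table.TableStatus}` };
  const have = new Set(existing.map((i) => i.IndexName));
  const missing = desired.find((d) => !have.has(d.name));
  return missing ? { action: "create", spec: missing } : { action: "done" };
}

// UpdateTable input that creates exactly one GSI. The table is on-demand in this
// example, so no ProvisionedThroughput is set on the index.
function createGsiInput(tableName: string, spec: GsiSpec) {
  return {
    TableName: tableName,
    AttributeDefinitions: [
      { AttributeName: spec.pk, AttributeType: "S" },
      { AttributeName: spec.sk, AttributeType: "S" },
    ],
    GlobalSecondaryIndexUpdates: [{
      Create: {
        IndexName: spec.name,
        KeySchema: [
          { AttributeName: spec.pk, KeyType: "HASH" },
          { AttributeName: spec.sk, KeyType: "RANGE" },
        ],
        Projection: { ProjectionType: "ALL" },
      },
    }],
  };
}

// Drive the loop against a sequence of DescribeTable snapshots and return the
// actions taken, so the ordering can be checked without touching AWS.
function driveSequence(snapshots: TableSummary[]): string[] {
  const log: string[] = [];
  for (const snap of snapshots) {
    const step = nextGsiStep(snap);
    if (step.action === "done") { log.push("done"); break; }
    log.push(step.action === "wait" ? `wait: ${step.reason}` : `create ${step.spec.name}`);
  }
  return log;
}

// Constructed snapshots of how DescribeTable would answer over time.
const idx = (name: string, s: IndexStatus): IndexSummary => ({ IndexName: name, IndexStatus: s });
const SAMPLE_SNAPSHOTS: TableSummary[] = [
  { TableStatus: "ACTIVE" },
  { TableStatus: "ACTIVE", GlobalSecondaryIndexes: [idx("GSI1", "CREATING")] },
  { TableStatus: "ACTIVE", GlobalSecondaryIndexes: [idx("GSI1", "ACTIVE")] },
  { TableStatus: "ACTIVE", GlobalSecondaryIndexes: [idx("GSI1", "ACTIVE"), idx("GSI2", "CREATING")] },
  { TableStatus: "ACTIVE", GlobalSecondaryIndexes: [idx("GSI1", "ACTIVE"), idx("GSI2", "ACTIVE")] },
];
```

driveSequence(SAMPLE_SNAPSHOTS) yields create GSI1, wait, create GSI2, wait, done, which is the order the second create request must follow to avoid the limit error the note describes.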
What I'd do with more time
Okta integration for real user provisioning data, scheduled scans via Vercel Cron, fixing deduplication at the write level instead of read time, search that actually filters the evidence map, and CSV export for auditors.
Created for H0: Hack the Zero Stack Hackathon #H0Hackathon