
Going through the SOC2 process myself[0].

As I expected, we're hearing from customers they won't use a product that passes the contents of their database tables into an AI model (although some AI products are doing this). So the problem Credal is solving makes sense. Have you considered building an open source Python package for solving just this bit of the problem?

Any tips on the SOC2? Did you use something like Drata / Vanta?

0 - https://www.definite.app/



Thanks!! There are some fairly good OS models for the core stuff (PII, SSNs etc.) out there already (Presidio, spaCy), so folks that need an OS option have one to start with. Detecting the more complex stuff can sometimes need a little iteration, but I could definitely imagine a world where we publish that in the future.

On SOC 2, we used Drata, and spoke to Vanta, Laika and a few others. The price Vanta initially quoted us was waaaay higher than the other two, and between Laika and Drata we went with Drata mostly because there seemed to be more automation in Drata. In the end, the Drata live support was incredible, and it's hard to imagine how we would have gotten the certification so fast without it. We started our infra on DO, and so the most painful part of SOC 2 for us was the migration we did to AWS to take advantage of AWS' many security features. My main advice would be to make full use of the Drata live support (I'd guess Vanta have something similar), but maybe on a deeper level: when you're doing SOC 2, don't focus on the certification; focus on the policies and technology that actually make your company secure. In the end, that's what enterprises really care about, especially the ones that have given us 300-question-long questionnaires!


Nice! How long did it take end-to-end to get the SOC2 Type 1?


Our AWS migration wound up taking about 4 weeks, getting all the policies in place took about 8 weeks (which overlapped with about 2 weeks of the migration), and then the audit itself was a couple of weeks as well.


Apologies for the shameless plug. I generally don't do this, but I just thought our product might be relevant for the use case you mentioned. We do not compete with Credal, but at Adaptive [1], we have been building a platform that helps with infrastructure access management and allows users to automatically generate and collect evidence, especially for CC5 and CC6 (logical access). Vendor security questionnaires become easy to answer when we, as an organisation, use our product.

We have seen that reproducibility and access auditability in organisations that adopt products which access schema and metadata from databases, compute infrastructures, etc. comfort customers. Your customers care about security incidents like unauthorised access, privilege abuse, accidental operations, insider threats, etc. on the vendor's side, which in my opinion are real threats.

[1] http://adaptive.live



