Frequently Asked Questions

Does this replace my auditor?

No. AuditKit automates the technical controls portion of compliance audits, but you still need:

• SOC2: CPA firm for certification ($15,000 - $30,000)
• CMMC: C3PAO for assessment ($25,000 - $150,000)
• PCI-DSS: QSA for certification ($15,000 - $50,000)

What AuditKit replaces: Technical consultant fees ($30,000 - $100,000) for infrastructure scanning and remediation

What you still need: Certified auditor/assessor for final certification

What's the difference between Free and Pro?

Try Pro Free for 14 Days →

How much does it cost?

Free version: $0 forever (open source)
Pro version: $297/month with 14-day free trial

Compare to traditional costs:

• SOC2 consultant: $50,000+
• CMMC C3PAO assessment: $25,000+
• Compliance platforms (Vanta/Drata): $5,000+/year

What's the difference between CMMC Level 1 and Level 2?

CMMC Level 1 (17 practices) - FREE

• Protects Federal Contract Information (FCI)
• Basic cybersecurity hygiene
• Required for all DoD contractors
• Self-assessment allowed

CMMC Level 2 (110 practices) - PRO

• Protects Controlled Unclassified Information (CUI)
• Based on NIST SP 800-171 Rev 2
• Required for contractors handling CUI
• Requires C3PAO assessment

When is the CMMC deadline?

November 10, 2025 - CMMC requirements start appearing in DoD contracts

DoD contractors must be compliant when specified in contract solicitations. Many contracts now include CMMC Level 1 or Level 2 requirements.

Start your assessment now →

Can AuditKit prepare me for C3PAO assessment?

Yes, for technical controls. AuditKit automates:

• Technical security configuration checks
• Evidence collection guides
• Remediation commands
• Assessment reports

You still need to handle:

• Organizational policies
• Security awareness training
• Incident response procedures
• Physical security measures

Timeline: Most contractors fix 80%+ of technical issues in 2-4 weeks with AuditKit.

Which cloud providers are supported?

Fully supported:

• AWS (Amazon Web Services)
• Azure (Microsoft Azure)
• GCP (Google Cloud Platform)
• M365 (Microsoft 365) via ScubaGear integration

Coverage:

• AWS: 64+ SOC2 controls, 30+ PCI-DSS, 17 CMMC L1, 110 CMMC L2 (Pro)
• Azure: 64+ SOC2 controls, 30+ PCI-DSS, 17 CMMC L1, 110 CMMC L2 (Pro)
• GCP: 170+ core checks (Free), +32 advanced checks (Pro)
• M365: 29+ Entra ID rules via ScubaGear

What frameworks are supported?

Does AuditKit make any changes to my infrastructure?

No. AuditKit is read-only. It only:

• Reads configuration
• Checks security settings
• Generates reports

It never modifies your infrastructure.

The auditkit fix command generates a script for you to review and run manually.

What permissions does AuditKit need?

• AWS: ReadOnlyAccess managed policy
• Azure: Reader role
• GCP: roles/viewer role

All read-only, no write permissions required.

Setup guides →

Why is my compliance score low?

Common reasons:

1. Security services not enabled

Enable these first:

• AWS: GuardDuty, Config, CloudTrail, Security Hub
• Azure: Defender for Cloud, Azure Policy, Activity Logs
• GCP: Security Command Center, Cloud Logging, Cloud KMS

2. Basic security controls missing

• MFA not enforced
• CloudTrail/logging not configured
• Encryption not enabled
• Public access on storage

Fix critical issues first, then re-scan.

"Error: AWS credentials not configured"

Solution:

aws configure
# Enter your AWS Access Key ID and Secret Access Key

AWS setup guide →

Where can I get support?

Documentation:

• Getting Started
• Installation Guide
• CLI Reference
• Cloud Setup Guides

Community Support:

• GitHub Issues
• GitHub Discussions

Pro Support:

• Priority email support: hello@auditkit.io
• Try Pro free for 14 days →