Throughproof
Guided · Secured · Approved

Your AI agent writes your code.
Now make it write your SOC 2 audit trail.

Throughproof is a free, portable skill for Claude Code, Cursor, Copilot & Gemini that logs every sensitive action the SOC 2 way — and never leaks secrets or PII into your logs. The Pro verifier then proves it to your auditor.

The problem

Vanta and Drata tell you what's failing and collect evidence from systems you already built. None sit in your editor and help you write the compliant code in the first place — which actions need an audit trail, how to log failures (not just successes), and how to keep secrets and PII out of your logs.

Three things, one line of code to the control

Guided

The skill guides your agent to write the audit trail correctly, as you type — for sensitive actions only.

Secured

No secrets, tokens, or PII ever land in your logs. Hygiene enforced at authoring time.

Approved

The verifier emits control-to-code evidence (CC7.2) your auditor can accept — deterministic, no LLM.

See it work

Without the skill, code like this ships every day — no audit trail, PII + token in logs:

@router.post("/users/{user_id}/delete")
def delete_user(user_id, request):
    user = db.get_user(user_id)   # assumed lookup so `user` is defined below
    db.delete_user(user_id)
    logger.info(f"Deleted user {user.email}")   # PII in log, no audit trail

The Pro verifier catches exactly that — deterministically, mapped to the control:

$ throughproof-verify user_service.py

✗ 4 finding(s):
  [HIGH] user_service.py:8   CC7.2  missing-audit-event
         sensitive action 'delete_user' (data.delete) emits no audit event
  [med ] user_service.py:11  CC6.x  pii-in-log
         possible PII in log (identifier 'email') — log an id reference instead
  [HIGH] user_service.py:16  CC7.2  missing-audit-event
         sensitive action 'login' (user.login) emits no audit event
  [HIGH] user_service.py:21  CC6.x  secret-in-log
         possible secret/token in log (identifier 'token')

Once it's fixed, you get the artifact auditors actually want:

$ throughproof-verify user_service.py

✓ no findings

✓ control-to-code evidence (2 satisfied path(s)):
  user_service.py:17  delete_user()  ↔  CC7.2 (data.delete)  [failure, success]  satisfied
  user_service.py:39  login()        ↔  CC7.2 (user.login)   [failure, success]  satisfied

No dashboards to reverse-engineer, no LLM guesswork — just the line from each SOC 2 control to the code that satisfies it. --json for your evidence pipeline.
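One way the fixed delete path could look, as an added example that is not Throughproof's code or the skill's output: it emits an audit event on both success and failure and logs ids instead of the email. `FakeDB`, `audit_event`, the `actor_id` parameter and the event field names are assumptions made for illustration.

```python
import json
import logging
from datetime import datetime, timezone

# Dedicated audit logger, kept separate from application debug logging.
audit_log = logging.getLogger("audit")
audit_log.setLevel(logging.INFO)
audit_log.addHandler(logging.StreamHandler())

class FakeDB:
    """Constructed in-memory stand-in for the page's `db` object."""
    def __init__(self, users):
        self.users = dict(users)

    def delete_user(self, user_id):
        del self.users[user_id]  # raises KeyError for an unknown user

def audit_event(action, actor_id, target_id, outcome, reason=None):
    """Emit one structured audit record: ids only, never email or tokens."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action,        # e.g. "data.delete", as in the verifier output
        "actor_id": actor_id,    # who performed the action (assumed field)
        "target_id": target_id,  # id reference instead of user.email
        "outcome": outcome,      # "success" or "failure"
    }
    if reason:
        event["reason"] = reason  # exception class name only, not its message
    audit_log.info(json.dumps(event))
    return event

def delete_user(db, user_id, actor_id):
    """Delete a user and record the attempt whether it succeeds or fails."""
    try:
        db.delete_user(user_id)
    except Exception as exc:
        # Failed attempts are audited too, then re-raised to the caller.
        audit_event("data.delete", actor_id, user_id, "failure",
                    type(exc).__name__)
        raise
    return audit_event("data.delete", actor_id, user_id, "success")
```

Only the exception class name is recorded on failure because exception messages can carry the same PII or secrets the log is meant to exclude.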

Throughproof Pro — be first to the verifier

The free skill writes compliant logs. Pro proves it: continuous, multi-repo, with exportable control-to-code evidence. Drop your email for early access.

No spam. Just early access and a hand in shaping it.