Your vendor's SOC 2 could be fake. We'll tell you which ones.
We run adversarial verification on vendor compliance reports using 11 public-signal sources. You get findings, not opinions.
Upload a Vendor Report
Starting at $500 per report · $2,000/month unlimited
Three steps to verified compliance
No consultants. No waiting. Just findings.
Upload
Submit a vendor name or compliance report. We accept SOC 3 summaries, trust page URLs, or any public compliance claims.
We Verify
Our engine cross-references the vendor's claims against 11 public-signal sources using deterministic scripts — not AI guesswork.
Get Findings
Receive a transparent findings report within 48 hours with evidence chains, methodology disclosure, and questions for the vendor.
We show our work
Every finding includes the exact data source, query timestamp, and extraction method. Our methodology is versioned, published, and auditable. If a finding goes to court, the evidence chain holds up.
We use deterministic scripts for all signal collection and cross-referencing. No AI hallucinations. No black boxes. Every step is reproducible.
Read our full methodology
- SEC/EDGAR Filings
- GitHub Security Advisories
- Certificate Transparency
- AICPA Peer Review
- HaveIBeenPwned
- Court Records (PACER)
- USPTO Trademarks
- DNS/Subdomain History
- State Corporation Filings
- Job Posting Archaeology
- UKAS/ANAB Directories
What you get
Excerpted from an actual adversarial verification report. Vendor anonymized.
Audit Firm Not Publicly Disclosed
[Vendor]'s trust center and certifications pages describe certifications but do not name the SOC 2 audit firm. The documentation states only: "an independent, external third-party firm."
Many large companies keep audit firm identity confidential, and this is not inherently problematic. However, it prevents independent verification of the auditor's quality without requesting the information directly from [Vendor].
- Source: Trust page analysis + documentation review
- Retrieved: 2026-04-06T06:43:47Z
- Method: VerityHelm Methodology v1.0 — Claim Extraction (§3)
Active Bug Bounty Program with Published Metrics
[Vendor] operates a public bug bounty program with published metrics: $843K+ in bounties paid, 318 valid reports from 511 researchers, 1-hour average response time. The publication of detailed annual statistics demonstrates operational maturity.
- Source: HackerOne public program page + vendor blog
- Retrieved: 2026-04-06
- Method: VerityHelm Methodology v1.0 — Signal Collection (§2)
Questions to Ask the Vendor
- Which CPA firm performed your most recent SOC 2 audit, and what was the audit period?
- Is your SOC 2 audit firm enrolled in the AICPA Peer Review Program?
- How many security incidents occurred during your most recent audit period?
- Which compliance platform(s) do you use for evidence collection, and did the platform facilitate the audit engagement?
- What is your vulnerability disclosure and remediation SLA for critical/high severity issues?
This is an anonymized excerpt from a real verification report. Full reports include 5–10 findings with complete evidence chains, signal freshness data, and methodology disclosure.
Get verified findings on your vendors
Join the waitlist for early access to adversarial compliance verification.