Continuous AWS security audits, priced for bootstrapped SaaS.
169 automated checks across CIS, SOC 2, HIPAA, PCI-DSS, NIST, and ISO 27001. AI remediation steps for every finding. 5-minute setup.
Starter is free forever for accounts under 50 resources. No credit card.
Out-of-the-box checks across all major frameworks
What the product actually does
Find quick-win compliance fixes first
The quick-wins lane surfaces controls like 'enable CloudTrail in all regions' or 'turn on S3 block-public-access at the account level' — fixes that take under 15 minutes of console work. Filter by effort, sort by severity, and close the easy gaps before the 2-day refactors.
Every finding ships with the fix, not a docs link
No 'see AWS docs' dead-ends. Every finding ships with AWS CLI commands, a Terraform block, or the AWS Console click-path — whichever your team uses. Claude-generated remediation plans add plain-English context on why the misconfiguration matters, so a junior engineer can fix it without a tap on the shoulder.
Read-only, with an ExternalId. Always.
The CloudFormation role we install uses a custom least-privilege policy — Describe / Get / List actions only. No s3:GetObject, no secretsmanager:GetSecretValue, no kms:Decrypt. AssumeRole requires a per-customer ExternalId, so knowing our account ID alone is not enough to assume the role: it stays yours.
One scan, six framework mappings
Each of the 169 checks is linked to the control IDs it satisfies in CIS, SOC 2, HIPAA, PCI-DSS, NIST 800-53, and ISO 27001. When an auditor asks for evidence on PCI Requirement 10.2, you can export the matching findings straight from the compliance gaps page.
Scans on our schedule, reports on yours
Daily re-scans on Max (up to 50/month), weekly on Pro (10/month), twice a month on Starter. New findings fan out to Slack, email, or any webhook endpoint you configure. PDF executive summaries generate automatically after every full scan and land in the reports tab.
Three steps. No consultant.
Connect your AWS account
Deploy a CloudFormation template we generate; it creates a read-only IAM role with a per-customer ExternalId.
Run your first scan
CloudArq runs up to 169 checks across your enabled regions — 46 on Starter, 108 on Pro, 169 on Max.
Fix what matters
Quick-wins and criticals surface at the top, each with a CLI command or Terraform block ready to paste.
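Before trusting any vendor's audit role, a practitioner will want to verify two things the text above promises: that the trust policy really gates AssumeRole on an ExternalId, and that the permissions policy really excludes data-access actions. The following is an added example, not CloudArq's template or code: it embeds constructed sample policies (the vendor account ID and ExternalId are placeholders) and checks them offline. It also shows the caveat that a wildcard such as s3:Get* silently grants s3:GetObject even though every action "starts with Get", and that an explicit Deny is the robust way to close that gap.

```python
import fnmatch

# Constructed sample trust policy, as a vendor's CloudFormation template might attach
# to a read-only audit role. Account ID and ExternalId are placeholders, not real values.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder vendor account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-per-customer-id"}},
    }],
}

# Same trust, but without the ExternalId condition: anyone who knows the vendor's
# account ID could be tricked into assuming the role (the confused-deputy problem).
TRUST_POLICY_WEAK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed permissions policy: looks metadata-only, but s3:Get* is broader than it reads.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                   "cloudtrail:DescribeTrails", "s3:GetBucketPolicy", "s3:Get*"],
        "Resource": "*",
    }],
}

# Hardened variant: same Allow list, plus an explicit Deny on the data-access actions.
PERMISSIONS_POLICY_HARDENED = {
    "Version": "2012-10-17",
    "Statement": PERMISSIONS_POLICY["Statement"] + [{
        "Effect": "Deny",
        "Action": ["s3:GetObject", "secretsmanager:GetSecretValue", "kms:Decrypt"],
        "Resource": "*",
    }],
}

# Actions the page says the audit role must never hold: they read data, not configuration.
DATA_ACCESS_ACTIONS = ["s3:GetObject", "secretsmanager:GetSecretValue", "kms:Decrypt"]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _actions(policy, effect):
    """Flatten the Action lists of every statement with the given Effect."""
    return [a for st in policy["Statement"] if st.get("Effect") == effect
            for a in _as_list(st.get("Action", []))]


def _matches(action, pattern):
    # IAM action names are matched case-insensitively and '*' / '?' are wildcards,
    # which fnmatch reproduces for this purpose.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def trust_requires_external_id(policy):
    """True only if at least one Allow sts:AssumeRole statement exists and every
    such statement carries a StringEquals condition on sts:ExternalId."""
    found = False
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        found = True
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False
    return found


def data_access_leaks(policy):
    """Map each forbidden data action to the Allow patterns that would grant it.
    An explicit Deny always wins in IAM evaluation, so denied actions are never leaks.
    Resource and Condition scoping are deliberately ignored: this is a policy lint,
    not a full IAM simulator."""
    allows, denies = _actions(policy, "Allow"), _actions(policy, "Deny")
    leaks = {}
    for forbidden in DATA_ACCESS_ACTIONS:
        if any(_matches(forbidden, d) for d in denies):
            continue
        grants = [a for a in allows if _matches(forbidden, a)]
        if grants:
            leaks[forbidden] = grants
    return leaks


def is_metadata_only(policy):
    """Every allowed action verb must start with Describe, Get or List."""
    return all(a.partition(":")[2].startswith(("Describe", "Get", "List"))
               for a in _actions(policy, "Allow"))


if __name__ == "__main__":
    print("ExternalId required:", trust_requires_external_id(TRUST_POLICY))
    print("Leaks before hardening:", data_access_leaks(PERMISSIONS_POLICY))
    print("Leaks after hardening:", data_access_leaks(PERMISSIONS_POLICY_HARDENED))
```

The point of the two permissions policies is that is_metadata_only passes both, because every verb does start with Get; only data_access_leaks catches that s3:Get* reaches s3:GetObject. When reviewing a vendor's actual template, paste its trust and permissions documents into these constants in place of the constructed samples.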
Simple, transparent pricing
Per AWS account. Scale as you grow.
Starter
Security, cost & reliability basics for small accounts
- 46 infrastructure checks
- Up to 50 resources
- 1 AWS account
- 2 scans/month
- CIS compliance framework
- PDF audit report
Pro
Five pillars with AI remediation and weekly scans
Billed monthly. Cancel anytime.
- Everything in Starter
- 108 checks across 5 pillars
- Up to 500 resources
- 1 AWS account
- 10 scans/month (max 2/week)
- CIS, SOC 2 & HIPAA compliance (3 frameworks)
Max
All 6 pillars, 7 compliance frameworks, daily scans
Billed monthly. Cancel anytime.
- Everything in Pro
- 170 checks — all 6 pillars, full depth
- Up to 2,000 resources
- Up to 3 AWS accounts
- 50 scans/month (max 2/day)
- All 7 compliance frameworks
Organization
Cross-account dashboards under your AWS Organizations root role; volume discount on member accounts
- Everything in Max
- Up to 5 AWS accounts (5,000 pooled resources)
- Cross-account dashboards + OU grouping
- Pooled 100 scans/month across accounts
- Custom compliance frameworks
- Evidence collection for SOC 2 audits
Need more? Contact us for Enterprise pricing →
About us
We're a new company. Talk to the founder.
CloudArq is a small, bootstrapped team. We don't have a logo wall of Fortune 500 customers yet, and we won't put fake ones on this page. If you're evaluating us for a real workload and want to ask the hard questions — security architecture, data residency, how we'd handle a specific audit — email us directly and the founder will reply, usually within a business day.
Ready to see what's in your AWS?
First scan is free. 5 minutes to connect. No credit card, no consultant call.