
Compliance SaaS

TraceLayer

Compliance automation SaaS covering 11 frameworks and 120+ integrations.

Role

Founder & Architect

Timeline

2024–Present

Stack

7 technologies

Stack: Next.js, FastAPI, Supabase, Groq, Llama 3.3, Stripe, Resend

The Brief

The compliance automation market is dominated by Vanta and Drata — products that charge $30–50K/year to help companies pass SOC 2. Both are UI-heavy, integration-heavy, and slow to onboard. The actual compliance work — evidence collection, control mapping, gap analysis — is formulaic enough to be largely automated with modern LLMs.

The question was not whether this was buildable. The question was how fast. Three weeks was the target. It shipped in three weeks.

The Approach

Rather than building a monolithic system, TraceLayer was designed as a network of specialized agents. Each compliance framework — SOC 2, ISO 27001, HIPAA, PCI-DSS — gets its own specialist agent that understands the specific control requirements, evidence standards, and audit expectations for that framework. A routing agent handles user queries and delegates to the appropriate specialist.

This is not a gimmick. The specialization matters: SOC 2 Trust Service Criteria and ISO 27001 Annex A controls use different language and different evidence formats. A single general-purpose agent produces mediocre answers for both. Specialists produce expert answers for their domain.

"The architecture that won was not the most sophisticated. It was the most appropriate."

The technology stack (Next.js, FastAPI, Supabase, Groq with Llama 3.3, Stripe, Resend) was chosen for speed and operational simplicity.

The Build

The first week was architecture. The agent graph was sketched, the framework knowledge bases were structured, and the integration API surface was defined. No code was written until the design was stable.

Week two was the integration layer and core agent logic. 120+ integrations spanning AWS, GCP, Azure, GitHub, Jira, Okta, and Slack were normalized behind a common evidence-collection interface. The framework agents were given structured access to this interface plus their domain knowledge bases.

Week three was the product layer: the dashboard, the gap analysis report generator, the remediation guidance system, and the billing integration. Stripe Checkout with usage-based pricing was wired in on day sixteen.

A key technical decision was the evidence normalization schema. Every integration produces different data formats. A GitHub webhook and an AWS CloudTrail log look nothing alike, but they both need to produce evidence that maps to specific control requirements. The normalization layer is where most of the complexity lives.

class UnsupportedSourceError(KeyError):
    """Raised when no handler is registered for the integration that produced the payload."""

class EvidenceNormalizer:
    def __init__(self, handlers: dict) -> None:
        self.handlers = handlers  # integration name -> handler exposing normalize(raw) -> Evidence

    def normalize(self, source: str, raw: dict) -> "Evidence":
        handler = self.handlers.get(source)
        if not handler:
            raise UnsupportedSourceError(source)
        return handler.normalize(raw)

The framework agent receives normalized evidence and applies its domain knowledge to determine whether the evidence satisfies the relevant control requirements.
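The following is an added, runnable sketch of the two layers just described: per-integration handlers that turn raw payloads into a common Evidence record, and the deterministic part of a framework agent's decision (does fresh evidence meet the control's threshold?). It is illustrative code written for this page, not TraceLayer's own; the handler classes, the GitHub and CloudTrail payload shapes, the control identifiers and their mapping, the 90-day freshness window, and the sample payloads are all constructed assumptions.

```python
"""Added example (not TraceLayer's code): evidence normalization plus a deterministic
control check. Payload shapes, handler names, control mappings and samples are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Evidence:
    source: str            # integration that produced the evidence
    subject: str           # resource the evidence is about (repo, IAM principal, ...)
    attribute: str         # normalized claim, e.g. "console_login.mfa_used"
    value: object          # normalized value of that claim
    observed_at: datetime  # when the upstream system reported it
    controls: list[str] = field(default_factory=list)  # control ids this evidence informs


class UnsupportedSourceError(KeyError):
    """No handler is registered for the integration that produced the payload."""


class GitHubBranchProtectionHandler:
    """Normalizes a branch-protection record; the payload shape is assumed for this example."""
    controls = ["SOC2:CC8.1", "ISO27001:A.8.32"]  # illustrative change-management mapping

    def normalize(self, raw: dict) -> Evidence:
        reviews = raw.get("required_pull_request_reviews") or {}
        return Evidence(
            source="github",
            subject=f'{raw["repo"]}:{raw["branch"]}',
            attribute="branch_protection.required_reviews",
            value=int(reviews.get("required_approving_review_count", 0)),
            observed_at=datetime.fromisoformat(raw["fetched_at"]),
            controls=list(self.controls),
        )


class CloudTrailMfaHandler:
    """Normalizes a CloudTrail ConsoleLogin record into an MFA-usage claim (shape assumed)."""
    controls = ["SOC2:CC6.1", "ISO27001:A.8.5"]  # illustrative access-control mapping

    def normalize(self, raw: dict) -> Evidence:
        if raw.get("eventName") != "ConsoleLogin":
            raise ValueError("only ConsoleLogin events are handled by this example")
        return Evidence(
            source="aws_cloudtrail",
            subject=raw["userIdentity"]["arn"],
            attribute="console_login.mfa_used",
            value=raw.get("additionalEventData", {}).get("MFAUsed") == "Yes",
            observed_at=datetime.fromisoformat(raw["eventTime"].replace("Z", "+00:00")),
            controls=list(self.controls),
        )


class EvidenceNormalizer:
    def __init__(self, handlers: dict) -> None:
        self.handlers = handlers  # integration name -> handler exposing normalize(raw)

    def normalize(self, source: str, raw: dict) -> Evidence:
        handler = self.handlers.get(source)
        if not handler:
            raise UnsupportedSourceError(source)
        return handler.normalize(raw)


# Deterministic slice of a framework agent's job: a control is satisfied only when
# every required attribute has fresh evidence and every observation passes its check.
REQUIREMENTS = {
    "SOC2:CC6.1": {"console_login.mfa_used": lambda v: v is True},
    "SOC2:CC8.1": {"branch_protection.required_reviews": lambda v: v >= 1},
}
MAX_AGE_DAYS = 90  # assumed freshness window; stale evidence does not count


def evaluate_control(control: str, evidence: list[Evidence], now: datetime) -> dict:
    checks = {}
    for attribute, passes in REQUIREMENTS[control].items():
        relevant = [e for e in evidence
                    if e.attribute == attribute and control in e.controls
                    and (now - e.observed_at).days <= MAX_AGE_DAYS]
        checks[attribute] = bool(relevant) and all(passes(e.value) for e in relevant)
    return {"control": control, "satisfied": all(checks.values()), "checks": checks}


# Constructed sample payloads (not real customer or account data).
GITHUB_PAYLOAD = {
    "repo": "example-org/api", "branch": "main", "fetched_at": "2025-01-10T12:00:00+00:00",
    "required_pull_request_reviews": {"required_approving_review_count": 2},
}
CLOUDTRAIL_PAYLOAD = {
    "eventName": "ConsoleLogin", "eventTime": "2025-01-09T08:15:00Z",
    "userIdentity": {"arn": "arn:aws:iam::000000000000:user/example-user"},
    "additionalEventData": {"MFAUsed": "No"},
}


def run_demo(now: datetime | None = None) -> dict:
    now = now or datetime(2025, 1, 15, tzinfo=timezone.utc)
    normalizer = EvidenceNormalizer({"github": GitHubBranchProtectionHandler(),
                                     "aws_cloudtrail": CloudTrailMfaHandler()})
    evidence = [normalizer.normalize("github", GITHUB_PAYLOAD),
                normalizer.normalize("aws_cloudtrail", CLOUDTRAIL_PAYLOAD)]
    return {c: evaluate_control(c, evidence, now) for c in REQUIREMENTS}


if __name__ == "__main__":
    for control, verdict in run_demo().items():
        print(control, "satisfied" if verdict["satisfied"] else "GAP", verdict["checks"])
```

Running the demo reports SOC2:CC8.1 as satisfied (two required approvals) and SOC2:CC6.1 as a gap (a console login without MFA), which is the shape of finding a gap-analysis report is built from. Two design points worth keeping in a real implementation: the "no evidence" case is treated as not satisfied rather than unknown, so a silently broken integration surfaces as a gap instead of a pass, and the freshness window is applied in the evaluator rather than at collection time, so the same stored evidence can be re-evaluated as it ages.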

The Outcome

TraceLayer is live. It has paying customers. It has run competitive demos against Drata and Vanta where the compliance team from a Series B startup chose TraceLayer for the demo quality, the integration breadth, and the price.

Eleven compliance frameworks are supported: SOC 2 Type I/II, ISO 27001, HIPAA, PCI-DSS, GDPR, CCPA, NIST CSF, FedRAMP (partial), CIS Controls, and SLSA. Coverage continues to expand.

The build validated the core thesis: that an agentic development workflow using Claude Code can compress months of product work into weeks without sacrificing quality.

Lessons

The hardest part was not the LLM orchestration. It was the compliance domain knowledge. Getting the agent prompts right — precise enough to produce expert answers, flexible enough to handle edge cases — took as long as the technical integration work.

The lesson: in domain-specific AI products, the domain work is the product work. The LLM is infrastructure.

Multi-tenancy at the data layer is easier to get right at the start than to retrofit. Supabase's RLS policies were set up correctly from day one. This is not a decision I would reconsider.
