[OSS GAP] Access Review / Audit Evidence #security #compliance #audit #b2b
Pain: Startups doing SOC2-style reviews need lightweight evidence collection and approvals, not a full compliance command center. “As I log in I got this msg and it would not let me through unless I agree. Is it okay to agree? Anyone got this? I never requested it.” — reddit (https://www.reddit.com/r/PersonalFinanceCanada/comments/1skytpq/td_broker_says_agree_to_otc/)
Why now: Small teams in 2026 are cutting tool spend and refusing extra platform debt. Vanta, Drata, and Secureframe are strong products, but they are packaged for bigger companies than a single security lead or other small team. That makes a smaller, self-hosted wedge in access review / audit evidence unusually easy to explain.
Tiny wedge: User import for a security lead and other small teams, without Vanta-style pricing and platform weight.
Why this wins: Replaces recurring Vanta spend with a boring, self-hosted alternative for a security lead and other small teams.
Scope cut: Skip the continuous-compliance cloud and the vendor-management suite in v1.
Stack: Node.js + Express + PostgreSQL.