SOC 2 for Healthcare Companies: A 2026 Guide
A complete 2026 guide to SOC 2 for healthcare companies. Learn how SOC 2 maps to HIPAA, prioritize Trust Services Criteria, and prepare for your audit.
Thoropass is a specialist SOC 2 audit firm in New York, NY, USA that charges $12K–$30K for Type II audits with 2–6 week timelines. Founded in 2019, they hold 8 accreditations and specialize in B2B SaaS, FinTech, HealthTech, Insurtech, and Professional Services. Their pricing is below average compared to the specialist average of $21K–$61.9K.
Estimated Type 1 and Type 2 ranges, placed against the broader specialist peer set. Numbers are directional; final pricing depends on scope, Trust Services Criteria, evidence quality, and observation period.
Side-by-side pricing, timeline, and certification counts for the 5 closest-priced peers in the specialist tier.
| | Thoropass | Tempo Audits | Johanson Group | Modern Assurance | MJD Advisors | CyberSapiens Germany |
|---|---|---|---|---|---|---|
| Type II Cost | $12K–$30K | $10K–$30K | $15K–$30K | $7K–$42K | $15K–$35K | $15K–$36K |
| Type I Cost | $8K–$15K | $8K–$20K | $10K–$18K | $5K–$24K | $8K–$20K | $10K–$20K |
| Timeline | 2–6 wk | 2–6 wk | 1–3 wk | 1–7 wk | 2–6 wk | 3–7 wk |
| Team Size | 200–250 | 5–15 | 12–20 | 2–10 | 5–10 | 20–30 |
| Certifications | 8 | 1 | 4 | 3 | 2 | 2 |
| Founded | 2019 | 2022 | 2014 | 2022 | 2021 | 2019 |
For buyers in B2B SaaS and FinTech, Thoropass fits the specialist profile when timeline (2–6 weeks) and Type II pricing ($12K–$30K) align with what specialist firms typically deliver. Their 8 active accreditations, including PCI DSS QSA, PCI ASV, HITRUST Assessor, extend that fit beyond pure SOC 2 into adjacent compliance frameworks.
First-time SOC 2 / ISO 27001 / HIPAA / PCI / HITRUST seekers (under 200 employees) who want one vendor handling both the GRC platform and the audit, eliminating the handoff between Vanta/Drata-style automation and a separate CPA firm. Companies pursuing multiple frameworks who want shared evidence across SOC 2 + ISO 27001 + HITRUST + PCI in a single audit cycle. Mid-market SaaS, fintech, and healthtech seeking 25-50% savings vs. traditional audit firms with fixed pricing.
Bundles a proprietary GRC platform with an in-house CPA firm, PCI QSAC and ASV, and HITRUST Authorized External Assessor under one roof. Same auditor from Day 1 through report issuance, no handoff between readiness vendor and audit firm. First Pass and Smart Sort AI pre-screen evidence before audit, cutting manual overhead up to 80% and completing audits up to 62% faster. 30+ frameworks on a single shared evidence set, plus a standalone audit module that works alongside Vanta, Drata, Secureframe, Hyperproof, Archer, and OneTrust. Active healthcare practice (Array Behavioral Care, Alaffia Health, HealthSnap) covering HITRUST + SOC 2 coordinated audits in PHI-sensitive environments.
Thoropass is the end-to-end cybersecurity auditor for modern compliance teams. It combines accredited auditors, AI-powered evidence automation, and a modern audit operating model to deliver faster, more transparent audits without handoffs, rework, or last-minute surprises. The company owns both ends of the SOC 2 problem: the GRC platform you use to prepare for the audit, AND the licensed CPA firm that signs the audit report. Most of the market splits these roles (Vanta, Drata, and Secureframe handle automation and refer you to a separate auditor like Schellman or A-LIGN). Thoropass collapses that handoff.
Thoropass supports 30+ frameworks (SOC 2, HITRUST, HIPAA, PCI DSS, ISO 27001/27018/42001, NIST CSF 2.0, CMMC L1, GDPR, 23 NYCRR 500, and more) and helps organizations consolidate audits into coordinated, scalable programs. With 200+ integrations and AI-powered evidence workflows, customers reduce manual audit overhead by up to 80% and complete audits up to 62% faster.
Founded in 2019 and rebranded from Laika in March 2023, Thoropass is headquartered in New York with an EMEA hub in London (opened November 2024). The firm has raised $98M across four rounds: Series A ($10M, Sept 2020, led by Canapi), Series B ($35M, led by J.P. Morgan Growth Equity Partners), and Series C ($50M, Nov 2022, led by Fin Capital with Centana Growth, J.P. Morgan, Canapi, and ThirdPrime participating). It now serves 1,000+ organizations, completes 500+ audits annually, and was named to the Inc. 5000 for a second consecutive year in 2025 with 351% three-year growth.
This is the core of Thoropass’s positioning. Three things follow from owning both sides:
Same auditor from Day 1 to the stamp. No transition meeting from your readiness vendor to a separate audit firm. The auditor who scopes your environment is the same one signing the report, and they stay embedded across scoping, fieldwork, and delivery.
First Pass and Smart Sort AI pre-screen evidence. First Pass (Dec 2024) programmatically checks evidence completeness and accuracy before it reaches the auditor. Smart Sort (Jan 2026) ingests any GRC export and converts it into audit-ready evidence. The two work alongside human auditors to programmatically verify evidence before you ever get to audit. Thoropass reports this cuts secondary auditor requests up to 80% and reduces manual QA time by 95%.
Shared evidence across frameworks. SOC 2, ISO 27001, PCI DSS, and HITRUST use the same control set with one collection cycle. For companies pursuing two or more frameworks, this eliminates redundant evidence work and underpins the 62% faster audit cycle vs. traditional process.
The platform also supports companies who don’t want to switch GRC tools. Since 2025, the audit module is available standalone for customers already on Vanta, Drata, Secureframe, Hyperproof, Archer, or OneTrust. The “our GRC or yours” model lets buyers preserve existing investments while still consolidating audit execution.
The AICPA issued a Peer Reviewer Alert in December 2022 about self-review threats when compliance automation platforms also have audit affiliates. Thoropass has addressed this publicly: evidence flows through standardized APIs reviewed and approved by auditors before deployment, and the licensed CPA firm operates under AICPA Code of Professional Conduct standards. They’ve now passed two AICPA peer reviews with the “Pass” rating, the highest available.
This matters because the rest of the market sometimes raises independence concerns about platform-plus-audit firms. Two peer review passes (2022 and 2025) are the strongest counter-evidence available.
Thoropass markets coverage across 30+ frameworks total with control-mapping that lets a single evidence set satisfy several reports.
Worth noting what’s missing: no FedRAMP capability, no StateRAMP, no CMMC Level 2 C3PAO status. Companies targeting federal authorizations will need a 3PAO partner.
Yes. Thoropass runs an active healthcare practice focused on digital health, healthcare SaaS, and PHI-sensitive environments, with HIPAA / HITECH assessments delivered in-house and HITRUST i1 and r2 Validated Assessment & Certification offered under its HITRUST Authorized External Assessor status. For most healthcare buyers the typical engagement is a coordinated HITRUST + SOC 2 audit on a single shared evidence set, which avoids duplicating control work and shortens the overall cycle.
The healthcare positioning is backed by published customer stories rather than logos alone:
Sam Li, Co-Founder & CEO. UVA Computer Science, Harvard MBA. Previously co-founder and CTO of Zinc Platform (YC-backed insurtech), with stints at Google, Goldman Sachs, and Cambridge Associates. Named a 2026 EY Entrepreneur Of The Year New York finalist.
Eva Pittas, Co-Founder, President & COO. Spent 20+ years at Citigroup as Managing Director of IT Risk & Control and Vendor Management for the Institutional Clients Group. Founded BRCG, a boutique fintech compliance consultancy, before Laika/Thoropass. NYU Stern.
Austin Ogilvie, Co-Founder & Executive Chairman. Background in data science and ML, previously at Alteryx.
Dicken Chaplin, CFO. Joined December 2022. Previously CFO at Turbonomic, where he grew revenue from $20M to $200M+, leading to a $2B acquisition by IBM.
Leith Khanafseh, Managing Partner, Assurance & Compliance Products. Previously led infosec audits at Coalfire for major cloud service providers, plus Big 4 experience.
Chris Biero, Senior Director, Head of SOC. 10+ years in GRC across startups and Fortune 500 firms.
Thoropass does not publish a rate card, but their own SOC 2 cost guide publishes the following audit-fee ranges for companies between 5 and 100 employees:
For larger mid-market and enterprise engagements (50 to 200+ employees, multi-framework programs), Vendr buyer data places typical annual contract value around $30,728 median (range $20,930 to $53,273), with small companies at $20K to $40K/year and mid-sized at $40K to $90K/year for the platform subscription, plus separate auditor fees. The platform-plus-audit bundle is the most common engagement, but the audit module is also sold standalone for companies already on Vanta, Drata, Secureframe, Hyperproof, Archer, or OneTrust.
Per Thoropass’s own SOC 2 cost guide, SOC 2 Type 1 audits take 2 to 3 months and SOC 2 Type 2 audits take 3 to 9 months (for companies between 5 and 100 employees). Larger or multi-framework engagements can extend beyond this. Thoropass markets “SOC 2 in weeks, not quarters” and reports a 62% faster time to audit completion vs. traditional process; published customer outcomes for audit-ready teams show what the fast end looks like in practice:
These are best-case outcomes. Teams starting from zero on policies, evidence collection, or first-time framework scoping should plan toward the longer end of the published range. The firm reports 80%+ of technical control evidence is auto-collected via integrations, and the First Pass AI layer reduces audit overhead by ~80%.
Named customers include:
G2 rating: 4.7/5 across 435+ reviews, with 74.7% in the Small-Business segment.
Critical feedback from G2 reviews surfaces a recurring set of complaints: UI can be clunky, limited bulk-edit options, occasional integration breakage, and slower performance at scale. Buyers weighing Thoropass should pressure-test the workflow against their specific cloud stack before committing.
Thoropass occupies a category of one in the SOC 2 market: the only company that ships a GRC platform AND signs the audit report. For first-time buyers pursuing multiple frameworks who value speed and fixed pricing over brand prestige, the bundle is compelling and the AICPA Peer Review track record answers the obvious independence question.
Where it gets tighter: if you already love your current GRC tool, the standalone audit module is a viable path, but you lose the workflow advantages that justify the bundle. If your buyers demand a Big-4 brand on the audit report, Thoropass is the wrong choice. And if you’re heading toward FedRAMP or CMMC Level 2 in the next 12–18 months, you’ll need a different partner anyway.
For early-to-mid-stage SaaS, fintech, and healthtech with one vendor needed, fast turnaround required, and predictable fixed pricing preferred, Thoropass is one of the most differentiated options in the specialist auditor market.
"Some of the best money I ever spent. Thoropass and being compliant ended up helping us close our second-largest customer."
"Thoropass combines readiness, evidence management, and auditor interaction in a single platform. The ability to collaborate with the auditor directly in-platform reduces friction and prevents duplicative work."
"For the past month, we've told our customers we're in the process of getting our SOC 2 and ISO 27001. Having the reports in our hands alleviates any concern from our customers."
"With no prior knowledge, Thoropass laid out an easy-to-understand road map. Setting attainable goals with a reasonable timetable made the process extremely easy with multiple team members."
Thoropass Audit Lifecycle Platform (First Pass AI, Smart Sort AI, Trust Center, Access Review Automation, 200+ integrations)
Thoropass SOC 2 Type I audits typically range from $8K to $15K. Type II audits range from $12K to $30K. This is below average for specialist firms — the specialist tier average is $21.025K–$61.882K. Final pricing depends on your organization's scope, number of trust service criteria, and system complexity.
A typical SOC 2 engagement with Thoropass takes 2 to 6 weeks from start to report delivery. They offer accelerated timelines for organizations that are audit-ready.
Thoropass has deep expertise in B2B SaaS, FinTech, HealthTech, Insurtech, and Professional Services. They are best suited for first-time SOC 2 / ISO 27001 / HIPAA / PCI / HITRUST seekers (under 200 employees) who want one vendor handling both the GRC platform and the audit, for companies pursuing multiple frameworks who want shared evidence across SOC 2 + ISO 27001 + HITRUST + PCI in a single audit cycle, and for mid-market SaaS, fintech, and healthtech seeking 25–50% savings vs. traditional audit firms with fixed pricing.
Thoropass holds 8 accreditations: AICPA, CPA Firm, AICPA Peer Review, PCI DSS QSA, PCI ASV, HITRUST Assessor, ISO 27001 Certification Body, ISO 42001. This is above average for specialist firms, indicating broad certification capabilities.
Thoropass uses its own Audit Lifecycle Platform (First Pass AI, Smart Sort AI, Trust Center, Access Review Automation, 200+ integrations) for audit engagements, with the proprietary platform handling evidence collection and compliance automation. Turnaround is marketed as “weeks, not quarters” (62% faster than the traditional process).
Thoropass is headquartered in New York, NY, USA, with an EMEA hub in London, UK. They serve clients across the United States and can conduct SOC 2 audits remotely.
Compared to the 65 specialist firms in our directory, Thoropass's Type II pricing ($12K–$30K) is below average (tier average: $21.025K–$61.882K). They hold 8 certifications vs. the tier average of 4. Their minimum timeline of 2 weeks is faster than the tier average.