The trigger. An enterprise customer shows interest. You have a lean team, as many agents as people, and SOC2 lands in your inbox with no prep.
What most find when they go looking. Nothing at all, or a shitty SOC2 from the year before that raised more questions than it answered. Priya opens the AWS console for the first time with security in mind. The S3 bucket their product writes to: public. The IAM user they use for deployments: AdministratorAccess, key created on day one, never rotated, stored in a .env file that got committed to the repo twice. Root account: no MFA. CloudTrail: off. Three security groups with 0.0.0.0/0 ingress she doesn't remember creating.
The trap. Confusing evidence collection with evidence generation. Most automation is just structured collection: a tool pulls an API snapshot instead of a human taking a screenshot. Better hygiene, not a different thing. Vanta and Drata solved collection. That works for configuration-state controls: encryption enabled, MFA enforced, branch protection configured. Process controls are different. Access reviews, change approvals, incident response still depend on human-generated artifacts. Type I friction is mostly gone. Type II ceiling hasn't moved. Early-stage teams also need to know what matters and what can wait. That judgment is domain-specific. HIPAA is not ISO is not SOC2 Type I.
Where existing tools stop. Escher is the bridge between your team and the auditor. Claude Code helps Priya write the fix, draft the policy, answer the questionnaire. The writing gets faster but it starts from what Priya tells it. She still has to go find that out herself. Console, service by service, region by region, reconstructing what exists before she can describe it to anything. The three days become two. The hard part is exactly as hard. That's the gap Escher fills.
Built: three independent checks
01 Vanta/Drata trust page: checks trust.vanta.com and security.drata.com. Known false positive rate (~50%) from SPA routing; treat as confirmed only when a second signal agrees.
02 Pricing page enterprise tier: fetches /pricing, requires "enterprise" and "contact sales/custom pricing" in actual page content. Reliable, no false positives.
03 Own-domain security page: fetches /security, /trust, /compliance, requires 2000+ characters and security keywords (SOC2, HIPAA, ISO 27001, encryption). Content-gated, no noise.
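The three content-gated checks and the "second signal agrees" rule, as an added example in Python that is not Escher's own code: it runs on already-fetched HTML (the fetch itself is left out), the sample pages are constructed, and the 200-character SPA-shell threshold is an assumption of this example.

```python
import re

# Gating rules from the three checks; the SPA-shell threshold is this example's assumption.
SECURITY_KEYWORDS = ("soc2", "soc 2", "hipaa", "iso 27001", "encryption")
MIN_SECURITY_PAGE_CHARS = 2000
MAX_SPA_SHELL_CHARS = 200

def visible_text(html: str) -> str:
    """Drop script/style blocks and tags, collapse whitespace (offline, no DOM)."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    return re.sub(r"\s+", " ", re.sub(r"(?s)<[^>]+>", " ", html)).strip()

def is_spa_shell(html: str) -> bool:
    """A SPA answers HTTP 200 with an empty app root for any route, so a
    status-only trust-page check fires on nothing; gate on rendered text instead."""
    return len(visible_text(html)) < MAX_SPA_SHELL_CHARS

def has_security_keywords(html: str) -> bool:
    text = visible_text(html).lower()
    return any(k in text for k in SECURITY_KEYWORDS)

def trust_page_signal(status: int, html: str) -> str:
    """Check 01: 'confirmed', 'weak' (SPA shell, needs a second signal) or 'none'."""
    if status != 200:
        return "none"
    if is_spa_shell(html) or not has_security_keywords(html):
        return "weak"
    return "confirmed"

def enterprise_tier_signal(html: str) -> bool:
    """Check 02: 'enterprise' plus a contact-sales / custom-pricing phrase in page text."""
    text = visible_text(html).lower()
    return "enterprise" in text and ("contact sales" in text or "custom pricing" in text)

def security_page_signal(html: str) -> bool:
    """Check 03: 2000+ characters of real content and at least one security keyword."""
    return len(visible_text(html)) >= MIN_SECURITY_PAGE_CHARS and has_security_keywords(html)

def confirmed_signals(trust: str, pricing: bool, security: bool) -> int:
    """Stack the checks; a weak trust-page hit counts only when another signal agrees."""
    count = int(pricing) + int(security)
    if trust == "confirmed" or (trust == "weak" and count > 0):
        count += 1
    return count

# Constructed sample pages (not real sites): an SPA shell, a pricing page, a security page.
SPA_SHELL = '<!doctype html><html><head><title>Trust Center</title><script src="/app.js"></script></head><body><div id="root"></div></body></html>'
PRICING_PAGE = "<html><body><h1>Pricing</h1><p>Starter: $29/month</p><p>Enterprise: contact sales for custom pricing</p></body></html>"
SECURITY_PAGE = "<html><body><h1>Security at Acme</h1>" + 20 * "<p>All customer data uses AES-256 encryption at rest and TLS 1.2+ in transit. Our SOC2 Type II report is available under NDA.</p>" + "</body></html>"
```

With these samples the trust-page check alone reports only "weak", and the prospect reaches three stacked signals only because the pricing and security pages both pass their content gates.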
Results
196 flagged · ~15–20 with pricing:enterprise-tier confirmed · top 6 have multiple P5 signals stacking