Comparison
A Comp AI alternative with deterministic checks and no license contagion
Scorifya Controls is a self-hosted SOC 2 compliance tool. 33 deterministic Python check runners across AWS, GitHub, GCP, and Azure. 20 manual controls with evidence tracking. RFC 3161 timestamps on every attestation. Three tiers from $99/mo, no per-seat charges, and a closed-source binary that keeps AGPLv3 obligations out of your deployment.
Why teams pick Controls over Comp AI
Deterministic over AI
Every Controls check is a hand-written Python function that hits a specific AWS, GCP, Azure, or GitHub API and returns pass, fail, or error. No AI generation, no hallucinated coverage, no surprise behavior between releases. Auditors can read the exact code that produced the evidence.
No AGPLv3 contagion
Comp AI's self-hosted core is AGPLv3. If your compliance pipeline ever sits next to a customer-facing service, that license can pull downstream code into review. Controls ships as a closed-source binary, so the license boundary stops at your container.
Unbundled audit
Comp AI Pro at $997/mo includes a SOC 2 audit. Useful if you do not have an auditor yet. If you already work with a CPA firm, or you want to choose your own, Controls separates platform pricing from audit pricing so you pay for what you need.
How Controls compares to Comp AI
| Dimension | Comp AI | Scorifya Controls |
|---|---|---|
| Check engine | AI-driven check generation | 33 deterministic Python runners, one per criterion |
| License | AGPLv3 (self-hosted core) | Closed-source binary, no copyleft contagion |
| Audit included in price | Yes on Pro ($997/mo) | No, bring your own CPA firm |
| Pricing model | Two managed tiers, $199 and $997/mo | Three tiers, $99 / $249 / $499 monthly, ~16% off annual |
| Starter price | $199/mo managed | $99/mo, $79/mo Founders (first 25) |
| Data residency | Self-host option, managed is hosted | Self-hosted on Docker, no managed alternative |
| Auditor portal | Yes | Yes, read-only link, no account required |
| Cryptographic timestamps | Not advertised | RFC 3161 tokens from DigiCert on every attestation |
| Air-gapped TSA support | Not advertised | Custom TSA env var supported |
| Cloud coverage | Broad SaaS surface area | AWS, GCP, Azure, GitHub. 33 checks, all AICPA-mapped |
| Setup time | Onboarding flow | Three Docker commands, first scan within an hour |
Comp AI information based on the publicly published pricing page and the AGPLv3-licensed source repository as of mid-2026. Controls information reflects the current shipped product.
What Controls delivers
- ✓ 33 deterministic Python check runners: AWS (14), GCP (7), Azure (7), GitHub (5). Every runner maps to a specific AICPA TSC 2017 criterion. No AI in the evaluation path.
- ✓ 20 manual controls with attestation, evidence file uploads, and next-review-date tracking.
- ✓ Posture score trend chart so you can show auditors continuous improvement.
- ✓ Drift detection with Slack alerts when a control that was passing starts failing between runs.
- ✓ Read-only auditor portal, time-limited share link, no Scorifya account required for the auditor.
- ✓ RFC 3161 cryptographic timestamps from DigiCert on every attestation. Auditors verify offline with OpenSSL, entirely independent of Scorifya.
- ✓ Custom TSA env var for air-gapped or sovereign-cloud environments where DigiCert is not reachable.
- ✓ Audit period tracking with a days-elapsed progress bar covering the full observation window.
- ✓ Print-to-PDF report generation for the auditor package, with all 33 checks and 20 controls.
- ✓ Closed-source binary distribution: deploy on any Docker host, no AGPLv3 obligations propagating into your stack.
Evidence quality your auditor can verify without trusting either of us
The hard part of self-hosted compliance is convincing the auditor that the timestamps on your evidence are real. Controls uses RFC 3161, an IETF standard for trusted timestamping. DigiCert signs every attestation token. Your auditor verifies it offline with OpenSSL using DigiCert's root certificate, which is already in their trust store. No Scorifya account, no Comp AI account, no vendor dependency.
Pricing, side by side
Comp AI: Managed Starter at $199/mo; Managed Pro at $997/mo (audit included). Self-hosted core is AGPLv3.
Scorifya Controls: Starter, Pro, and Team at $99 / $249 / $499 per month. Monthly or annual, no per-seat charges. Founders pricing: 20% off, forever, for the first 25 buyers in each tier.
Common questions
How is this different from Comp AI?
Comp AI uses an AI-driven approach to generate and evaluate checks. Controls ships a fixed library of 33 deterministic Python check runners, one per AICPA criterion. The trade-off is intentional: Controls covers fewer surfaces but every check is auditable code you can read, fork, and reason about. Auditors who want to know exactly what was tested can read the source.
Why does the AGPLv3 license matter to me?
Comp AI's self-hosted core is AGPLv3, which can extend obligations to any service that integrates it. If your compliance pipeline ever touches customer-facing infrastructure, that license can become a downstream legal review. Controls ships as a closed-source binary, so the license boundary stops at your deployment.
Do I have to buy an auditor through Scorifya?
No. Comp AI's Pro plan bundles a SOC 2 audit; Controls separates the platform from the audit. You bring your own CPA firm and pay them directly. The auditor portal exports everything they need to review without a Scorifya account.
What does the pricing look like versus Comp AI?
Controls has three tiers: Starter at $99/mo (AWS + GitHub), Pro at $249/mo (all four clouds), Team at $499/mo (multi-tenant for agencies). All monthly or annual, no per-seat charges. Comp AI's managed Starter is $199/mo and Pro is $997/mo with audit bundled. If you already have an auditor or are price-shopping on the platform alone, Controls' Starter and Pro tiers undercut Comp AI's.
Can I switch from Comp AI to Controls mid-observation-window?
Yes. Your check history lives in your Postgres database, not on a vendor server. Run an export from Comp AI, deploy Controls, point it at the same cloud credentials, and the next check run starts populating your own database. The RFC 3161 timestamps on new attestations carry forward independently of either platform.
Does Controls have an AI agent?
No, and that's deliberate. AI-generated checks risk hallucinating coverage that does not exist in code. Every Controls check is a hand-written Python function with explicit AWS/GCP/Azure/GitHub API calls. You can read each one in the open-source check library before deploying. Auditors prefer this over 'the AI says this passed.'
See everything Controls includes
Full feature list, live pricing, and a Docker quick-start on the product page.