Thoropass review: audit and automation under one roof
Thoropass, formerly Laika, pairs compliance automation software with its own in-house audit firm, so readiness and attestation both happen with a single vendor. The model removes a major source of handoff friction but suits mid-market buyers more naturally than the smallest startups.
The single-vendor audit model
Thoropass, which operated as Laika before rebranding in 2023, is unusual in that it sells both the compliance software and the audit itself. Most compliance automation platforms get you audit-ready and then hand you off to a separate CPA firm, which means two contracts, two onboarding processes, and a gap where evidence formatted for the tool has to be re-explained to an outside auditor. Thoropass closes that gap by running the attestation through its own affiliated assurance practice, with an auditor involved from early in the engagement rather than appearing at the end. For buyers who find the readiness-then-handoff sequence frustrating, this integrated structure is the platform's central selling point.
Frameworks and SOC 2 coverage
Thoropass covers a broad slate of frameworks including SOC 1 and SOC 2, ISO 27001, ISO 27018, the newer ISO 42001 for AI management systems, HIPAA, HITRUST, PCI DSS, GDPR, NIST CSF 2.0, CMMC, and Cyber Essentials. For SOC 2 specifically, it supports both Type 1 and Type 2 reports across the Trust Services Criteria, so you can scope to Security alone or add categories like Availability and Confidentiality. The presence of ISO 42001 and NIST CSF 2.0 signals the company keeps pace with current standard versions rather than lagging on framework updates. If your roadmap includes stacking ISO 27001 or HITRUST on top of SOC 2, doing it through one vendor that also audits is a coherent path.
OrO and First Pass AI
Thoropass frames its approach as the OrO Way, blending automated evidence collection with hands-on guidance and a dedicated auditor relationship. Its First Pass AI feature is designed to reduce the back-and-forth between evidence collection and auditor acceptance by pre-checking artifacts before they reach a reviewer, which is where audits often stall. The platform connects to common tools through a library of auditor-vetted integrations covering cloud providers, identity, source control, and ticketing systems to automate evidence gathering. Because the same company both builds the automation and runs the audit, the AI pre-checks are tuned to what its own auditors will actually accept, which is a meaningful difference from generic readiness tools.
Pricing and who benefits
Thoropass does not publish fixed tiers; pricing is quote-based and bundles software plus audit, so the number you receive depends on framework count, company size, environment complexity, and modules selected. Bundling means a single line item covers both the platform and the attestation, which simplifies budgeting but also means the software and audit costs are entangled rather than separable. The model tends to deliver the strongest value for mid-market companies pursuing a first SOC 2 or running several frameworks, where coordinated readiness and audit save real time. Very small startups working on a single, simple audit may find the all-in package heavier than they need, and teams wanting maximum flexibility to choose their own auditor should weigh the tradeoff of locking readiness and attestation to one provider.