SecPortal vs Thoropass
compliance plus audit-as-a-service vs security testing workspace
Thoropass combines a compliance automation platform with an in-house audit team to run SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, HITRUST, NIST CSF, CMMC, and SOX programmes end-to-end on one tenant. Integrations into cloud accounts (AWS, GCP, Azure), identity providers (Okta, Google Workspace, Microsoft Entra), HR and onboarding systems, MDM, and code surfaces (GitHub, GitLab, Bitbucket) feed a control catalogue and a continuous evidence pull; in-product AI drafts policy and remediation copy; and an embedded auditor signs the examination at the end of the cycle. SecPortal is a different shape: scoped engagements, manual finding entry, AI report generation, branded client portal, native external and authenticated web scanning, code scanning on connected repositories, retesting, findings management with CVSS 3.1 scoring, and the exception register all live inside one workspace. This page is the side-by-side for buyers comparing a compliance automation platform bundled with audit labour to a security testing and remediation workspace that scans, records, reports, and delivers findings to clients, business units, or auditors.
No credit card required. Free plan available forever.
| Feature | SecPortal | Thoropass |
|---|---|---|
| Primary use case | Security testing and remediation workspace with scanning, findings, AI reports, and branded portal on one tenant | Continuous compliance automation platform combined with an in-house audit team that runs SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, HITRUST, NIST CSF, CMMC, and SOX programmes end-to-end |
| Built-in external vulnerability scanning (16 modules) | Yes | Reads evidence from external scanner integrations (Tenable, Qualys, AWS Inspector, similar) rather than running scans itself |
| Authenticated web application scanning (DAST) | Yes | No |
| Code scanning (SAST and SCA via Semgrep) on connected repositories | Yes | Pulls code-side evidence from GitHub/GitLab integrations; does not run SAST or SCA scans itself |
| Subdomain enumeration and external attack surface discovery | Yes | No |
| Domain verification before any external scan (DNS TXT or meta tag) | Yes | No external scanning surface to gate |
| Continuous scheduled scanning cadence (daily, weekly, biweekly, monthly) | Yes | Continuous control checks against integration-sourced evidence rather than active scanning |
| Engagement model with scope, ROE, and deliverables | Yes | No |
| Manual finding entry with full editor (for pentest and review findings) | Yes | Manual evidence upload against controls rather than a finding editor for technical pentest findings |
| Findings management with CVSS 3.1 auto-scoring | Yes | Control coverage views and risk register rather than CVSS-scored vulnerability findings |
| 300+ finding templates with remediation guidance | Yes | Pre-built control catalogue with AI-drafted remediation suggestions; not a vulnerability finding template library |
| Scanner result import (Nessus, Burp Suite, CSV) | Yes | Scanner integrations feed control evidence; not a generic finding-import surface |
| Encrypted credential vault for authenticated scans (AES-256-GCM) | Yes | Stores integration tokens for evidence collection; not a credential vault for active scanning |
| Retest workflow paired to original finding | Yes | Continuous control re-checks rather than a paired-retest workflow on a finding |
| Exception register with eight-field decision chain | Yes | Risk acceptance captured against controls inside the platform |
| Compliance framework templates and control mapping | 21 frameworks including OWASP, OWASP ASVS, OWASP MASVS, OWASP API Security Top 10, ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST 800-171, FedRAMP, MITRE ATT&CK, DORA, NIS2, CIS Controls, and Essential Eight | SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, HITRUST, NIST CSF, CMMC, SOX, and custom-framework support with continuous evidence checks |
| AI-powered report generation (executive, technical, remediation) | Yes | AI drafts policy and remediation copy on the control record; not engagement-shaped narrative pentest deliverables |
| Branded white-label client portal on your subdomain | Yes | Auditor-facing examination workspace and trust pages under the Thoropass-hosted domain |
| Bundled in-house audit team for SOC 2 / ISO 27001 examination | No | Yes |
| Continuous control monitoring across cloud, identity, HR, MDM, code, and device integrations | No | Yes |
| Employee security training tracking and policy acknowledgement | No | Yes |
| Background check and HR onboarding evidence | No | Yes |
| Vendor risk management module across third-party suppliers | Vendor security questionnaire response workflow on the engagement record | Yes |
| Auditor portal for SOC 2 and ISO 27001 examination support | Activity log with CSV export and per-engagement evidence pack | Built-in auditor seat and observation period workflow |
| Integrated invoicing and Stripe Connect payments for engagements | Yes | No |
| Activity audit trail with CSV export | Yes | Platform audit logs available |
| MFA enforcement on every workspace | Yes | SSO/SAML on higher tiers; MFA configuration per tenant |
| Free plan available | Yes | No |
| Pricing model | Free, Pro, Team | Sales-led annual contract licensing bundled with audit labour and scaled by framework count, organisation size, and module footprint |
| Setup time | 2 minutes | Integration connection across cloud, identity, HR, MDM, and code surfaces plus control mapping and audit-scoping calibration |
| Best fit for | AppSec teams, internal security teams, vulnerability management teams, product security teams, pentest firms, MSSPs, and consultancies that scan, record, report, and deliver findings from one workspace | GRC and compliance owners who want a single vendor for compliance automation plus the in-house audit team across SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, HITRUST, NIST CSF, CMMC, and SOX |
SecPortal vs Thoropass: compliance plus audit-as-a-service vs security testing workspace
Thoropass is a compliance automation platform combined with an in-house audit team that runs SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, HITRUST, NIST CSF, CMMC, and SOX programmes end-to-end on one tenant. The platform connects to cloud accounts (AWS, GCP, Azure), identity providers (Okta, Google Workspace, Microsoft Entra), HR and onboarding systems, MDM, and source code platforms (GitHub, GitLab, Bitbucket), runs continuous checks against the control catalogue, drafts policy and remediation copy with the in-product AI, and routes evidence into an examination performed by a Thoropass auditor who can sign the SOC 2 or ISO 27001 report at the end of the cycle. The buyer assumption is one vendor for both the compliance automation surface and the audit-firm relationship.
SecPortal is a different category. SecPortal is a security testing and remediation workspace that carries scoped engagements, manual and scanner-driven findings, AI-generated reports, a branded client portal, the exception register, and an audit trail all on one tenant. The buyer is an AppSec team, an internal security team, a vulnerability management team, a product security team, a penetration testing firm, an MSSP, or a security consultancy whose work covers scanning, finding, reporting, and delivering to clients, business units, or auditors. If you are comparing a compliance automation platform that bundles audit labour to a security testing workspace that scans, records, reports, and ships findings, this page is the side-by-side. The adjacent comparisons buyers in the GRC and compliance category often evaluate alongside are SecPortal vs Vanta, SecPortal vs Drata, SecPortal vs Secureframe, and SecPortal vs OneTrust.
Where Thoropass stops for security testing, finding, and delivery work
These are not Thoropass-specific criticisms; they are properties of a compliance automation platform plus audit-firm bundle when you compare it to running scoped engagements, manual reviews, external and authenticated web scanning, code scanning, AI report writing, and branded delivery on a single workspace.
Built as a compliance and audit-as-a-service platform, not a security testing workspace
Thoropass started as an in-house audit firm and now combines a compliance automation platform with a network of in-house auditors and consultants who run SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, HITRUST, NIST CSF, CMMC, and SOX programmes end-to-end. The product connects to cloud accounts (AWS, GCP, Azure), identity providers (Okta, Google Workspace, Microsoft Entra), HR and onboarding systems, MDM, and source code platforms (GitHub, GitLab, Bitbucket), then runs continuous checks against the control catalogue and routes evidence into the audit observation period that Thoropass auditors examine inside the same tenant. The buyer is the GRC, compliance, or operations owner who wants a single platform plus an embedded audit team. SecPortal is a different shape: scoped engagements, manual finding entry, AI report generation, branded client portal, native external and authenticated web scanning, code scanning on connected repositories, retesting, findings management with CVSS 3.1 scoring, and the exception register all live inside one workspace on the security testing side.
No active vulnerability scanning surface
Thoropass does not run its own external attack surface scan, authenticated DAST against a logged-in application, or SAST and SCA on connected repositories. The platform reads control evidence from external scanner integrations (Tenable, Qualys, AWS Inspector, GitHub code scanning, and similar) and code-repository metadata rather than running scans itself. If the security team needs to scan a perimeter, run a logged-in DAST pass, or run SAST plus dependency analysis against a repository as part of the security testing programme, that work happens in a separate platform that feeds Thoropass evidence afterwards. SecPortal runs 16 external scanner modules across DNS, TLS, ports, headers, technology, subdomain enumeration, path probing, and CVE correlation on any verified domain, authenticated web scanning behind stored credentials, and Semgrep-powered SAST plus dependency analysis on repositories connected by GitHub, GitLab, or Bitbucket OAuth.
No engagement, scope, or scoped deliverable model
Thoropass is organised around the framework programme, the control, the policy, the continuous evidence pull, and the auditor-led examination cycle. There is no scoped engagement record with a kickoff, a defined target list, rules of engagement, a final report, and a closure date. If the work being shipped is a penetration test, a vulnerability assessment, an external attack surface programme, an AppSec code review, a third-party security review, or a billable security assessment with a contract scope and a deliverable, Thoropass does not carry that record. SecPortal does, on the same workspace as the scanner stack, the AI report generator, and the branded client portal.
No branded client portal for technical findings delivery
Thoropass provides a trust page and an auditor-facing examination workspace, but those are compliance-evidence and audit-observation surfaces, not delivery portals for technical pentest findings, retest cycles, remediation conversations, and report downloads on a tenant subdomain under your security team or consultancy brand. The Thoropass surface is hosted under the Thoropass domain. SecPortal serves a branded client portal on a tenant subdomain so every finding, retest, remediation thread, and report download lives under your name rather than under a vendor name.
AI assists policy and control narrative, not pentest report deliverables
The AI surface inside Thoropass is positioned around the compliance work: drafting policy language, summarising evidence against the control, accelerating control mapping, and writing audit-ready narrative for the GRC or compliance owner. It is not a narrative report generator that drafts an executive summary, a technical findings section, and a remediation roadmap from a live pentest findings record with CVSS vectors, evidence files, and per-finding owner data. SecPortal AI report generation runs Claude against the engagement record to produce executive, technical, and remediation deliverables that a client, an application owner, or an internal stakeholder receives at the end of an assessment.
Sales-led pricing bundled with audit labour
Thoropass pricing is sales-led and scaled by framework count, organisation size, and the bundle that includes the in-house audit labour. The platform-plus-audit bundle fits enterprise procurement where the buyer wants a one-stop provider rather than separate compliance automation, separate auditor, and separate security testing toolchain. SecPortal pricing is published on the website with a free plan, monthly Pro and Team tiers, and no annual contract floor for the Pro and Team tiers; the security testing workspace runs on the same self-service flow regardless of whether the buyer also runs Thoropass on the compliance side.
How an audit-as-a-service platform and a security testing workspace see the same problem differently
Compliance automation plus embedded auditor is a useful framing for control evidence and the audit relationship. The buyer should be clear-eyed about what an audit-as-a-service platform gives you and where the engagement, scan, manual finding, and delivery workflow has to go instead. The contrast below is between a compliance platform that derives value from reading control evidence and routing it to an embedded auditor and a security testing workspace that holds the engagement record on the tenant where the operators work.
Audit-as-a-service reads control evidence and routes it into an embedded audit team
Thoropass, Vanta, Drata, Secureframe, Sprinto, Hyperproof, and similar compliance automation platforms each take the framework catalogue as the asset of record. Thoropass differentiates by stitching the embedded auditor into the same tenant: the platform pulls configuration from cloud, identity, HR, MDM, and code surfaces, runs continuous checks against the control catalogue, and routes the resulting evidence into an examination performed by a Thoropass auditor who can sign the SOC 2 or ISO 27001 report at the end of the cycle. The economic value sits in compressing the auditor handoff that GRC owners used to manage by hand across separate platforms.
A security testing and remediation workspace owns the finding from scan to closure
SecPortal does not assume that a compliance automation platform or an embedded auditor is the right shape for every kind of security work. The workspace runs scoped engagements, supports manual finding entry from a tester or reviewer, runs its own external and authenticated web scanning plus code scanning on connected repositories, calibrates severity through CVSS 3.1 with environmental adjustment, captures the exception register on the same record as the finding, ships AI-generated executive, technical, and remediation deliverables, and serves the report and the live findings through a branded client portal on a tenant subdomain. The same record holds for a scoped pentest, a continuous vulnerability assessment, an AppSec code review, a third-party security review, and an external attack surface programme.
Most enterprises run both, with each platform doing what it was built for
The honest framing is that an audit-as-a-service platform and a security testing workspace solve adjacent problems. Thoropass carries the framework evidence and the auditor relationship between certification cycles. SecPortal carries the engagement, scan, finding, exception, retest, and report record that produces the technical security evidence the auditor reads against the control. The two coexist: GRC operates on the framework catalogue inside Thoropass, the security testing team operates on the engagement record inside SecPortal, and the audit observation period reconstructs from both surfaces without rewriting either.
Who each platform is the right fit for
Thoropass and SecPortal solve adjacent problems for different buyers. The honest answer is that the right tool depends on whether the work is continuous control-evidence automation plus an embedded auditor or scoped engagements, manual review, scanning, AI reporting, and branded delivery on one workspace. Many enterprises run both, with Thoropass carrying the framework-evidence and audit-relationship layer and SecPortal carrying the engagement, finding, and delivery record beside it.
Thoropass fits GRC and compliance owners who want platform plus auditor on one bundle
If you are a GRC or compliance owner whose primary job is to keep SOC 2, ISO 27001, HIPAA, PCI DSS, HITRUST, NIST CSF, CMMC, GDPR, or SOX certifications in force, whose asset of record is the control catalogue, whose bottleneck is continuous evidence collection across cloud, identity, HR, MDM, and code surfaces, and who wants the same vendor to also conduct the audit, Thoropass was built for that shape. The buyer assumption is one platform with embedded auditor labour that owns the framework programme from evidence collection through the signed examination report.
SecPortal fits security teams that scan, find, report, and deliver
If you are an AppSec team, an internal security team, a product security team, a vulnerability management team, a penetration testing firm, an MSSP, or a security consultancy whose work covers scoped engagements, manual finding entry, external perimeter scanning, authenticated web testing, code scanning, AI-generated reporting, and branded delivery, SecPortal carries that lifecycle on one tenant. Findings, scans, retests, exception decisions, evidence, and the audit trail all live on the engagement record rather than scattered across a compliance automation console, a separate scanner stack, a separate report generator, and a separate portal.
Many security programmes run both side by side
A growing enterprise can keep Thoropass for the SOC 2 and ISO 27001 evidence automation plus the embedded auditor relationship that runs across cloud, identity, HR, MDM, and code surfaces and use SecPortal for the engagement record that holds scoped pentests, vulnerability assessments, AppSec code reviews, external attack surface programmes, and the findings the technical team produces. Thoropass surfaces the compliance posture to the auditor; the SecPortal client portal serves the technical findings, retest cycles, and report downloads to clients, business units, or internal stakeholders under your subdomain.
Where the evidence comes from in each platform
Thoropass and SecPortal both produce evidence an auditor or a buyer reads, but the evidence source is different. Thoropass reads integrations and routes the result to an embedded auditor. SecPortal runs scans, accepts manual finding entry, and holds the engagement record from kickoff to closure. The contrast matters when the auditor or the business unit asks for the technical security testing evidence behind a control, not just the configuration state of an organisational system.
Thoropass supplies control-level evidence and routes it to an embedded auditor
The Thoropass value proposition is that compliance evidence collection becomes a background process and the auditor sits on the same tenant rather than at the end of a separate procurement cycle. The platform connects to cloud accounts, identity providers, HR systems, MDM, and code repositories, runs continuous checks against the control catalogue, drafts policy and remediation copy, and renders the resulting evidence into the examination an embedded auditor signs. The right question is not whether that evidence layer is useful (it is), but whether it covers the technical security testing record that drives findings, retests, and remediation conversations on a scoped engagement.
SecPortal supplies finding-level evidence from the engagement record
The SecPortal value proposition is that the technical security work has a single record that walks from the scoped engagement to the scan, to the finding, to the exception decision, to the retest, to the report, and to the closure event. CVSS 3.1 vectors, severity, evidence, owner, remediation status, retest pairing, and exception rationale all sit on the same record. When an auditor (whether embedded in Thoropass or independent) reads the security testing evidence for an observation period, the record reconstructs itself rather than getting reassembled from chat threads and ad hoc PDFs.
Where SecPortal sits next to Thoropass rather than inside the same category
SecPortal is not a compliance automation platform, does not provide audit-as-a-service, and does not pretend to replace either. SecPortal sits next to a compliance automation platform as the security testing and delivery workspace where scoped pentest findings, manual reviewer findings, external perimeter scan output, authenticated web DAST output, SAST and SCA output from connected repositories, AI-generated reports, the exception register, and the branded client portal all live on one tenant. If Thoropass is the right answer for the control-evidence layer plus the auditor relationship, the security testing workspace is still the right answer for the engagement, finding, and delivery work that sits beside it.
Thoropass AI vs SecPortal AI report generation: two different AI surfaces
Thoropass markets its in-product AI as the assistant that accelerates compliance work through policy drafting and control-narrative copy. SecPortal has its own AI surface, but at a different layer: AI report generation against the live findings record on a scoped engagement. Both surfaces use generative AI; they consume different inputs and produce different deliverables for different stakeholders.
Thoropass AI accelerates policy and control-narrative copy on the framework record
The AI surface inside Thoropass is built to make compliance work less manual: it drafts policy language, summarises evidence against the control, accelerates control mapping across the framework footprint, and writes audit-ready narrative for the GRC or compliance owner. The unit of input is the control catalogue and the integration-sourced evidence. The unit of output is policy text, control-remediation language, and audit narrative for the auditor reading the examination.
SecPortal AI report generation drafts engagement deliverables from the findings record
SecPortal AI report generation runs Claude against the live findings record on a scoped engagement. The unit of input is the engagement, the findings, the CVSS vectors, the evidence files, the owner, the remediation status, and the retest state. The unit of output is the executive summary, the technical findings section, and the remediation roadmap a client, application owner, or auditor reads at the end of an assessment.
The two AI surfaces observe different layers of the same programme
The Thoropass AI tells the GRC owner what the framework expects and how to phrase the policy and remediation evidence. SecPortal AI report generation tells the security team and the receiving stakeholder what the technical assessment found, why it matters, and how to fix it on a defined timeline. Both feed the audit observation period: the Thoropass AI helps the compliance owner present the control posture; SecPortal AI reports give the auditor or business owner the underlying technical evidence behind the control claim.
How findings, scans, and reports get into each platform
Thoropass is downstream of the security testing programme: the platform reads control evidence from cloud, identity, HR, MDM, and code integrations, surfaces the resulting compliance state, and routes that state into the audit examination. The scanning, the manual pentest finding, and the narrative report happen elsewhere. SecPortal runs scanning, finding entry, and reporting inside the same workspace as the engagement.
The external scanning feature runs 16 modules covering SSL, headers, DNS, ports, subdomains, technology fingerprinting, and CVE correlation. The authenticated scanning feature adds DAST behind stored credentials so issues that only surface inside an authenticated session do not slip past anonymous testing. The code scanning feature runs Semgrep-powered SAST and dependency analysis against repositories connected by OAuth from GitHub, GitLab, or Bitbucket. The findings management feature holds the consolidated record with CVSS 3.1 scoring, evidence, owner, and remediation status. The AI reports feature drafts the executive and technical narratives the client or auditor receives.
Transparent pricing, no procurement cycle
SecPortal pricing is published on the website and self-service from sign-up. There is no annual contract floor on the Pro or Team tiers, no per-employee licensing model, no bundled audit-labour line item, and no sales call required before you can run a real engagement.
| Plan | Price | Includes |
|---|---|---|
| SecPortal Free | Free forever | 1 user, 3 clients, 2 engagements per client, 3 AI credits, 6 core scan modules |
| SecPortal Pro | From $149/month | All scan modules, 100 clients, 25 AI credits/month, branded client portal, invoicing, compliance tracking |
| SecPortal Team | From $299/month | Up to 5 users, 75 AI credits/month, team management, activity audit trail with CSV export, MFA enforcement |
Why security teams pick SecPortal alongside or instead of Thoropass
- Run scoped engagements with a kickoff, deliverables, retests, and a final invoice on one record rather than a continuous control-evidence pull bundled with auditor labour
- Scan the perimeter with 16 external modules, run authenticated DAST against logged-in applications, and run SAST plus dependency analysis on connected repositories from inside the workspace
- Generate executive, technical, and remediation deliverables with Claude from the live findings record rather than control-remediation copy from a policy template
- Enter manual findings from a tester, reviewer, or third-party report into the same record the scanners feed
- Deliver findings through a branded client portal on a tenant subdomain instead of an auditor-facing examination workspace under a vendor-hosted domain
- Pair every retest to the original finding so the closure record holds up under audit
- Document CVSS, severity, evidence, owner, remediation status, and exception rationale on the engagement record so prioritisation is defensible to a board, an auditor, or an application owner
- Capture the exception register on the same record as the finding with linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, and review cadence
- Map findings across 21 framework templates including OWASP, OWASP ASVS, OWASP MASVS, OWASP API Security Top 10, ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST 800-171, FedRAMP, MITRE ATT&CK, DORA, NIS2, CIS Controls, and Essential Eight
- Store privileged scan credentials encrypted at rest with AES-256-GCM and rotate them through the in-product credential vault
- Invoice clients or business units directly from the engagement record through Stripe Connect
- Start on the free plan and upgrade without an employee-count audit, a framework-count audit, or a sales call for the higher tier
Related reading
If you are evaluating how to run an in-house security testing programme alongside or instead of a compliance automation and audit-as-a-service platform, the pages below cover the workflows, signals, and adjacent comparisons that come up most often.
- SecPortal for GRC and compliance teams for the audience page that lays out findings management, control mapping, exception register, and audit-ready reporting on one workspace.
- SecPortal for internal security teams for the in-house security team view of running vulnerability assessments, AppSec testing, and compliance audits across business units.
- Compliance audits workflow for the engagement-side workflow that walks controls, evidence, gaps, exceptions, and the auditor-facing pack.
- Control gap remediation workflow for closing audit findings between assessments rather than reopening them at the next observation period.
- Audit fieldwork evidence request fulfillment for the workflow that pairs evidence requests during fieldwork to the underlying engagement record SecPortal holds.
- Audit evidence retention and disposal for the retention discipline that keeps the engagement-side evidence the compliance platform points at intact across cycles.
- Vulnerability acceptance and exception management for the eight-field decision chain SecPortal captures on the same record as the finding the exception covers.
- Customer security evidence room for the upstream evidence-packaging workflow that pairs with a trust-page exposure model.
- Control mapping cross-framework crosswalks for the discipline that keeps a finding mapped to the right control across SOC 2, ISO 27001, and the other framework catalogues.
- Compliance tracking feature for the in-product feature that maps findings across 21 framework templates.
- Security compliance automation guide for the long-form view of how compliance automation, security testing, and the engagement record fit together across SOC 2, ISO 27001, PCI DSS, and NIST.
- SOC 2 compliance guide for startups for the framework-specific deep dive on what SOC 2 actually expects and how the technical security testing record feeds the audit pack.
- ISO 27001 audit checklist for the Annex A control walkthrough and the evidence pack that auditors read against the observation period.
- Audit evidence half-life research for the deeper analysis of why control evidence ages between audit cycles and how to keep currency reproducible.
- SOC 2 framework page for the Trust Services Criteria mapping the audit-side stakeholders read against the programme.
- ISO 27001 framework page for the Annex A control set and the certification cycle SecPortal supports as the technical-evidence layer.
When the work is scanning, finding, reporting, and delivering, not compliance automation bundled with audit labour
Run scoped engagements, generate AI reports, and ship findings through a branded portal on one workspace. The compliance audit platform sits alongside, not above. Start free.