Hacker News | 946789987649's comments

For me personally, it's certainly been an iterative process. I like to think of focus as any other habit that I want to form, so from that:

- Schedule time for it

- Understand that I will have slip ups and that's okay

- Make it hard to do the bad things (in this case, I have domain blockers to stop me redditing, I move my phone to another room etc.)

- Make it enjoyable. For me it's finding a particular energetic DJ set and just bopping along while I do the focused work.

And so on.


Iterative process is exactly how I would describe it. Formulate, try, readjust, ad infinitum / until you find a good-enough state.

What's the USP over something like Vanta/Drata (aside from the cost being much lower currently)?


The big difference is context-awareness. Vanta/Drata give you templates and checklists. Humadroid starts by understanding your company - what you actually do, how you operate, your tech stack.

From there, the AI generates policies that are yours, not generic docs with [COMPANY NAME] placeholders. Same with control descriptions - they're specific and actionable for your setup, not "implement access control" with no context. It also identifies risks based on what you actually do and helps build business continuity plans around your real critical processes.

You still review everything (it's compliance, not magic), but you're editing 80% done work instead of staring at a blank template wondering where to start.

The price difference is real too, but honestly that's a side effect of being early and solo - not the core value prop.


Gotcha. And then how does that translate into the audit process? Because Vanta/Drata have auditors they work with regularly, there's a bit of an incentive on both sides to use these templates because then it speeds up that part tremendously. I can't imagine the auditors being happy about really diving into hyper bespoke documents for every audit.

Your product seems great for actually doing the spirit of these frameworks (reducing risk, improving controls and processes etc.). However from what I've seen the reality of these audits is it's a box ticking exercise for everyone involved, and so improving the efficiency there tends to be the goal. How do you position yourself in that?

Also hope this doesn't come off too critical, it's just something I've been through recently and love seeing new things! I'd definitely add a vanta/drata comparison to your website though as that is inevitable.


Honestly, great questions - this is either good exercise for me or actionable feedback. Both valuable.

Right now I recommend auditors but don't have formal partnerships. Vanta/Drata's auditor relationships are... let's say on the edge of conflicted? I don't want to go that route. And at $250/month I can't play the referral game anyway (Vanta pays hundreds per referral - that math doesn't work for me).

What I can do is democratize access. I've watched too many small teams get excited about SOC 2, then ghost once they see the total cost - $15k+ for the platform, $20k+ for consultants, $15k+ for auditors. I want the barrier low enough that smaller businesses can actually get certified and compete with bigger players.

On the checkbox vs. real security thing - you're right, it's tricky. I don't want to be another "generate docs, tick boxes, forget until next audit" platform. But targeting smaller businesses actually helps here - when you're a 10-person company, management is in the compliance process, not just signing off on someone else's work. It tends to stick better.

That said, sometimes I wonder if I help too much. My System Description assistant is almost unfair - what used to take weeks now takes minutes. Is that checkbox-enabling or democratizing? Genuinely not sure.

And yes - "vs Vanta/Drata" pages are going on the list. You're not the first to ask.


If you have no real traffic, what complex things are you doing that even require such tools?


I'm astonished how many people have a) constant production access on their machine and b) allow a non-deterministic process access to it


Their problem was that they didn't look like normal sunglasses, so people were immediately intrigued/suspicious of them. Although these have the little light if you're recording, the number of Instagram videos where creators are using these and the random people they're directly talking to don't notice should tell you all.

The rise of smart accessories (especially watches) should tell you that a lot of people don't want to disconnect


If you use something like an OpenAPI generator and want to have different DTOs in your version 2, then you cannot do what you suggested.


I've been using OpenAPI for years with multiple versioning types (header based, content negotiation + media type based) and haven't had issues across Java, TypeScript or Go with generating the right code for it.


You can specify multiple media types in OpenAPI.
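The media-type-based versioning the two comments above describe, as an added example that is not from any commenter: one operation whose 200 response carries two media types, each bound to its own schema, so a generator emits a distinct DTO per version. The API name, paths, vendor media types and schema fields are constructed for illustration.

```yaml
# Constructed example: one path, two DTOs selected by the Accept header.
openapi: 3.0.3
info:
  title: Example Orders API
  version: "2.0.0"
paths:
  /orders/{id}:
    get:
      operationId: getOrder
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
      responses:
        "200":
          description: Order, shape chosen by the client's Accept header
          content:
            application/vnd.example.v1+json:
              schema:
                $ref: "#/components/schemas/OrderV1"
            application/vnd.example.v2+json:
              schema:
                $ref: "#/components/schemas/OrderV2"
        "406":
          description: Accept header names a version this operation does not serve
components:
  schemas:
    OrderV1:
      type: object
      required: [id, total]
      properties:
        id: { type: string }
        total: { type: number }   # v1: bare floating-point amount
    OrderV2:
      type: object
      required: [id, total]
      properties:
        id: { type: string }
        total:                    # v2: explicit currency, integer minor units
          $ref: "#/components/schemas/Money"
    Money:
      type: object
      required: [amount, currency]
      properties:
        amount: { type: integer }
        currency: { type: string, pattern: "^[A-Z]{3}$" }
```

A generator produces both OrderV1 and OrderV2 types from this single operation; declaring the 406 response makes explicit that an unlisted Accept value is rejected rather than silently served a default version.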


In this case it's not about being able to use the product at all, but the joy from using an incredibly fast and responsive product, which therefore you want to use local-first.


When I was at university, I went to a talk from a security researcher who found this was the case with credit cards.


I didn't know places still had quarterly releases. That seems like the one to resolve rather than a mono repo.


Android is only recently switching to quarterly releases instead of yearly. Most popular Linux distros only have major releases every 6 months. While Chrome cuts a release branch every 4 weeks, it soaks it in a beta channel for another 4. Same goes for the Rust compiler toolchain, albeit on a 6 week cadence.


It’s more common than you think if you expand your view of release a bit. On the one hand you very much still have shrink-wrap software (for example, all firmware) that ships on a very slow cadence.

On the other hand even the big tech companies will only expose code paths very slowly and very conservatively. Meta’s Threads.app for example combined both a constant churn of innovation on master with a very measured gating of new features shipping to the public.

The best teams do indeed, as you say, ship and test finished builds on a weekly or daily basis even if the stuff that gets under the customers’ / users’ / clients’ noses appears on a far less regular basis. After all, any kind of severe bug could necessitate a release at any moment.


Not all the world is a web site or even internet connected. Not all the world has no safety concerns.

If you work in medical or aviation areas every release legally needs extensive (months of) testing before you can release. If there are issues found in that testing you start over. Not all tests can be automated.

I work in agriculture. The entire month of July there will be nobody in the world using a planter or any of the software on it. There is no point in a release then. The lack of users means we cannot use automated rollback if the change somehow fails for customers; we could, but it would be months of changes rolled back when Brasil starts planting season.


Every company that uses SAFe agile has quarterly, or bi-quarterly, releases [1].

[1] https://www.servicenow.com/docs/bundle/yokohama-it-business-...


Yeah, agreed. Does anyone really care for $4/month?

