Compliance for the cloud: How Shellkode closed the compliance loop and raced through security audits
Shellkode, a modern IT services solution provider, is on a mission to help organizations effectively transition from legacy IT to cloud-native environments. The company focuses on building enterprise-grade cloud solutions to solve complex IT challenges and help organizations leverage data analytics to make smarter decisions. Shellkode is also a premium AWS partner and a key player in the Generative AI services segment in India.
Key requirements
A compliance solution to fast-track ISO 27001 and SOC 2 audits while also building a compliance baseline to continuously track compliance health and remediate gaps
Sprinto solution
A comprehensive compliance automation platform with pre-built security programs, controls, and policies to jumpstart audit preparation and monitor controls 24/7
Frameworks: SOC 2, ISO 27001
Location: India
24 hours to validate ISO controls and close gaps
<7 days to complete the SOC 2 Type 1 audit
98% less infosec effort to achieve compliance
The Challenge: Transforming cloud competency into a strong compliance posture
The need for ISO 27001 and security compliance arose when Shellkode began fielding regulated companies that demanded a cloud audit to ensure security benchmarks were met and upheld.
Compliance was also a crucial ingredient for Shellkode’s planned growth trajectory – provable security was a major springboard for the company’s plans to expand to new geographies and a strong base for building effective security guardrails around increasing headcount.
Initially, Shellkode engaged an ISO auditor from the founders’ professional network for the task. However, after the auditor sent them a sizable document with around 400 questions on everything from the nature of risk assessment to the status of various controls, the new-to-compliance founding team felt like they had hit a wall.
“We’re a busy team; the founding team especially travels a lot for client meetings. With all these constraints, we were told we’d need at least three months to prepare for our ISO 27001 audit. But we wanted an accelerated way to do compliance,” says Bhuvanesh R, CTO at Shellkode.
Next, Shellkode got in touch with a Sprinto partner, who gave them a brief self-assessment quiz based on how the platform manages compliance to help estimate their readiness for ISO 27001 and SOC 2 audits.
Shellkode exhibited good security practices with a 94% score on the quiz, but required some fine-tuning to align with and achieve compliance with these two standards.
“After looking at the questionnaire results, we asked our partner how long it would take us to become audit-ready. When they said 10 days, we laughed, but we were also intrigued.”
With this vote of confidence, Shellkode’s team began working to close that 6% gap.
“The things that needed fixing were few and far between. For example, MFA wasn’t enabled on a few systems, and our BGV documentation wasn’t well organized. It took us just 5 hours in total to close these gaps internally,” Bhuvanesh recalls.
Once this pre-onboarding phase was through, the partner gave them a live demo of Sprinto.
The first thing Shellkode noticed was that Sprinto, being an integration-led platform, could instantly automate a large chunk of their compliance tasks, enabling the velocity they were looking for.
The clincher, however, was Sprinto’s ability to efficiently prove security best practices by automatically validating controls and collecting audit-grade evidence.
We were impressed with how Sprinto served as a source of truth by structuring compliance and automating evidence collection. At first, we couldn’t believe that a platform could do all this!
The Solution: Bringing accountability into compliance
Shellkode already had healthy cloud configurations and security best practices in place and had put in the effort to close security gaps, allowing them to hit the ground running with Sprinto.
In terms of integrations, automation, and tracking, we’ve never seen anything like this!
Shellkode raced to audits over three brief phases on Sprinto.
Phase 1: Connecting the dots with integrations and policies
Sprinto’s native support for all the cloud systems used by Shellkode made it simple and quick for the company to bring their [technical and tactical] assets onto Sprinto for control mapping and monitoring. Shellkode also created an easily manageable policy system by formalizing internal Disaster Recovery and Incident Management policies using Sprinto’s built-in templates.
To strengthen security on the people front, Shellkode used Sprinto’s control-linked policy campaign capabilities to conduct policy acknowledgments, ensuring comprehensive tracking and clear audit logs.
They also breezed through necessary security training in a day by splitting their team into four groups and synchronously going through Sprinto’s in-built training modules over group calls.
Phase 2: Tracking compliance progress in real-time
Once Shellkode was plugged into Sprinto, the parent-child hierarchy in the platform’s information architecture produced a vivid, real-time picture of the company’s compliance status on the dashboard, clearly detailing each control’s status, owner, and pending tasks.
Sprinto’s always-on compliance tracking helped the team continuously monitor control health to ensure they could catch compliance drift in time, avoid delays, and get to audits faster.
Phase 3: Raising the bar with automated tracking and evidence collection
Using Sprinto’s integrations to map assets, Shellkode was able to automate over 95% of control tracking, validation, and evidence collection. Given Shellkode’s cloud-only operating environment, Sprinto’s responsive integrations and automated workflows could validate controls accurately and quickly, collecting time-stamped, auditor-grade evidence of passing controls with each check.
In case of failing checks, Sprinto sent out context-rich, time-bound notifications to the control owners, creating accountability and clarity of expectation, and prompting on-time remediation.
This reduced infosec effort for audit prep from the suggested 30 days to a little over 14 hours, accelerating Shellkode’s ISO 27001 and SOC 2 Type 1 audits.
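The kind of continuous control check described in this phase, as an added illustration that is neither Sprinto’s code nor Shellkode’s: it evaluates an “MFA enforced on every account” control (the gap Shellkode mentioned earlier) over a constructed account inventory, records a time-stamped evidence entry per system whether the check passes or fails, and raises a time-bound notification to the control owner only where accounts lack MFA. The account records, owner mapping, field names and the seven-day remediation window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed account inventory standing in for what an identity integration would
# return; field names are assumptions, not any vendor's schema.
ACCOUNTS = [
    {"system": "aws-prod", "user": "alice", "mfa_enabled": True},
    {"system": "aws-prod", "user": "bob", "mfa_enabled": False},
    {"system": "github-org", "user": "carol", "mfa_enabled": True},
    {"system": "github-org", "user": "dave", "mfa_enabled": True},
]
# Constructed mapping of each system to the control owner who receives the remediation notice.
CONTROL_OWNERS = {"aws-prod": "cto@example.com", "github-org": "platform-lead@example.com"}

@dataclass
class Evidence:          # one time-stamped record per system per check run
    control: str
    system: str
    passed: bool
    checked_at: str
    detail: str

@dataclass
class Notification:      # time-bound remediation notice for a failing control
    owner: str
    control: str
    system: str
    failing_users: list
    due_by: str

def check_mfa_control(accounts, owners, now=None, remediation_window=timedelta(days=7)):
    """Evaluate 'MFA enforced on every account' per system.
    Returns (evidence, notifications): evidence for every system, passing or not,
    and a notification only for systems that have accounts lacking MFA."""
    now = now or datetime.now(timezone.utc)
    stamp = now.isoformat()
    failing = {}
    for a in accounts:
        if not a["mfa_enabled"]:
            failing.setdefault(a["system"], []).append(a["user"])
    evidence, notifications = [], []
    for system in sorted({a["system"] for a in accounts}):
        users = failing.get(system, [])
        passed = not users
        detail = "all accounts have MFA" if passed else "MFA missing: " + ", ".join(users)
        evidence.append(Evidence("mfa-enforced", system, passed, stamp, detail))
        if not passed:
            notifications.append(Notification(owners[system], "mfa-enforced", system,
                                              users, (now + remediation_window).isoformat()))
    return evidence, notifications
```

Running the check on the constructed inventory yields two evidence records (aws-prod failing, github-org passing) and a single notification to the aws-prod owner listing the account without MFA.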
Initially we were under the impression that getting compliant was going to be a prolonged activity, requiring a lot of hands-on effort. Once we got onto Sprinto, that myth was dispelled pretty quickly.
In effect, Sprinto played the role of an accountability partner, making sure Shellkode kept doing the right things and hastening progress.
Compliance often becomes a guessing game—you don’t know what criteria you’ve fulfilled and what to do next. With Sprinto, you don’t have to run around to find answers. The platform makes everything clear-cut—you know exactly where you’re doing well and where you’re sliding.
The Results: Shorter audit timelines and cloud confidence
Shellkode settled on an auditor from three options provided by Sprinto on the second day after onboarding.
On the third day, they onboarded the auditor to the platform, providing access to a secure auditor dashboard for evidence review. Within three weeks, Shellkode was ISO 27001 certified.
Shellkode’s next audit, for the SOC 2 Type 1 framework, took only a third of the time, concluding with a clean report in just 7 days.
Apart from being an engine to speed up audits, Sprinto also played the role of a ‘compliance decoder’ for Shellkode. The platform provided actionable guidance on how to fulfill framework requirements, maintain compliance, and fast-track both SOC 2 and ISO audits.
As a result, Shellkode successfully expedited compliance with its chosen frameworks. The team swiftly established security guardrails to accommodate growth and engaged up-market clients confidently, armed with ready evidence of their cloud security measures.
Sprinto helped uncover a lot of things we were supposed to be doing. Now we’re able to answer clients confidently when they ask about our security.