The compliance question that changed everything
The scene was a sales call in 2020. Aayush Ghosh Choudhury was pitching procurement software. The CTO on the other end liked the product. Then came the question that was starting to follow every enterprise conversation: "Are you SOC 2 compliant?"
He wasn't. The deal stalled. Then the next one stalled. And the next. Every time the conversation got to security questionnaires, the same operational chaos kicked in - scattered controls, external consultants charging by the hour, security spreadsheets that needed manual updates, and a compliance process that moved at the speed of paper. Not software.
Aayush had spent years at McKinsey watching organizations transform - or fail to. He'd built supply chain software at PandoCorp. He knew what friction looked like in enterprise systems. But nothing quite prepared him for the specific texture of compliance friction: the kind that doesn't just slow you down, it costs you signed contracts.
So the team built a workaround. An internal tool that automated evidence collection, mapped controls across frameworks, and turned months of compliance prep into weeks. They built it for themselves. Then they looked at what they'd built and asked: what if this was the product?
"Scrut wasn't the company we planned to build. It was the one we had to build."- Aayush Ghosh Choudhury, Co-Founder & CEO, Scrut Automation
In November 2021, Scrut Automation launched - born not from a whiteboard session about market opportunity, but from the specific frustration of watching deals die at the security questionnaire stage. The regulation-tech experiment Aayush had been running under the name Gomigo found its final form: a full-stack GRC platform for the companies that live in the cloud and need compliance to move at software speed.
IIT to ISB to McKinsey - and then the hard left turn
Aayush grew up with the technical grounding of an IIT Ropar engineering degree - the kind of institution where problem-solving isn't an aspiration, it's the curriculum. He followed that with the Indian School of Business, where the framing shifted from "how does this work" to "who buys this and why."
At McKinsey, he landed in restructuring and healthcare practices - two domains where the cost of getting things wrong is not abstract. Organizational transformation, at that level, means watching companies either adapt or dissolve. It gave Aayush an operational sensibility that few startup founders carry: the ability to see systems from the inside, read where they're failing, and redesign them without burning the whole thing down.
But consulting, ultimately, is advisory. The decisions belong to someone else. Aayush wanted to own the outcome. He joined PandoCorp, building supply chain management software in an era when supply chain visibility was just starting to matter at scale. Then came the compliance detour that turned into Scrut.
The pattern is consistent: Aayush moves toward operational complexity, not away from it. GRC is one of the most structurally difficult categories in enterprise software - every customer has different regulatory requirements, different cloud architectures, different risk tolerances. Legacy tools treated this complexity as a feature. Scrut treats it as the problem to solve.
The founding team - three angles on the same problem
Aayush brought the operator's eye - he'd lived the enterprise sales bottleneck. Jayesh Gadewar, CTO, had been shipping products since age 20; his instinct was to build the tool that frees engineers from compliance overhead entirely. Kush Kaushik had led 3,000+ audits across ISO, SOC 2, and PCI - he knew what auditors actually want to see, and could make sure Scrut's output passed muster with the people signing off on compliance certifications. The combination was deliberate: one founder who'd felt the pain, one who could build the system, and one who'd been on the other side of the audit table.
What Scrut actually does - and why the timing is right
Mid-market companies sit in an uncomfortable gap in the GRC market. Off-the-shelf compliance tools give you a one-size-fits-all framework that doesn't map cleanly to how your actual organization runs. Enterprise-grade tools come with year-long implementation timelines and feature sets you'll never touch. Aayush put it plainly in a 2024 press release: neither option fits, and both are expensive.
Scrut's answer is flexibility at scale. The platform automates evidence collection across 70+ integrations, maps controls across 30+ compliance frameworks simultaneously, and provides continuous monitoring so companies know their compliance posture in real time rather than in quarterly audit snapshots. A control that satisfies SOC 2 can automatically map to ISO 27001 or GDPR requirements - instead of rebuilding the evidence pile for each framework from scratch.
The platform now handles SOC 2, ISO 27001, HIPAA, CCPA, PCI DSS, GDPR, and custom frameworks. The 2024 growth capital went toward two things: generative AI integration to automate the manual workflows that still require human attention, and expansion into North American and European markets where regulatory pressure is intensifying.
"Mid-market organizations have limited options. They can buy off-the-shelf compliance automation tools that offer a one-size-fits-all approach to compliance, disconnected from the organizational risks; or invest in expensive enterprise-grade tools with year-long implementation and underutilized features."- Aayush Ghosh Choudhury, Scrut Automation Press Release, April 2024
The growth metrics suggest the gap Scrut identified is real and large. 350% year-over-year expansion. 800+ customers across regulated industries. G2 recognition as fastest-growing and highest-satisfaction product in security compliance in 2024. LinkedIn's Top 20 Startups list. Gartner flagging the company as a key player. None of this happened because compliance got less important - the opposite is true. Every new privacy regulation, every cloud breach, every enterprise procurement audit makes the market Scrut serves larger.
$20.5M and the investors who bet on GRC automation
Scrut's investor base reads like a considered thesis about where enterprise compliance is heading. Lightspeed - the firm that backed Snapchat, Affirm, and Nutanix - led the Series A alongside MassMutual Ventures, the strategic arm of a 170-year-old insurance company that understands regulated industries from the inside. Endiya Partners, the India-focused fund that has consistently backed cloud-native B2B companies, has been with Scrut since the beginning.
The April 2024 round closed at $10 million in growth capital, bringing the total to $20.5 million. The immediate priorities: generative AI to reduce the manual overhead that remains in GRC workflows, and a push into North American and European enterprise accounts where compliance requirements are both stricter and better resourced.
- Lightspeed Ventures: Series A co-lead. One of the most active global VCs with a track record in enterprise SaaS and cloud-native companies.
- MassMutual Ventures: Series A co-lead. Strategic arm of a 170-year-old financial institution - brings domain credibility in regulated industries.
- Endiya Partners: Backed Scrut from the seed stage. India-focused B2B SaaS investor with deep expertise in cloud-native enterprise software.
The way Aayush thinks about the problem
"I built Scrut so engineers like me never lose sleep over screenshots."
"Compliance without context is just paperwork. Our job is to change that."
"A core USP for Scrut is offering an extremely high degree of flexibility in creating GRC programs that fits closely with the customer's environment."
"We'll keep our heads down, work hard, and continue to listen to our customers."
"The conversation needs to be transparent, authentic, and vulnerable."
"We're a team that is expanding rapidly, but still manages to be close-knit."
The operator who builds what he couldn't find
GRC has long been a category populated by consultants who became software vendors - people who understood compliance deeply but built tools that looked like compliance: heavy, auditor-designed, and process-oriented. Aayush came from the other direction. He was a buyer before he was a builder.
That shift in vantage point shapes how Scrut is designed. The company's stated goal - to make GRC "frictionless and delightful" - sounds like standard startup marketing until you sit with the second word. Delightful. In a category where the defining emotion has historically been dread. The ambition is to completely reframe the relationship between a company and its compliance program.
Aayush talks about advisory relationships the way serious operators do: "The conversation needs to be transparent, authentic, and vulnerable." He describes the Scrut team as "expanding rapidly, but still manages to be close-knit." These aren't throwaway lines from a press release. They're signals about management style: the belief that fast growth and strong culture are not in tension.
He is a regular contributor to industry publications on GRC trends, writes on the intersection of generative AI and compliance workflows, and speaks at industry conferences as a recognized thought leader in security governance. For a founder whose entire product thesis is about removing friction, Aayush spends a lot of time explaining why the friction existed in the first place - and why the current moment, with AI capabilities finally mature enough to handle the unstructured complexity of compliance evidence, is the right time to eliminate it.
From Bharat Petroleum to Silicon Valley
What the scoreboard looks like
- Built Scrut Automation from 3 founders to 120+ employees across three continents in under three years
- Reached 800+ global customers in regulated industries including financial services, healthcare, and cloud-native SaaS
- 350% year-over-year growth in company expansion
- Raised $20.5M total from Lightspeed, MassMutual Ventures, and Endiya Partners
- Named one of LinkedIn's Top 20 Startups in 2024
- G2 recognition: Best Security Products, Highest Satisfaction Products, and Fastest Growing Products (2024)
- Recognized by Gartner as a key player in the GRC platform space
- Platform covers 30+ compliance frameworks with 70+ product integrations
- Automates 70%+ of compliance controls, turning months of manual work into days
- Featured in Forbes India Tech Conversations podcast; regular speaker at GRC industry conferences
Aayush on Infosec Compliance
Qonversations interview: Aayush Choudhury discusses the state of infosec compliance, how Scrut approaches the problem, and where GRC is heading.