About Us

Built by security auditors who were tired of “paper programs.”

Our Mission

Make enterprise-grade security and audit readiness achievable for mid-market organizations. We believe you shouldn’t need a Fortune 100 budget—or a floor full of security engineers—to:

  • Know which systems handle your most sensitive data
  • Control who has access and why
  • Map policies to controls
  • Explain your security posture clearly to auditors, regulators, and your own board

Our job is to make that simple to see, simple to act on, and simple to prove.

Our Stats

10+ Years in Business
200+ Audits

Our Story

Virtual Auditor was founded in 2013 by Thomas Barker, a security auditor and technologist based in Champaign, Illinois.

For years, Tom and his team helped banks and healthcare organizations get through audits the hard way:

  • Rebuilding application inventories from scratch
  • Chasing access lists in email
  • Reverse-engineering who touched which data from incomplete logs
  • Producing thick, one-time reports that were out of date as soon as they were printed

The pattern was always the same:

The organizations weren't failing because they didn't care.

They were failing because they couldn't see their environment clearly enough to prove what was happening.

Virtual Auditor was created to solve that problem.

What started as a specialized security consultancy—advising on ransomware readiness, 23 NYCRR 500 compliance, and high-profile events like the Equifax-era regulatory changes—evolved into a full software platform. (MarketScreener)

Today, Virtual Auditor combines:

  • Proprietary software deployed in your environment
  • Seasoned audit and security expertise
  • A repeatable operating rhythm for risk, compliance, and evidence

…so mid-size banks, health systems, and other regulated organizations can run a credible, defensible security program without hiring a dozen specialists.

How We Work

Auditor-first Design

We design tools and reports around the questions auditors, regulators, and examiners actually ask—because that’s our background.

On-prem or private cloud

We deploy inside your data center or private cloud/VPC, so your telemetry and evidence remain under your control.

Framework-aware by default

We speak HIPAA, PCI DSS 4.0, NIST CSF 2.0, ISO 27001, SOC 2, and NYDFS 23 NYCRR 500, and align our findings to those expectations from day one.

Partnership, not just Tooling

We stay engaged through regular reviews, remediation planning, and audit prep—not just deployment day.