SOC 2 is the report your enterprise customers ask for before they sign. We run the whole path — scoping, gap assessment, control implementation, evidence collection, and auditor coordination — so your engineers spend hours on it, not quarters.
Type 1 vs Type 2 (and which you need)
- Type 1: the auditor's opinion that your controls are suitably designed and in place as of a single date. Faster and cheaper, and often enough to unblock an early deal.
- Type 2: the auditor's opinion that those same controls operated effectively throughout an observation period (typically 3 to 12 months; a first report often uses the shorter end). It's what mature procurement teams actually want, because a Type 1 says nothing about whether a control ran on any day other than the as-of date.
- The pragmatic play for most companies: a Type 1 to unblock sales now, with the Type 2 observation window starting immediately after the Type 1 as-of date, on the same control set and evidence pipeline, so nothing gets redone.
How we run it
- Scoping and gap assessment: which Trust Services Criteria apply (Security is always in scope; Availability, Confidentiality, Processing Integrity and Privacy only when your service or your customers actually require them), what you already satisfy, and the shortest defensible path to audit-ready.
- Control implementation — policies and controls that fit how you actually operate, not a template stack that fails its first audit question.
- Evidence automation — we wire evidence collection into your existing tooling so the observation window runs itself instead of consuming your team.
- Auditor selection and coordination — we know the audit firms, what they charge, and how they differ; we manage the engagement through report delivery.
What it costs and how long it takes
- Readiness work is scoped by company complexity — a 20-person SaaS with one product is a different project than a multi-entity platform. Ranges on the pricing page.
- The audit itself is a separate fee paid to the licensed CPA firm that issues the report (only a CPA firm can sign a SOC 2): budget five figures, varying with scope, report type and auditor tier. We help you not overpay.
- Timeline: Type 1 readiness typically runs 6–12 weeks; Type 2 adds the observation window on top.
Where penetration testing fits
Most SOC 2 programs include an annual penetration test. The criteria don't name one, but it is the evidence auditors expect for vulnerability identification and remediation, and customers ask for it by name. Ours is AI-assisted, produces auditor-friendly reports, and comes with a client-shareable attestation letter.
Common questions
- Can we pass with our current stack? Almost certainly. SOC 2 rarely demands new tools, just existing ones configured correctly and evidenced. Strictly, there is no pass or fail: the auditor issues an opinion and lists any exceptions, and the goal is a clean opinion with none.
- SOC 2 or ISO 27001? Depends where your customers are. US-centric buyers ask for SOC 2; international enterprise asks for ISO 27001. The controls overlap heavily, so doing the second after the first is far cheaper than the first was.
- What about AI features we ship? Customers increasingly ask AI questions inside SOC 2 reviews (what data trains or reaches the model, who can access it, which vendors are involved). That is AI governance, and it maps onto the control set you already evidence: data handling, access control, vendor management and change management.