The SOC 2 Guide

Quickly figure out what you need and how much it will cost.

This is a completely open source quick guide that focuses on comparing the available options.

We are SOC auditor agnostic. If you find something out of date, create an issue or make an update.

The FYI

You already did the hard work of securing your technology, so getting the attestation proving it should be easy. But it still isn't.

Gap Analysis

Figure out where you are at versus where you should be. And then you can use this to know what automation to run.

Security Automation

Update your policies and infrastructure to fill in these gaps. Use the automation to ensure your technical policies are being followed.

Attestation

Ask an auditor to sign off on your policies and infrastructure automation by giving you a badge and a report.

That's it, pretty simple right?

So what is SOC 2 really?

SOC 2 is a marketing and sales tool that allows you to put a rubber stamp on your website. SOC 2 implies nothing about security. Done correctly, there can be value in it for you. But please don't mistake having a SOC 2 badge for being secure.

At completion you will have:

  • Policy set: You have written your own policies. And then you ask the auditor to validate that you are following them.

  • A compliance report: a report you can provide to your customers; it includes all the details of your policies for anything in scope.

  • An attestation icon and URL: additionally you'll get a link to put on your website. This proves they did the audit.

You define your policies. You determine what is in scope or not. What you include will be audited and then appear in your report.
Since the policies are up to you, the SOC 2 audit is a commodity, so any licensed auditor works the same.

Automation platforms are not required, but your auditor may require that you use one. The collection of evidence for following policies can be challenging. Many auditors require you to manually upload screenshots that prove you are following your policies. These platforms exist to automatically collect evidence from your cloud providers and integrated third party tools.

For platforms that also perform the audit, you must pay both the automation platform cost and the audit cost. In some cases you might be able to mix and match; in other cases it will be a packaged deal, depending on the provider.
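To make concrete what "automatically collect evidence" means, here is an added example (not part of this guide and not code from any of the platforms below) of a minimal evidence collector. It takes the CSV that `aws iam get-credential-report` returns (base64-decoded), applies the policy "every principal that can log in to the console has MFA enabled", and emits a dated, hashed evidence record that can be attached to a control instead of a screenshot. The control id, the account id and the report rows are constructed sample values.

```python
"""Minimal SOC 2 evidence collector for an "MFA on all console users" control.

Added example, not from the SOC 2 Guide or any vendor. The sample report below is
constructed; real credential reports use the same column names (plus more columns,
which DictReader simply ignores).
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample credential report for a placeholder account 123456789012.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-05-04T12:00:00+00:00,true,2024-03-02T08:00:00+00:00,2024-01-15T09:00:00+00:00,2024-04-14T09:00:00+00:00,true,true,2024-01-15T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-07-19T12:00:00+00:00,true,2024-02-28T08:00:00+00:00,2023-11-01T09:00:00+00:00,2024-01-30T09:00:00+00:00,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-02-10T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-02-10T12:00:00+00:00,false,N/A
"""


def evaluate_mfa_policy(report_csv: str) -> list:
    """Apply the policy to every row of the credential report.

    API-only users (no console password) are reported as not applicable rather
    than dropped, so the evidence shows the auditor they were considered.
    """
    results = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        # The root account always has a console login even though the report
        # marks its password_enabled column as "not_supported".
        console_login = is_root or row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        results.append({
            "user": row["user"],
            "arn": row["arn"],
            "applicable": console_login,
            "compliant": has_mfa if console_login else None,
        })
    return results


def build_evidence(report_csv: str, collected_at=None) -> dict:
    """Wrap the evaluation in a dated, hashed record an auditor can file."""
    if collected_at is None:
        collected_at = datetime.now(timezone.utc)
    results = evaluate_mfa_policy(report_csv)
    failing = [r["user"] for r in results if r["applicable"] and not r["compliant"]]
    return {
        "control": "IAM-MFA-01",  # hypothetical control id from your own policy set
        "collected_at": collected_at.isoformat(),
        "source": "aws iam get-credential-report",
        # Hash of the raw input so the record can be tied back to what was collected.
        "source_sha256": hashlib.sha256(report_csv.encode()).hexdigest(),
        "status": "fail" if failing else "pass",
        "non_compliant_users": failing,
        "results": results,
    }


if __name__ == "__main__":
    print(json.dumps(build_evidence(SAMPLE_CREDENTIAL_REPORT), indent=2))
```

Run on the sample data, the record comes back with status "fail" and names bob as the only non-compliant user; scheduling this daily and storing the JSON is the whole trick the platforms sell, just with many more controls and integrations.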

Cost pricing amounts are per year.

Company | Total Cost (per year) | Automation Platform Cost | Also Performs Audit | Additional Audit Cost | Total integrations | Note
--- | --- | --- | --- | --- | --- | ---
Akitra | | | | | |
A-LIGN (A-SCEND) | ~ €26.8k | €5.8k | | + €21k | | Very unresponsive (multiple months with no response)
anecdotes | $50k + Audit | $50k | | | |
AWS Audit Manager | Usage Based + $8k Audit | USAGE | | | | Does any auditor accept evidence from AWS? $1.25 / 1k resources
Drata | $15k + Audit | $15k | | | 100+ | Forward focused on being agile.
Probo | Infra + $8k Audit | INFRA | Contracted Partners | + $8k | | Self hosted. Some third party auditors supported.
RealCISO | ~ $30k | $6k | Contracted Partners | + $24k | 10 | Only works with Bonadio CPA.
risk3sixty | | | | | |
Scrut | | | | | |
Scytale | | | | | |
Secureframe | ~ $14k | $7.5k | | + $6.5k | 100+ | Provides an in house audit or works with third party auditors. Includes automated answers to vendor questionnaires.
Sprinto | ~ $9k | $7k | Contracted Partners | + $2k+ | 200+ | Aggressive Marketing
Thoropass (Laika) | ~ $12k | $7k | | + $5k | | Audit only done in house.
TrustCloud (Kintent) | Free + $8k Audit | Free | | | 10 | Improving UX.
Trustero | | | | | 10 | Can be difficult to work with.
Tugboat (onetrust) | | | | | | Verify limited platform
Vanta | ~ $25k | $15k | Contracted Partners | + $10k | 1000+ | Has list of Audit Partners, and always charges a fixed price. However generally considered expensive.

There are many auditors; this is only a short list, limited to those that work with one of the Automation Platforms. Auditors are the only ones that grant you the SOC 2 certification, and they may or may not require that you use an Automation Platform to complete your audit.

Company | Total Cost (per year) | Automation Platform (included in price) | Note
--- | --- | --- | ---
Prescient Assurance | $8k | | Works with TrustCloud.
Thoropass (Laika) | $12k | | Includes the cost of an automation platform.

Pen testing is not required for many certifications, so it can be avoided unless you are interested in security rather than just compliance. If you are considering a pen test, or are required to have one completed, an important step is knowing what you should be asking for in a Request for Information from your potential pen tester. Some helpful guidance straight from one company is available in this white paper.

Not all security vendors offer the same services: some of them only offer vulnerability scans, while others offer manual exploratory testing.
To understand more about what you may need, please review the Buying Security Guide by TL;DR Sec.

The prices below are for a medium-sized application service for a single product.

Company | Total Cost (per test) | Supported Testing Methodologies | Infrastructure Pen Tests | Application Pen Tests | Note
--- | --- | --- | --- | --- | ---
Atredis | | | | |
Bishop Fox | | | | |
BSK Security | $4.5k+ | | | | Boutique pen testing shop. Very responsive.
Cobalt | ~$15k | OWASP ASVS, OSSTMM | | | Free retests within 6 months. Toxic marketing strategies.
Cure53 | | | | | Technically savvy and responsive.
Doyensec | | | | | Retests are additional cost.
Foothold Security | €5k ~ €8k | OWASP ASVS, OSSTMM, PTES | | | Free retests within 90 days. Trainings available.
GlitchSecure | $10k | | | | Free retests within 12 months
IncludeSec | $10k+ | | | | Free retests within 12 months
IOActive | | | | |
Kobalt | $32.5k | | | | Retests cost 20% of total spend
Leviathan Security Group | > $10k | | | |
NCC Group | | | | |
NetSPI | | | | |
Network Intelligence | | | | |
Optiv | | | | |
Praetorian | | | | |
Rapid7 | | OWASP ASVS, OSSTMM, PTES | | | Not recommended. Retests are additional cost.
Rhino Security Labs | | | | | Technically excellent, thorough
SysLogic | | | | | Retests are additional cost.
Trail of Bits | | | | | Expert Training Courses, R&D
White Oak Security | ~$20k | | | |

Most of the reports from the above providers are pretty easy to read, but if you get stuck and need help reviewing them, or you need a consultant to help you implement the controls that will let you pass the audit, one of these might help.

    • Infrastructure security - Includes Cloud Provider auditing automation, third party tool integration, environment setup, and SAST, DAST best practices.
    • Application architecture - Includes setting up OIDC, authorization, secrets management, mTLS, service meshes, ZeroTrust application access.


Company | SOC 2 Report Review | Infra implementation assistance | Application architecture reviews | Note
--- | --- | --- | --- | ---
Kobalt | | | | Works only with Vanta
Latacora | | | |
Rhymetic | | | |
SideChannel | | | |
Violetx | | | |

    The SOC 2 Process

    Earning a SOC 2 requires a Company to undergo a third-party examination by a Certified Public Accountant (CPA). The CPA is required to follow a set of AICPA standards to perform the audit and issue the report. Most companies follow a logical process to earning their SOC 2:


    [Step 0] Do I need a SOC 2?

Since SOC 2 is a marketing tool, the default answer is: you don't need a SOC 2 certification. If you start losing deals because your customers are asking for one, then you can take the next step. Do not attempt SOC 2 before you have customers asking for it. It is a waste of time and money, and most importantly it can slow your development process down. If you already have good security hygiene, getting a rubber stamp provides no additional value. If you don't have a great handle on infrastructure security practices, check out the Minimum Viable Secure Product.


    [Step 1] Readiness examination

    An exercise where your Company finds out the current status of the organization as it relates to SOC 2 controls. Organizations use readiness examinations to prepare for their SOC 2 assessment and learn what gaps they must resolve before earning their SOC 2. Once you have completed this mini-internal audit, ask yourself, do I still need to get a SOC 2 rubber stamp?


    [Step 2] Type I

Type I means you have defined some policies. Companies with a Type I have decided what processes they want to follow; it doesn't mean they are following them yet. Think of the Type I as a set of security policy commandments. Having this list can be a good start if you are looking for a way to improve your security posture. The Type I can be a driving force in your organization.


    [Step 3] Type II

    Type II is the proof you are following the policies and controls outlined in your Type I. After a specified period of time (anywhere from 3-12 months) organizations earn their first SOC 2 Type II. Typically the Type II review period begins the day after the date of the Type I review period.


    [Step 4] Review

Your SOC 2 will essentially expire after 12 months, so if you want to keep it active, you are committing to paying for it on a recurring basis. A huge part of that is reviewing your policies, and every year you'll need to undergo a Type II examination to keep your SOC 2 current.


The system description must be presented in accordance with the AICPA's description criteria (DC 200). Each of the description criteria (DC) is described below:

    DC1: Types of services provided

    Describe what services the service organization provides as it relates to the system in scope.

    DC2: Principal service commitments and system requirements

    This section lets the reader know what commitments and system requirements the service organization is making, and which documents the reader can find these commitments in (e.g. MSA, SLAs, Privacy Policy, etc.). This helps give the reader context as to what trust services categories are in-scope and why.

    DC3: Components of the system

    The components described here include the infrastructure, software, people, procedures, and data that support and make up the system. For many Cloud Service Providers (CSP), the infrastructure section will include their hosting provider (such as Amazon Web Services). The software section should list the software and applications that support delivering the service in scope. The people section should include an overview of the departments or key personnel that support the system and what they do. Procedures should state what procedures are and their purpose. Data should discuss what the data is that the system processes (what is your customer data), as well as any other data that directly supports the system.

    DC4: System incidents

Describe any security incidents that rose to the level where your company failed to meet the criteria, your commitments to customers, or your system requirements.

    DC5: Applicable trust services criteria and related controls

    Describe the criteria that are in-scope so that the reader understands the criteria the service organization is being measured against. The service organization will also discuss in detail the control environment and describe the controls that support it. This is a narrative section that is essentially a lighter version of the information security policy.

    DC6: Complementary user entity controls (CUECs)

    CUECs are the controls that the service organization's customers need to have in place in order for the system and control environment to be complete and achieve its objectives. For example, maybe the customers need to have their own logical access controls in place so that only authorized users access the service, otherwise, unauthorized access may cause you to fail to meet your security commitments.

    DC7: Complementary subservice organization controls (CSOCs)

    The service organization will discuss the subservice organizations that support the system and control environment. Subservice organizations are vendors that you cannot meet your criteria, commitments, or system requirements without. For most CSPs, that is going to be the cloud hosting provider (AWS, GCP, Azure, etc.)


    Buying Security by TL;DR Sec

    Buying Security
    A fantastic guide synthesized from almost two hundred resources, as well as a survey of over a hundred security professionals.

Breaks down the types of security consulting, the motivations behind assessments, and potential vendors, as well as how to scope and prepare for your assessment.

    Practical guidance for companies

    NPSA UK Secure Innovation
    Competition to succeed in emerging technology can be intense. This guidance outlines cost-effective measures that you can take from day one to better protect your ideas, reputation and future success.

This can even become the basis of your SOC 2. These are real threats, which suggest threat models that could apply to you. If they do apply, it really helps to target policies at them specifically.

    Tailscale's Security Policies

    Tailscale's public SOC 2 Policies on GitHub
    Tailscale has several security policies in place to properly identify, respond to, and mitigate potential security risks. All employees, vendors and contractors working with Tailscale must follow these policies in order to best protect Tailscale's and its customers' data.

    They've published these publicly for transparency, so that you can see where they are in terms of security maturity.

    Comply SOC 2 Automation Tool

    Comply open source automation

    • Policy Generator: markdown-powered document pipeline for publishing auditor-friendly policy documents
    • Ticketing Integration: automate compliance throughout the year via your existing ticketing system
    • SOC 2 Templates: open source policy and procedure templates suitable for satisfying a SOC 2 audit

    JupiterOne's Policy Builder

Stand-alone policies or integrated policy builder
    A set of foundational but comprehensive policies, standards and procedures designed for cloud-native technology organizations. The policy package covers the requirements and controls for most compliance frameworks and best practices, in a lightweight approach.

    They can be used as stand-alone documents. But the structure is designed to be best suited for use with the jupiter-policy-builder CLI and the policies app on the JupiterOne platform.

    Minimum Viable Secure Product

    List of the minimal controls
    Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers.

    They recommend that all companies building B2B software or otherwise handling sensitive information under its broadest definition implement at least the following controls, and are strongly encouraged to go well beyond them in their security programs.

    A Guide to personal security

    US DNC Security Checklist
    They strongly recommend anyone who works in politics, campaigns, or really anyone who has a device or an account on the internet, take these steps to secure them.

    A guide that is broken down into easy to follow steps for personal security. While it is directed at those in a specific industry there is really good starter advice here, that can get you far. (Don't listen to the advice about LastPass though, the approved list of Password Managers should be BitWarden, 1Password, Chrome Password Manager, and Apple Keychain.)

    Authress: Authentication & Authorization

    User Management and Access Control
    Quick start complete application security, by adding Authress to your stack.

Authress is the only complete authentication solution for B2B, so it helps get your application security most of the way towards compliance. If you're looking for an alternative list of solutions, the Auth Situation Report contains many more.

    Create emergency access roles in AWS

    AWS Break Glass emergency role configuration

    It is recommended to restrict access to the AWS account that hosts your production environment. In these cases it may be necessary to provision a user or role with elevated permissions to be used only in emergency cases.

    This type of role is typically called a "Break Glass Role" and is usually used in On Call situations or other circumstances when quick mitigating action is needed.
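As an added example (not from this guide and not from the AWS documentation it links to), here is one way to express such a Break Glass role and to alert on every use of it. The account id, role name and principal ARNs are constructed placeholders, and the CloudTrail records at the bottom are constructed sample events trimmed to the fields the detector reads.

```python
"""Break-glass role definition plus a detector for its use.

Added example, not from the SOC 2 Guide or from AWS. The trust policy lets only
named on-call principals assume the role, and only with MFA; the session length is
capped so an emergency session cannot quietly become a permanent one. Every
AssumeRole call on the role, successful or denied, becomes an alert.
"""
import json

ACCOUNT_ID = "123456789012"          # placeholder account id
ROLE_NAME = "BreakGlassAdmin"        # hypothetical role name
BREAK_GLASS_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"


def break_glass_trust_policy(allowed_principals: list) -> dict:
    """Trust policy: only the listed principals, and only when MFA was used."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": allowed_principals},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def break_glass_role_definition(allowed_principals: list) -> dict:
    """Keyword arguments in the shape boto3's iam.create_role takes (not called here)."""
    return {
        "RoleName": ROLE_NAME,
        "AssumeRolePolicyDocument": json.dumps(break_glass_trust_policy(allowed_principals)),
        "MaxSessionDuration": 3600,  # one hour: long enough for an incident, not for a habit
        "Description": "Emergency-only elevated access; every use is alerted on.",
    }


def detect_break_glass_use(records: list) -> list:
    """Return one alert per AssumeRole call targeting the break-glass role.

    Denied attempts are included on purpose: a principal hitting the MFA
    condition, or one not in the trust policy at all, is exactly what
    on-call should hear about.
    """
    alerts = []
    for ev in records:
        if ev.get("eventName") != "AssumeRole":
            continue
        if ev.get("requestParameters", {}).get("roleArn") != BREAK_GLASS_ARN:
            continue
        alerts.append({
            "time": ev["eventTime"],
            "principal": ev["userIdentity"]["arn"],
            "source_ip": ev["sourceIPAddress"],
            "outcome": ev.get("errorCode", "Success"),
        })
    return alerts


# Constructed CloudTrail-style records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-03T02:14:07Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": BREAK_GLASS_ARN, "roleSessionName": "incident-4711"}},
    {"eventTime": "2024-03-03T02:15:31Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "requestParameters": {"roleArn": BREAK_GLASS_ARN, "roleSessionName": "bob"}},
    {"eventTime": "2024-03-03T09:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT_ID}:role/ReadOnly"}},
]

if __name__ == "__main__":
    print(json.dumps(break_glass_role_definition([f"arn:aws:iam::{ACCOUNT_ID}:user/alice"]), indent=2))
    for alert in detect_break_glass_use(SAMPLE_EVENTS):
        print("BREAK-GLASS:", alert)
```

On the sample events the detector raises two alerts: alice's successful emergency session and bob's denied attempt, while the ordinary ReadOnly assumption is ignored. The alert stream is also the evidence your auditor will ask for when the policy says the role is "used only in emergency cases".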

    Prowler - Perform best practice assessments

    Open source documentation & guide

    Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.

    It contains support for hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, and many more.

    NodeZero

    Open Source PenTesting Platform

The NodeZero™ platform empowers your organization to reduce your security risk by autonomously finding exploitable weaknesses in your network, giving you detailed guidance about how to prioritize and fix them, and helping you immediately verify that your fixes are effective.

    Auth: Situation Report

    All you need to know before adding auth to your project

    If you’re someone who builds software, no matter if you’re on the backend or frontend or even on the product side, sooner or later you have to concern yourself with securing the thing. Or you realize that data privacy laws are very real and you must have a strategy for user data sharing. So you want to implement some sort of authentication. More likely, you’re looking for a solution, open-source or otherwise, that will solve this problem for you. And here comes confusion. This report has some of the answers.