Skip to content

Compliance

SOC 2

System and Organization Controls 2

What we assess

What your SOC 2 test covers

We test the systems in your SOC 2 boundary against the Trust Services Criteria, so your report shows controls that hold up under real attack, not just on paper.

Security (Common Criteria)

The core controls every SOC 2 covers: how you protect systems and data from unauthorized access.

We test for

  • Access control and authentication
  • Network and perimeter security
  • Vulnerability and patch management
  • Change management controls

Availability

Whether systems meet the uptime and resilience commitments you make to customers.

We test for

  • Redundancy and failover
  • Backup and recovery
  • Capacity and monitoring
  • Incident response

Confidentiality

How confidential data is protected in transit, at rest, and in use.

We test for

  • Encryption in transit and at rest
  • Data classification and handling
  • Access restriction
  • Secure disposal

Processing Integrity & Privacy

Whether processing is complete and accurate, and personal data is handled properly.

We test for

  • Input and processing validation
  • Data accuracy controls
  • Privacy notice alignment
  • Consent and retention

How it works

How your engagement runs

From scope through the final retest, your team stays in the loop at every step, with findings tracked live in our platform.

  1. 01

    Scope & align

    We scope your SOC 2 boundary and align testing to the Trust Criteria.

  2. 02

    Test criteria

    Testing mapped to the Security and Availability Trust Criteria.

  3. 03

    Auditor report

    Findings mapped to your controls, ready for Vanta, Drata, or your GRC.

  4. 04

    Fix & retest

    Fix the findings, then a free retest before your examination.

FAQ

Frequently asked questions

What teams most often ask before SOC 2 testing.

Still have questions?
01Does SOC 2 require a penetration test?

Most auditors do not mandate one outright, but nearly every serious examination expects a penetration test as evidence for the Security and Availability criteria, and enterprise customers frequently ask for it directly. We run the test and give you a report your auditor recognizes.

02When should we run the test relative to our audit?

Ideally inside your audit window and early enough to remediate any findings before the examination closes. We build the timeline around your audit dates so it does not become a last-minute scramble.

03Do you work with Vanta or Drata?

Yes. We format evidence so it uploads cleanly into Vanta, Drata, or your GRC platform of choice.

Ready to test your defenses?

Talk to our team about what your SOC 2 compliance requires.

Get a Fixed-Scope Quote

Tell us what you need tested. We reply within one business day.