Pillar guide · SOC 2

SOC 2: the developer's pillar guide

SOC 2 is the de facto B2B security report for SaaS in the US: a CPA-issued attestation that your service organization meets the Trust Services Criteria. This pillar covers what SOC 2 is (and isn't), which Trust Services Criteria apply, Type 1 vs Type 2, what auditors actually check on a modern stack, and how to be ready in 60–90 days as a small team.

  • What SOC 2 covers — and what it does not
  • Trust Services Criteria mapping for your stack
  • Type 1 vs Type 2: cost, timeline, what each proves
  • Auditor-grade evidence engineers can produce
  • How to be ready in 60–90 days as a small team
  • Honest pricing: tool cost vs auditor cost, separated

What SOC 2 is (and what it is not)

SOC 2 is an attestation report issued by a licensed CPA firm under the AICPA's SSAE 18 standard. It tests whether a service organization's controls meet the relevant Trust Services Criteria (TSC). It is NOT a certification, NOT a regulation, and NOT issued by any government body — those are common misconceptions.

A SOC 2 report has practical value because it standardizes what enterprise buyers ask vendors during procurement. A Type 1 report says your controls existed at a point in time. A Type 2 report says they operated effectively over a window (typically 3, 6, or 12 months).

Common pitfall: assuming "SOC 2 compliant" is a binary status. It is not. The auditor expresses an opinion; reports include exceptions and management responses. A SOC 2 with exceptions is normal — what matters is the disposition.

Trust Services Criteria, plainly

There are five TSC categories. Most SaaS reports cover Security only (mandatory) or Security + Availability. Add the others only if you genuinely process customer data on those dimensions.

  • Security (Common Criteria) — every SOC 2 includes this. Access control, change management, vulnerability management, incident response.
  • Availability — uptime + DR. Add if you sell an SLA.
  • Processing Integrity — data transformations are complete + accurate. Add if you transform customer data en route.
  • Confidentiality — non-personal data marked confidential is protected. Add if you handle pre-release product data or trade secrets.
  • Privacy — covers personal data. GDPR/HIPAA frameworks usually address this better; add it only if your auditor recommends it.

Type 1 vs Type 2 — pick the right one

Type 1 is point-in-time. The auditor looks at your control design as of a specific date. Takes 4–8 weeks once you start. Suitable for: closing your first enterprise deal where the buyer accepts "they have a SOC 2."

Type 2 is the real one. The auditor evaluates control operating effectiveness over an observation window (3 months minimum, 6+ typical, 12 standard for annual). Takes 6–12 months end-to-end including the window. Required by most procurement teams.

Strategy for small teams: get a Type 1 to unblock the first sale, then immediately begin the Type 2 window. Most auditors will roll the Type 1 into the Type 2 engagement.

What auditors actually want

Auditors sample evidence. You don't have to be perfect — you have to be consistent. The hardest parts of a SOC 2 are not technical; they're documentation:

  • Written policies for access, change management, incident response, vendor risk, BCP/DR. KollGuard ships 10 templates.
  • Workforce evidence: training records, signed acknowledgments, quarterly access reviews. KollGuard's personnel register tracks the dates.
  • Technical evidence: MFA enforced, branch protection on, TLS everywhere, vulnerability remediation cadence, audit logs retained. KollGuard's scanner produces this automatically.
  • Risk acceptances for findings you chose not to remediate. KollGuard requires a written justification for accepted_risk — exactly what auditors want.
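The two technical items above that engineers most often get wrong are remediation cadence and risk acceptances: a finding is only "handled" if it was fixed inside the policy SLA, or if its acceptance carries a written justification, a named owner and a review date. The script below is an added example, not KollGuard's scanner or any real product's output, showing how a register of findings can be checked against those rules and summarized in the population/passed/exceptions shape an auditor samples. The field names, the per-severity SLA table and the sample findings are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation SLA (days from open to fix) per severity. This is a policy
# value the organization sets; the table here is constructed for the example.
CADENCE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    """One scanner finding as it would appear in a remediation register (assumed schema)."""
    id: str
    severity: str
    opened: date
    status: str                        # "open", "remediated" or "accepted_risk"
    remediated: Optional[date] = None  # date fixed, for status == "remediated"
    justification: str = ""            # required when status == "accepted_risk"
    owner: str = ""                    # named approver of the acceptance
    expires: Optional[date] = None     # acceptance must be re-reviewed by this date


def check_finding(f: Finding, today: date) -> List[str]:
    """Return the exceptions an auditor would note; an empty list means the finding passes."""
    sla = CADENCE_DAYS.get(f.severity)
    if sla is None:
        return [f"unknown severity {f.severity!r}"]
    due = f.opened + timedelta(days=sla)
    problems: List[str] = []
    if f.status == "remediated":
        if f.remediated is None:
            problems.append("marked remediated but no remediation date recorded")
        elif f.remediated > due:
            problems.append(f"remediated {(f.remediated - due).days} days past SLA")
    elif f.status == "accepted_risk":
        # A risk acceptance is only evidence if it is justified, owned and time-boxed.
        if not f.justification.strip():
            problems.append("accepted_risk without written justification")
        if not f.owner.strip():
            problems.append("accepted_risk without a named owner")
        if f.expires is None:
            problems.append("accepted_risk without an expiry/review date")
        elif f.expires < today:
            problems.append(f"risk acceptance expired on {f.expires.isoformat()}")
    elif f.status == "open":
        if today > due:
            problems.append(f"open {(today - due).days} days past SLA")
    else:
        problems.append(f"unknown status {f.status!r}")
    return problems


def evidence_summary(findings: List[Finding], today: date) -> Dict[str, object]:
    """Summarize the register the way an auditor samples it: population size,
    how many items pass, and the exceptions listed per finding id."""
    exceptions: Dict[str, List[str]] = {}
    for f in findings:
        problems = check_finding(f, today)
        if problems:
            exceptions[f.id] = problems
    return {
        "as_of": today.isoformat(),
        "sampled": len(findings),
        "passed": len(findings) - len(exceptions),
        "exceptions": exceptions,
    }


# Constructed sample register (not real findings), evaluated as of 2026-03-01.
AS_OF = date(2026, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", date(2026, 2, 1), "remediated", remediated=date(2026, 2, 5)),
    Finding("F-2", "high", date(2025, 12, 1), "open"),
    Finding("F-3", "medium", date(2026, 1, 10), "accepted_risk",
            justification="Internal-only tool; compensating control: network ACL",
            owner="alice", expires=date(2026, 7, 1)),
    Finding("F-4", "low", date(2026, 1, 15), "accepted_risk"),
    Finding("F-5", "high", date(2026, 1, 1), "remediated", remediated=date(2026, 2, 15)),
]

if __name__ == "__main__":
    summary = evidence_summary(SAMPLE_FINDINGS, AS_OF)
    print(f"As of {summary['as_of']}: {summary['passed']}/{summary['sampled']} findings pass")
    for fid, problems in summary["exceptions"].items():
        for p in problems:
            print(f"  EXCEPTION {fid}: {p}")
```

Run as a script it reports 2 of 5 findings passing and lists the exceptions for F-2 (open past SLA), F-4 (an acceptance with no justification, owner or expiry) and F-5 (fixed, but late). The point is that exceptions are surfaced with the number of days past SLA or the missing field spelled out, which is what an auditor needs to read a management response against.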

Honest pricing (so you know what to budget)

Two costs, separately:

Tool cost (evidence + scanning): KollGuard $19.89/mo. Vanta/Drata/Secureframe ~$7.5k–$25k/yr. The platforms include more administrative breadth (vendor questionnaires, training); KollGuard runs the technical scans.

Auditor cost: Type 1 typically $5k–$20k, Type 2 typically $15k–$50k+ depending on scope and CPA firm. This is separate from tool cost. Some platforms bundle the audit with the tool (Thoropass), but buying the two separately almost always wins on price.

For a 5-person startup, the cheapest legitimate path to SOC 2 Type 1 in 2026 is roughly $8k–$25k all-in (KollGuard subscription + a CPA firm engagement).

Frequently asked

How long does a SOC 2 Type 1 take?
4–8 weeks once you have the controls in place and an auditor engaged. The bottleneck is usually documenting policies and producing technical evidence, not the auditor work itself.

Do I need policies before I start?
Yes. Auditors will ask for written policies on day one. You can use a template library (KollGuard ships 10 templates) and customize, but they have to be approved and assigned to an owner.

Can I do SOC 2 without a vendor like Vanta or KollGuard?
Technically yes — DIY with scripts + spreadsheets. Practically no — auditors expect evidence in specific shapes, and reconstructing that shape from raw logs costs more in engineering time than a tool. If you DIY, budget the engineering hours.

What is the SOC 2 trust pyramid?
Informal industry term: bottom = stated policies; middle = technical controls actually in place; top = continuous evidence of operating effectiveness. Type 1 covers the bottom two; Type 2 adds the top.

Can KollGuard issue my SOC 2 report?
No. KollGuard is a tool, not a CPA firm. We produce auditor-ready evidence; an independent CPA firm runs the audit and issues the report.

Stop reading. Start scanning.

The fastest way to know your SOC 2 posture is to run the scan. First scan of each target free.