SOC 2 readiness assessment, with the pentest most firms skip.
A 2-week productized engagement with a senior practitioner. Gap analysis tied to production evidence, focused pentest, prioritized remediation roadmap, executive readout. $2,500 flat, credited in full toward retainer.
Most SOC 2 readiness assessments are paper-only: a 30-page document mapping your policies to the Trust Services Criteria. Useful, but it misses the controls actually running in production and the application bugs your auditor cannot find. We do both. The pentest is included because we run it in-house.
Four deliverables, one engagement.
The artifacts your auditor and your engineering team both need. All written by the senior practitioner who is doing the work, not handed off to a junior associate.
Gap analysis against Trust Services Criteria
Each TSC scored against your current controls. Not a generic template. The assessment is tied to real production evidence: your IdP configuration, AWS Config snapshots, GitHub branch protection, IAM Access Analyzer findings, EDR coverage, change management logs. Auditors at Schellman, A-LIGN, BARR, Prescient, and KirkpatrickPrice pull from the same evidence sources. Better to surface the gaps now than at fieldwork.
Prioritized remediation roadmap
Each gap ranked by effort, impact on audit outcome, and dependency on other gaps. Effort estimates are realistic (a senior engineer week is more honest than a checkbox). Suggested owners are mapped to your team where we can see the org chart. The roadmap is structured so engineering can pick up the highest-impact items first and burn down the rest in parallel.
Policy gap inventory with templates
The policies you need, the policies you have, and editable templates for every missing one. Templates are written to match how engineering teams actually operate, not legal-template boilerplate. Most clients adopt 70 to 80% of the template language as-is and customize the rest. Versioned, review-scheduled, and tied to the controls they support.
Focused pentest report
8 to 12 hours of practitioner-grade offensive security work on your application. Auth flow review, API security testing, common web vulnerability scan, and follow-up on any anomalies the automated tooling surfaces. Findings are scored by severity (Critical, High, Medium, Low), tied to specific endpoints or requests, and include remediation guidance. The pentest most readiness firms either subcontract at extra cost or skip entirely.
Two business weeks, kickoff to readout.
01. Week 1, day 1: Kickoff and scope
60-minute kickoff call. We confirm scope (which entities, regions, services are in audit scope), provision read-only access, identify the auditor and observation window, and pin down the two or three things that matter most to your audit date.
02. Week 1, days 2-5: Gap analysis and pentest
Gap analysis runs against the Trust Services Criteria. Pentest runs in parallel against your application. Both extract real evidence rather than self-reported answers. Critical findings surface immediately so your team can start remediation before the report ships.
03. Week 2, days 1-3: Report and roadmap
Prioritized remediation roadmap with effort estimates, policy templates for missing policies, pentest findings report, and gap analysis writeup. Drafts shared mid-week so your team can react before the executive readout.
04. Week 2, days 4-5: Executive readout
30-minute presentation to your leadership team. We walk through the most consequential findings, prioritize remediation, and answer questions in real time. The deck and all artifacts are yours. If retainer makes sense, we scope it on the same call.
What we see in almost every first-time SOC 2 readiness assessment.
Five gaps that show up in roughly 80% of the readiness assessments we run. None of them are exotic; all of them get caught at fieldwork if not surfaced beforehand.
- MFA enforced "in policy" but not in IdP configuration: the policy says all admin access requires MFA. Your IdP shows two service accounts and a forgotten contractor still using password-only login. Auditors check the IdP, not the policy.
- Vendor inventory either missing or six months stale: CC9.2 is the finding auditors love to issue. A tiered vendor inventory with a review cadence per tier closes it. Almost no first-timer has one until we surface the gap.
- Backup procedures documented, never tested: A1.2 wants tested backup and recovery, not just documented procedures. If your team has not actually run a restore exercise in the last 12 months, the auditor opens a finding. We document the test or run one with you.
- Change management informal: CC8.1 wants documented change management with named approvers. Slack messages saying "LGTM, ship it" do not survive auditor review. PR review with branch protection and a named approver in the change log does.
- Incident response plan untested: CC7.4 wants a tested IR plan. A document in Drive that nobody has read in two years is not tested. We either run a tabletop exercise during the Sprint or document the next one with realistic dates.
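As an added illustration, not part of the service page or its deliverables, here are the five gaps above expressed as evidence-based checks: each one reads an evidence record (a constructed IdP user export, GitHub-style branch protection settings, dated control records) rather than a policy statement. The field names, the assessment date and the 12-month tabletop cadence for CC7.4 are assumptions.

```python
from datetime import date

TODAY = date(2024, 6, 1)  # assumed assessment date (constructed)

# Constructed IdP user export: role plus MFA enrollment, the view an auditor pulls.
IDP_USERS = [
    {"login": "alice@example.com", "roles": ["admin"], "mfa": True},
    {"login": "svc-deploy@example.com", "roles": ["admin"], "mfa": False},
    {"login": "old-contractor@example.com", "roles": ["admin"], "mfa": False},
    {"login": "bob@example.com", "roles": ["viewer"], "mfa": False},
]
# Constructed GitHub-style branch protection and dated control records.
BRANCH_PROTECTION = {"main": {"required_reviews": 1, "enforce_admins": False},
                     "release": {"required_reviews": 0, "enforce_admins": True}}
VENDOR_INVENTORY_REVIEWED = date(2023, 10, 15)
LAST_RESTORE_TEST = date(2023, 4, 10)
LAST_IR_TABLETOP = None  # never run

def stale(last, max_days, today=TODAY):
    """True when a dated control record is missing or older than max_days."""
    return last is None or (today - last).days > max_days

def admins_without_mfa(users):
    """The policy says admins use MFA; the IdP export says who actually does."""
    return sorted(u["login"] for u in users if "admin" in u["roles"] and not u["mfa"])

def unprotected_branches(protection):
    """CC8.1: each protected branch needs a required review and no admin bypass."""
    return sorted(b for b, p in protection.items()
                  if p["required_reviews"] < 1 or not p["enforce_admins"])

def run_gap_checks(users=IDP_USERS, protection=BRANCH_PROTECTION,
                   vendor_review=VENDOR_INVENTORY_REVIEWED,
                   restore_test=LAST_RESTORE_TEST, ir_tabletop=LAST_IR_TABLETOP):
    """Return {gap: evidence} for each failing check; an empty dict means no gaps."""
    gaps = {}
    if accounts := admins_without_mfa(users):
        gaps["MFA not enforced in IdP"] = accounts
    if branches := unprotected_branches(protection):
        gaps["CC8.1 change management informal"] = branches
    if stale(vendor_review, 180):   # six months, as in the finding above
        gaps["CC9.2 vendor inventory stale"] = vendor_review
    if stale(restore_test, 365):    # 12 months, as in the finding above
        gaps["A1.2 backup restore untested"] = restore_test
    if stale(ir_tabletop, 365):     # 12-month tabletop cadence is an assumption
        gaps["CC7.4 IR plan untested"] = ir_tabletop
    return gaps
```

Running `run_gap_checks()` against the constructed evidence reports all five gaps, with the offending accounts, branches and last-known dates as the evidence an auditor would ask for.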
$2,500 flat. Credited in full toward retainer.
Fixed price, fixed timeline, fixed deliverables. If you sign a vCISO retainer within 30 days of Sprint completion, the full $2,500 credits against your first month. The Sprint becomes the discovery phase of the retainer rather than a separate line item. Founding cohort clients pay $500 in exchange for a testimonial and case study rights.
Not ready to talk? Score your SOC 2 readiness.
Twenty questions, a scored PDF in your inbox, a realistic timeline to audit. Free.
Common questions about SOC 2 readiness.
What is a SOC 2 readiness assessment?
A pre-audit review against the SOC 2 Trust Services Criteria. The assessor maps your existing controls to the criteria, identifies gaps, and writes a remediation plan you can execute before fieldwork. Done well, it surfaces the issues your auditor would otherwise find at fieldwork (when fixing them costs 5 to 10 times more) and gives your team a runway to close them on a controlled timeline. Done poorly, it produces a 30-page document that nobody can act on.
How is your SOC 2 readiness assessment different?
Three differences. First, our 2-week Sprint includes a focused penetration test on your application. Most readiness firms are paper-only and either subcontract pentests at extra cost or skip them. Second, our gap analysis is tied to production evidence (Okta, AWS, GitHub, your EDR, your IdP), not policy PDFs. Third, the engagement is productized at a flat $2,500 with the cost credited in full toward your first month of retainer if you continue. No partner-rate billing, no scope creep.
How long does the assessment take?
Two business weeks from kickoff to executive readout. Week 1: kickoff call (60 minutes), access provisioning, gap analysis, and pentest scoping. Days 2 to 5: gap analysis and pentest run in parallel. Week 2: report drafting, policy gap inventory, executive readout deck, and a 30-minute presentation to your leadership. The aggressive timeline is the point: most companies hire a readiness assessor because their audit date is 6 to 12 weeks out and they need actionable findings yesterday.
Who is this for?
Companies preparing for their first SOC 2 audit (Type I or Type II) or companies who failed a prior readiness assessment and need a second opinion. Most clients are B2B SaaS between 20 and 250 employees with an enterprise pipeline blocked on SOC 2 attestation. We have also run readiness assessments for healthtech (paired with HIPAA), fintech (paired with PCI DSS), and defense sub-primes (paired with CMMC).
How is this different from what Vanta or Drata provides?
Vanta and Drata automate evidence collection and surface failing controls against a Trust Services Criteria checklist. Useful, but they do not write your policies, run your incident response, sign your management representation letter, or attend the auditor kickoff. The readiness assessment is the human program around the platform: we run the gap analysis, write the remediation plan, sit on auditor calls, and own the controls work that the platform tracks. Most clients use Vanta or Drata; we are the consulting layer above the tool.
What does the deliverable look like?
Four artifacts: (1) a gap analysis document with each Trust Services Criterion scored against your current controls, (2) a prioritized remediation roadmap with effort estimates and owner suggestions, (3) a policy gap inventory with templates for missing policies, and (4) a focused pentest findings report with severity ratings and remediation guidance. Plus the executive readout deck. Everything is yours to keep and reuse.
How much does it cost?
$2,500 flat for the 2-week Sprint. The full $2,500 credits against your first month of retainer if you sign within 30 days of Sprint completion. Founding cohort clients pay $500 instead of $2,500 in exchange for a testimonial and case study rights. There are no hidden expenses or "plus-fees" for routine work. Travel and tooling are baked in.
Can you handle SOC 2 Type II observation?
Yes, this is what the Embedded vCISO retainer covers. The Sprint gets you ready for fieldwork. The retainer maintains the program through the 3 to 12 month observation window: monthly evidence collection cycles, control monitoring, drift correction, and audit liaison. Most clients run Sprint to retainer in sequence: Sprint clears Type I, retainer carries the program through Type II.
What if my auditor surfaced findings I cannot resolve before fieldwork?
We help you make a defensible call: implement before fieldwork, document a compensating control with a remediation timeline, or accept the finding and address it in the next observation window. None of these are great, but knowing which to pick and how to defend it on the auditor call is exactly the value a senior practitioner adds. We have been on both sides of these calls.