Skip to content
woolly.me
← Articles
Article

SOC 2 is a sales tool that happens to improve your security

Startups don't buy SOC 2 for security. They buy it because an enterprise deal won't close without it. What the readiness work actually is, from the infra side.

Last updated

The first thing to understand about SOC 2 is that almost nobody buys it to be more secure. They buy it because a deal won’t close without it. A startup gets into the sales cycle with its first real enterprise customer, the customer’s security team sends over a questionnaire, and somewhere in it is a line that says SOC 2 Type 2 report, and the deal doesn’t move until there’s one to attach. That’s the actual mechanism, and pretending it’s a security initiative is how the project ends up owned by the wrong people.

This matters because it tells you when. SOC 2 isn’t law. HIPAA is law if you touch health data, PCI-DSS is contractually mandatory if you handle cards, and those get bought on a compliance schedule. SOC 2 is a commercial expectation, the price of selling upmarket, and it becomes a live purchase at the moment a large buyer appears in the pipeline. For most startups that’s around Series A, when the first enterprise deal is big enough that “we don’t have SOC 2 yet” starts costing real revenue. Before that, it’s often premature. After the deal stalls on it, it’s late.

The report everyone wants is the one you have to plan for

Buyers want Type 2, not Type 1, and the difference decides your timeline. Type 1 says your controls are designed correctly on the day the auditor looked. Type 2 says they actually operated over a window, usually several months to a year. An enterprise security team treats Type 1 as a promise and Type 2 as evidence, and they want evidence.

The consequence is unforgiving: you can’t observe controls that weren’t running. If you start the readiness work the week the deal appears, the earliest honest Type 2 report is still a couple of quarters out, because the observation window hasn’t happened yet. This is the single most common way SOC 2 goes wrong, treated as a document you commission instead of a period you have to live through, and discovered late enough that it delays the exact deal it was meant to close.

What SOC 2 readiness actually is

Here’s where I should be precise about my own vantage, because it’s easy to overclaim in this territory. I’m not an auditor, and I’ve never signed a SOC 2 opinion. What I’ve built, repeatedly, is the infrastructure that a SOC 2 audit examines, in environments where that kind of scrutiny was routine: a defense program where I wrote InSpec compliance suites that tested environments against controls as code, and healthcare platforms at Aetna, CVS, and a rounding startup where access, change, and audit discipline weren’t optional. The readiness work, the part that takes months, is platform engineering, and it’s the same work whether or not an auditor is coming.

It comes down to a handful of controls, all of them infrastructure:

  • Access management: least-privilege IAM, no shared credentials, access granted and revoked through a reviewed process you can show. Federated login and short-lived tokens instead of long-lived keys make this dramatically easier to prove.
  • Change management: every change to production goes through a reviewed pipeline, not a console. If you’ve read my piece on CI/CD, this is the same discipline; an auditor just wants to see the reviews and the trail.
  • Logging and monitoring: audit logs that are complete, tamper-evident, and retained, plus alerting that proves you’d notice an incident.
  • Evidence you can produce on demand: the whole thing lives or dies on whether you can hand the auditor proof a control ran, without a week of scrambling each time they ask.

Every one of those is worth having whether or not you ever get audited. That’s the quiet upside of a sales-driven compliance project: the deadline is artificial, imposed by a buyer’s procurement calendar, but the controls it forces you to build are the ones a serious platform should have anyway.

Start it before you need it

The practical advice falls out of the timeline. If enterprise customers are anywhere on your roadmap, start building the controls now, while it’s cheap and nobody’s waiting on it, and treat the eventual audit as a formality that observes work you already did. The access model, the pipeline, the logging, the evidence trail, none of it should be new when the auditor arrives.

The teams that do this well never have a “SOC 2 project,” because the platform was audit-shaped from the start and the report is just someone attesting to it. The teams that don’t get a frantic quarter, a delayed deal, and a report that arrives right after the customer got tired of waiting.

Questions this raises

When does a startup actually need SOC 2?
When your first serious enterprise deal enters the pipeline, which for most startups is around Series A. SOC 2 isn't legally required the way HIPAA or PCI-DSS are; it's contractually required, meaning a large buyer's security team won't sign without it. If you're selling to other engineers or SMBs, you may not need it yet. The trigger is a deal, not a threat.
What's the difference between SOC 2 Type 1 and Type 2, and which do buyers want?
Type 1 attests that your controls are designed correctly at a point in time. Type 2 attests they actually operated over a period, usually several months to a year. Enterprise buyers overwhelmingly want Type 2, because a snapshot proves intent and an observation window proves discipline. The practical consequence is that you have to start early: you can't retroactively observe controls that weren't running.
Is SOC 2 readiness a security project or an infrastructure project?
Mostly infrastructure. The controls auditors examine are access management, change management through a reviewed pipeline, logging and audit trails, and evidence you can produce on demand. Those are platform-engineering deliverables. The auditor checks the controls; the platform team builds the thing being checked, and that build is where the months go.

Consulting

Dealing with this on your own infrastructure?

I take contract and consulting engagements on exactly this kind of work.

Get in touch