← Back to Insights

SOC 2: Engineering Controls, Not Collecting Screenshots

Metasphere Engineering 11 min read
Compliance DevSecOps Security Architecture

Your 18-person engineering team just landed a deal that changes the trajectory. The procurement team sends a security questionnaire and one non-negotiable requirement: SOC 2 Type II before contract signature. Six weeks to audit.

The health inspector is coming. The kitchen has no logbook.

You take inventory. No audit logs in immutable storage. Access reviews done manually via reply-all email chain from Q3 that nobody archived. Zero deployment audit trail because the senior engineer who deploys to production does it from his laptop via kubectl apply. Three engineers yanked from feature work for four weeks. Screenshots collected from eight different systems into a shared Google Drive folder. Cramming for an exam. The report arrives, barely. Three months later, every control has drifted back to its previous state. (The kitchen cleaned up for the inspection. It’s a mess again.)

Key takeaways
  • Engineers collecting screenshots for weeks is compliance theater. Months later, every control has drifted. The audit was waste, not assurance.
  • SOC 2 TSC maps directly to engineering practices mature teams already maintain: audit logging, access reviews, change management, incident response.
  • Compliance-as-code means controls enforce themselves. IaC policies prevent non-compliant resources. CI/CD audit trails write themselves. Access reviews run from IAM metadata.
  • Continuous evidence collection eliminates the audit scramble. Stream control state to immutable storage. The audit trail stays current without anyone touching it.
  • kubectl apply from a laptop is a SOC 2 finding. All production changes must flow through a pipeline with audit logging, approval gates, and artifact signing.

SOC 2 Trust Service Criteria map to engineering practices mature teams already maintain. The difference between a clean audit and a panicked scramble is whether those controls were built year-round or bolted on before the auditor’s visit.

SOC 2 compliance controls silently drift after audit, creating evidence gaps at re-auditAnimated timeline showing five SOC 2 compliance controls (MFA, encryption, logging, access review, vulnerability scan) all green at audit. Over six months, logging config changes to amber, access review is skipped turning amber, and vulnerability scanning is disabled turning red. At re-audit, evidence gaps are highlighted for each drifted control. Final annotation: without continuous enforcement, controls drift within 90 days.Compliance Control Drift After AuditAudit WindowMFAEncryptionLoggingAccess ReviewVuln ScanSOC 2 Audit PassedMonth 1Month 2Month 3Month 4Month 5Month 6Time passes after audit...~LoggingConfig changed silently~Access ReviewQ2 review skippedVuln ScanDisabled by deploy3 of 5 controls driftedMFAEnc~Log~AccessVulnRe-Audit: Evidence Gaps Found!Logging4 months incomplete data!Access ReviewNo Q2 review evidence!Vuln ScanNo scans for 2 monthsWithout continuous enforcement, controls drift within 90 days.

What the Security TSC Actually Covers

The Security Trust Service Criterion (required for every SOC 2 report) covers nine control families. Most map naturally to technical controls that also make you more secure. Not hoops dreamed up by bored auditors. Genuinely useful security practices you should want whether an auditor visits or not.

Logical access controls require that access is restricted to authorized users and revoked on departure. In practice: SSO with MFA enforced at the IdP, access provisioning tied to HR via SCIM, automated deprovisioning within 24 hours of offboarding, quarterly access reviews. If you don’t want these independent of an auditor, your security posture has bigger problems than SOC 2.

Change management requires changes to be authorized, tested, and documented. In practice: infrastructure changes via code with PR review, code changes via PR with CI gates, deployment logs stored as immutable evidence. Your CI/CD pipeline is the evidence generator. Every merge becomes a documented, approved, tested change with an audit trail that writes itself.

TSC CategoryAutomated ControlEvidence SourceCollection Frequency
CC6.1: Logical accessIAM policy enforcement, MFA required, least-privilege validationAWS IAM Access Analyzer, CloudTrail auth eventsContinuous
CC6.2: System boundariesNetwork segmentation, security group rules, WAF configVPC Flow Logs, AWS Config rulesContinuous
CC6.3: EncryptionEncryption at rest enforced (EBS, S3, RDS), TLS in transitAWS Config conformance pack, certificate monitoringDaily scan
CC7.1: MonitoringCentralized logging, anomaly detection, alert pipelineCloudWatch, GuardDuty findings, SIEM dashboardsContinuous
CC7.2: Incident responseAutomated triage, runbook execution, escalationPagerDuty audit log, incident timeline, post-mortem recordsPer incident
CC8.1: Change managementPR review required, CI/CD pipeline gates, deployment approvalGitHub audit log, pipeline execution recordsPer change
A1.2: AvailabilityAuto-scaling, health checks, DR validationCloudWatch metrics, DR test results, uptime recordsContinuous + quarterly DR test

Infrastructure That Generates Its Own Evidence

Most of the evidence problem disappears when infrastructure produces audit records as a side effect of normal work. The shift from compliance-as-sprint to compliance-as-practice cuts evidence prep from weeks to days. The engineering team barely notices the audit is happening.

AWS CloudTrail, GCP Cloud Audit Logs, and Azure Activity Logs capture every API call to cloud infrastructure: timestamp, actor identity, request parameters, response. Archive these to S3 with Object Lock enabled, and they become immutable evidence of who accessed what and when. An auditor asking “do you log access to production systems?” gets answered with a CloudTrail export and a date range filter.

VPC flow logs prove network segmentation works. Automated scanner reports (Qualys, Nessus, or Trivy running on schedule) prove scanning cadence. Endpoint enrollment records from Jamf or Intune prove devices are managed and encrypted. GitHub or GitLab audit logs prove PR approval workflows. Each of these is an engineering investment that satisfies SOC 2 requirements as a byproduct of doing your job well. For how this integrates at the infrastructure layer, a cloud-native platform engineering approach makes these controls native to the deployment process.

Anti-pattern

Don’t: Collect SOC 2 evidence via manual screenshots saved to a shared drive. This produces stale data, inconsistent formatting, and evidence that auditors immediately question.

Do: Stream control state to immutable storage continuously. CloudTrail to Object Lock S3, SSO logs via API export, scanner reports on automated schedule. Evidence that generates itself is always current and tamper-proof.

If you already have a well-instrumented DevSecOps practice , most of the evidence problem is solved before the auditor even shows up.

Access Reviews Without the Quarterly Scramble

Access reviews keep showing up as SOC 2 findings for teams that run them by hand. Always the same way. Quarterly calendar reminder fires. Someone exports a spreadsheet of user accounts from each system. Managers reply-all with approvals. Half the replies say “looks fine” with no real review. Security reconciles responses. This takes 2-3 weeks per quarter, produces stale data, and generates evidence that auditors have gotten very good at spotting as rushed.

Prerequisites
  1. Single Sign-On covers 95%+ of your application estate
  2. SCIM provisioning connects your IdP to critical SaaS applications
  3. Offboarding process revokes access within 24 hours of HR action
  4. Access review tooling integrates directly with your identity provider
  5. Reviewers can approve or revoke access inline without spreadsheet exports

Automated access review tools (or compliance platforms like Vanta and Drata that plug into your identity provider and SaaS apps) run continuous monitoring and kick off structured reviews on schedule. Reviewers see current access data and approve or revoke right in the workflow. Audit-ready evidence falls out automatically.

The prerequisite is SSO coverage. Teams that get broad SSO coverage before pursuing SOC 2 complete access reviews in hours instead of weeks. If you have dozens of separate user stores across legacy applications, automation is much harder and quarterly manual reviews remain necessary until SSO coverage improves. Make SSO migration the first investment before engaging an auditor. Every application behind SSO is one fewer manual access review, and the time saved compounds with every audit cycle.

SOC 2 Readiness: Implementation Order MattersSOC 2 Readiness: Implementation OrderMonth 1-2: FoundationSSO + MFA everywhereEncryption at restCentralized loggingMonth 3-4: AutomationIaC for all infrastructureAutomated vulnerability scansCI/CD pipeline gatesMonth 5-6: EvidenceContinuous evidence collectionAutomated compliance checksIncident response drillsMonth 7+: AuditType II observation periodAuditor reviews evidenceControls proven over timeStart with SSO/MFA + encryption. Everything else builds on that foundation.
Vendor risk management: continuous assessment instead of annual questionnaireTraditional approach: annual questionnaire, stale by month 2. Modern approach: continuous monitoring of SOC2 reports, breach feeds, dependency scans. Risk score updated automatically, alerts on posture changes.Vendor Risk: Annual Questionnaires Are FictionAnnual Questionnaire200-question spreadsheet, once a yearStale by month 2. Vendor self-reports.No verification. Checkbox compliance.Security theaterContinuous MonitoringSOC2 reports + breach feeds + dep scansRisk score updated automaticallyAlert on vendor posture changesEvidence-based trustTrust but verify. Continuously.

Vendor Risk Management at Scale

Vendor risk assessment is a SOC 2 requirement that doesn’t scale by hand. Each vendor needs a risk assessment, a look at their security docs, and ongoing monitoring. With 50 SaaS vendors and annual review cycles, 10-15 assessments will quietly expire every year if you’re tracking them manually. Nobody notices until the auditor does.

The practical approach: pick vendors who have their own SOC 2 Type II reports and share them. For vendors without SOC 2, use a standardized security questionnaire (SIG Lite is the standard) and set review intervals based on data sensitivity and access level. Automate renewal reminders so assessments don’t expire without anyone noticing. The security program tie-in is direct: vendor risk becomes a tracked obligation with a deadline, not a calendar item someone might remember.

One trick that saves real time: during vendor evaluation, check if the vendor shares their SOC 2 report through a trust center portal. This cuts out the manual NDA and report request cycle that adds 2-3 weeks to vendor onboarding.

When SOC 2 Should Wait

Invest in SOC 2 nowDefer it
Prospects require it before contract signatureNo customer has asked for it
You process or store customer data at scaleYour product handles no sensitive data
SSO covers most of your application estateDozens of apps with separate user stores
CI/CD pipelines already enforce change managementEngineers deploy from laptops via kubectl
You have budget for a compliance platformThe security team is one person wearing four hats

Going for SOC 2 before SSO coverage and CI/CD discipline are in place turns the audit into theater instead of documentation. Get the foundations right first. The controls should already be useful before the auditor shows up.

The Compliance Drift Window The time between finishing an audit and the point where controls have drifted back to how things were before. Without continuous enforcement, this window is usually 2-4 months. By the next audit, the team is scrambling again because the controls were never part of the daily workflow. Closing it means making the compliant path the default path. Not a mode you switch into when the auditor is coming.

What the Industry Gets Wrong About SOC 2 Compliance

“Buy a compliance platform and check the box.” Compliance platforms collect and organize evidence. They don’t create the controls. A platform that ingests screenshots of manually configured resources just automates the documentation of non-compliance. You have to build the controls into your infrastructure first.

“SOC 2 is a security certification.” SOC 2 is a trust framework covering security, availability, processing integrity, confidentiality, and privacy. Security is one of five Trust Service Criteria. Teams that treat SOC 2 as purely a security exercise miss availability and processing integrity requirements entirely.

“You need a dedicated compliance team.” What you need is engineering discipline. If your CI/CD pipeline already enforces PR review, your IdP already logs access events, and your scanners already run on schedule, the compliance team’s job shrinks to organizing evidence that already exists. Hiring more people isn’t the answer when the infrastructure can do the work.

Our take Build the CI/CD audit trail first. Every production change flowing through a pipeline with who-committed, who-approved, what-tests-passed, and when-deployed satisfies the change management TSC automatically. The audit trail is a byproduct of the pipeline, not a separate evidence collection exercise. This single control covers more SOC 2 requirements than any other engineering investment, and it makes your deployment process more reliable whether an auditor ever looks at it or not.

Six weeks to audit, and this time nobody scrambles. Access reviews run automatically through the IdP integration. The deployment trail is immutable in Object Lock storage. The evidence platform already has everything the auditor needs. Three engineers stay on feature work instead of collecting screenshots. The contract signs on schedule because the controls were running all year, generating evidence as a side effect of doing the job well.

Your SOC 2 Audit Starts in Six Weeks

Scrambling for SOC 2 evidence six weeks before audit is compliance as afterthought. Technical controls that satisfy requirements as natural output of how infrastructure operates mean audit prep drops from 400 hours to under 40.

Engineer Compliance

Frequently Asked Questions

What is the difference between SOC 2 Type I and Type II?

+

Type I checks that your controls are designed right on a single date. Type II covers a 6-12 month window and checks that controls actually worked the whole time. Type II carries more weight because it proves ongoing discipline. Most procurement teams require Type II before signing contracts above a certain deal size. Start with a 6-month Type II observation period to get your report as fast as possible.

What are the SOC 2 Trust Service Criteria?

+

SOC 2 covers five Trust Service Criteria: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Most B2B SaaS companies go for Security alone or Security plus Availability. Security covers logical access, change management, risk assessment, and incident response. Customer requirements drive which extra categories you add, and each one tacks on about 2-4 weeks of audit scope.

Which technical controls satisfy the most SOC 2 requirements?

+

Seven controls cover the most ground: MFA for all system access, SSO for applications, audit logging to immutable storage (S3 Object Lock), RBAC with documented provisioning and deprovisioning, vulnerability scanning with SLAs (30-day critical, 90-day high), endpoint management with encryption and remote wipe, and CI/CD-enforced change management. These seven hit the widest range of Security TSC requirements.

How do you automate SOC 2 evidence collection?

+

Most evidence comes from infrastructure tooling, not screenshots. CloudTrail proves API activity. SSO logs prove access provisioning. Scanner outputs prove scanning cadence. CI/CD logs prove change management. Compliance platforms like Vanta and Drata plug into these sources and collect evidence nonstop. Teams with automated collection cut evidence prep from weeks to days per audit cycle.

What is the biggest mistake companies make pursuing SOC 2?

+

Treating it as a project rather than a program. Companies implement controls for the audit window, collect the report, and let controls drift within 90 days. Auditors detect evidence gaps that suggest controls were only active during the observation period. Companies with consistently clean audits operate controls year-round because those controls are genuinely useful security practices, not theater.