Any views on Vanta vs Tugboat Logic vs Laika? I’m trying to choose among them and am leaning towards Tugboat Logic. Its policies seem more thoroughly drafted and they let you test drive the platform, which none of the others allow. Vanta has more integrations but doesn’t currently do Jamf from what I can tell.
Be careful about SOC2 tooling that (1) asks you to do new stuff, or (2) wants to become part of the fabric of how you manage hosts day-to-day.
Re (1): SOC2 is about adherence to a stated portfolio of controls. Different companies use different controls to reach the same control objectives. Almost all of the control objectives can be met with straightforward best-practices engineering, like having a carefully managed and logged SSO (a reason Okta is so popular), or --- I'm not exaggerating here even a little bit --- being able to describe the basic features of Github to an accountant. I've seen tooling that asks people to install all sorts of random security tooling on desktops and (worse) on servers; having been in SOC2 interviews with major-firm auditors, I can say with confidence none of them know what the fuck any of that shit means.
Re (2): SOC2 is not your security program. SOC2 has no good advice for your security program. Any competently run security program can, with enough grueling documentation, achieve SOC2. The very last thing in the universe you want is "SOC2" literally installing itself on your machines.
I think there's a lot of value in things that help you build and fill out checklists that will allow you to quickly and easily satisfy SOC2 IRL questionnaires; also just to keep yourself organized. But remember that the engineering should come from your engineering team, not from the absolute randos who build prefab SOC2 checklists.
The policy docs are just filler. Auditors never look at them in any detail. They look for the last revised date and last review date. I bought a $150 bundle online and submitted it as-is without even replacing a single parameter, and the audit went fine.
But Vanta/Tugboat won't actually do the reviews and training and HR and executive reviews you need. Basically their deal is that they cut volume discounts with the audit firms and then take the rest. They have nice dashboards, don't get me wrong, but only their hand-picked auditors will accept them. Others will require you to manually package up the same evidence anyway and upload it to their IRL evidence system.
Vanta at least made me sign a separate contract with the auditor, so I’m not sure they’re making money on the difference. The policy docs indeed don’t seem very closely scrutinized, and I’d prioritize the service that can automate more for you. Vanta provided its own client monitoring application which exists alongside JAMF and seems to cover the same controls.
It's more that there is a market price for SOC2 that auditors can charge, and they are adding $20-25K to the price tag, so they need the auditors to subsidize that. At least when I talked to these firms, you could not bring your own audit firm. You had to go with theirs. Nothing wrong there and kudos to them for innovating on the pricing/biz dev, but you can pocket that savings yourself by negotiating the same price drop directly with the audit firm, and using your own scripts or open source to collect evidence. Vanta and Tugboat have nice UIs definitely. It's just the difference between buying a Honda vs. Mercedes. Not everyone cares about paying the lowest amount for a solution. If your budget affords high end convenience, go for it.
Christina, Vanta founder here. Can confirm we don’t make money on any difference, and no money changes hands between us and auditors. It’s just a lower price for customers.
I think this depends on your internal resources. Tugboat and Laika are more project management tools; a great question to ask is, "If you integrate with my infrastructure, how many controls within the SOC2 framework are you actually automating?" Vanta has been around a while but I’ve heard mixed feedback from auditors as well as companies that use the tool. I’d recommend looking into Drata; they have the most automation and great auditor relationships. Happy to provide an intro to one of their audit partners that I used to work with to learn more from their perspective.
We did a Type 1 audit with Tugboat last year. I came away quite impressed - the default templates are a great starting point, and the evidence tasks are basically a giant to-do list to assign and grind through. It turned a complex project with lots of unknowns into a much more straightforward project.