Be careful about SOC2 tooling that (1) asks you to do new stuff, or (2) that wants to become part of the fabric of how you manage hosts day-to-day.
Re (1): SOC2 is about adherence to a stated portfolio of controls. Different companies use different controls to reach the same control objectives. Almost all of the control objectives can be met with straightforward best-practices engineering, like having a carefully managed and logged SSO (a reason Okta is so popular), or --- I'm not exaggerating here even a little bit --- being able to describe the basic features of Github to an accountant. I've seen tooling that asks people to install all sorts of random security tooling on desktops and (worse) on servers; having been in SOC2 interviews with major-firm auditors, I can say with confidence none of them know what the fuck any of that shit means.
Re (2): SOC2 is not your security program. SOC2 has no good advice for your security program. Any competently run security program can, with enough grueling documentation, achieve SOC2. The very last thing in the universe you want is "SOC2" literally installing itself on your machines.
I think there's a lot of value in things that help you build and fill out checklists that will allow you to quickly and easily satisfy SOC2 IRL questionnaires; also just to keep yourself organized. But remember that the engineering should come from your engineering team, not from the absolute randos who build prefab SOC2 checklists.