Zhivko Todorov

CASE 42 · TUNDRA · 2025

SOC 2 · AUDIT MANAGER · CONFIG · AUTOMATION

SOC 2 Type II evidence that gathers itself.

A B2B SaaS company had passed SOC 2 Type I in 2023 and was due for Type II in 2025. The Type I prep had consumed two senior engineers for three months. We automated 78% of the evidence collection so Type II prep took two engineer-weeks total.

INDUSTRY: B2B SaaS

DOMAIN: SECURITY

DELIVERED: 2025

STACK: AWS AUDIT MANAGER · AWS CONFIG · CLOUDTRAIL · SECURITY HUB · SSM · EVENTBRIDGE

RESULTS

What changed, by the numbers.

EVIDENCE AUTOMATED: 78% (of 167 controls)

ENGINEER-WEEKS (PREP): 2 (was 24)

CONTROL FAILURES (AUDIT): 0 (clean report)

CONTINUOUS MONITORING: Active (not point-in-time)

HOW IT WENT

The Type I prep had been a sprint of screenshots and CSV exports. Engineers had abandoned other work to assemble evidence in the right format for the auditor. The internal nickname was "screenshot week" and it had lasted three months.

For Type II we built around Audit Manager with assessment frameworks mapped to the trust services criteria. Custom evidence-gathering came from Config (configuration controls), CloudTrail (access controls), and Security Hub (finding-based controls). Anything that couldn’t be auto-captured got an EventBridge-triggered ticket with a runbook.

The auditor team noted the change. Evidence packages were complete, timestamped, and continuously generated rather than backfilled. The engagement closed in twelve weeks instead of the projected twenty. Zero control failures.
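
The manual-evidence fallback described above, sketched as an added example (not code from this engagement): a handler for an EventBridge scheduled event that opens a ticket with a runbook for every manual control whose evidence is missing or older than its cadence, and reports how much of the catalog is automated. The control ids, criteria mapping, cadences, runbook URLs and ticket fields are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

AUTOMATED = {"config", "cloudtrail", "securityhub"}  # sources named in the case study
CADENCE_DAYS = {"monthly": 30, "quarterly": 90}      # assumed review cadences

@dataclass
class Control:
    control_id: str          # constructed identifier
    criterion: str           # trust services criterion the control maps to
    source: str              # one of AUTOMATED, or "manual"
    cadence: str = ""        # manual controls only
    runbook: str = ""        # manual controls only
    last_evidence: str = ""  # ISO 8601 time of the newest evidence, "" if none

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def coverage(controls):
    """Percentage of controls whose evidence is collected without a human."""
    return round(100 * sum(c.source in AUTOMATED for c in controls) / len(controls))

def due_tickets(event, controls):
    """Ticket payloads for manual controls whose evidence is missing or stale."""
    if event.get("detail-type") != "Scheduled Event":
        return []  # only the scheduled rule opens tickets
    now, tickets = _ts(event["time"]), []
    for c in controls:
        if c.source in AUTOMATED:
            continue
        # Fail loudly on a control that would otherwise silently produce no evidence.
        if c.source != "manual" or not c.runbook or c.cadence not in CADENCE_DAYS:
            raise ValueError(f"{c.control_id}: needs a known source, runbook and cadence")
        max_age = timedelta(days=CADENCE_DAYS[c.cadence])
        if not c.last_evidence or now - _ts(c.last_evidence) >= max_age:
            tickets.append({"control": c.control_id, "criterion": c.criterion,
                            "runbook": c.runbook, "opened": event["time"],
                            "reason": "stale" if c.last_evidence else "no evidence"})
    return tickets

# Constructed sample data: ids, criteria mapping and runbook URLs are illustrative.
CONTROLS = [
    Control("CTL-001", "CC6.1", "config"),
    Control("CTL-002", "CC6.2", "cloudtrail"),
    Control("CTL-003", "CC7.2", "securityhub"),
    Control("CTL-004", "CC6.3", "manual", "quarterly",
            "https://wiki.example.com/runbooks/access-review", "2025-01-01T00:00:00Z"),
    Control("CTL-005", "CC1.4", "manual", "monthly",
            "https://wiki.example.com/runbooks/training", "2025-03-20T00:00:00Z"),
]
EVENT = {"source": "aws.events", "detail-type": "Scheduled Event",
         "time": "2025-04-01T00:00:00Z"}  # constructed EventBridge scheduled event
```

Opening the ticket when the evidence goes stale, rather than at audit time, is what keeps manual controls timestamped inside the observation window instead of backfilled.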
