SOC 2
What it is — SOC 2 (System and Organization Controls 2) is a framework developed by the American Institute of Certified Public Accountants (AICPA) for managing customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type II reports assess whether an organization’s controls operated effectively over a period of time (typically 6–12 months).
AppSec relevance — Several Common Criteria (CC) within the Trust Services Criteria require vulnerability management, system monitoring, and risk assessment — areas where DAST and ASM provide direct evidence for auditors.
How Detectify Supports SOC 2
| Trust Services Criterion | What it requires | Detectify Capability | Coverage |
|---|---|---|---|
| CC3.2 | The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed | CVSS-based vulnerability scoring, categorization by CWE and OWASP Top 10, historical trend data across scheduled scans. Covers web and API vulnerability risk; broader operational and business risks require additional assessment | Partial |
| CC7.1 | The entity uses detection and monitoring procedures to identify configuration changes that introduce new vulnerabilities | 24/7 Surface Monitoring with change detection, scheduled vulnerability scanning, integrations for alerting (Slack, PagerDuty, Jira, ServiceNow) | Full |
| CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets | Detects authentication bypass (CWE-287, CWE-306), access control vulnerabilities (CWE-284, CWE-285), and authorization flaws (CWE-862, CWE-863) | Partial |
| CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries | Application Scanning and API Scanning detect exploitable vulnerabilities in internet-facing systems; Surface Monitoring identifies exposed services | Full |
| CC7.2 | The entity monitors system components for anomalies that indicate malicious acts, natural disasters, or errors | Surface Monitoring detects changes in external attack surface (new domains, ports, technologies); not a full system monitoring solution | Partial |
| CC8.1 | The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes | API-triggered scanning in CI/CD detects vulnerabilities introduced by changes; does not replace change management processes | Partial |
| CC6.3 | The entity authorizes, modifies, or removes access to data and technology based on roles | Detects access control vulnerabilities but does not implement RBAC. Note: Detectify itself provides multi-team RBAC for its own platform | Partial |
What Detectify Covers
Detectify provides strong evidence for SOC 2 controls related to vulnerability management (CC3.2), security monitoring (CC7.1), and external threat mitigation (CC6.6). Scheduled scans with historical data demonstrate ongoing risk assessment. Surface Monitoring’s continuous asset tracking supports system monitoring requirements (CC7.2).
SOC 2 auditors look for evidence that vulnerability management is an ongoing process, not a point-in-time exercise. Detectify’s scheduled scanning, finding lifecycle tracking, and historical reporting provide this evidence.
The organizational controls (CC1.x, CC2.x, CC5.x) that cover governance, communication, and control activities are outside the scope of technical security testing tools.
Complementary Tools You May Need
- GRC platform — For CC1.x governance and CC5.x control activities documentation
- SIEM — For comprehensive CC7.1–CC7.2 security event monitoring
- IAM — For CC6.1 logical access implementation
- Change management — For CC8.1 change control processes
- Endpoint and network security — For CC6.6 protection beyond web applications
- SAST — For code-level vulnerability analysis