We build SOC 2 practices.
Type I and Type II audits, delivered on the first attempt. For B2B SaaS. Async by default.
Built for the audit, not for the slide deck.
Most SOC 2 readiness work is theatre — a sales kickoff, a policy template pack, and a calendar full of meetings that produce conclusions every senior engineer on your team already had. We do the opposite. We embed with your existing tooling, draft policies against your real stack, wire the evidence collection your auditor will request, and hand you a Type I packet that withstands the walkthrough.
Policies + Annex set
All 28 policies your auditor will request, mapped to the SOC 2 trust criteria (CC1.x through CC9.x). Drafted to your actual stack — not a template you'll spend a month rewriting.
Evidence pipeline
Logging, access reviews, vendor monitoring, change management, and incident response wired into the tooling you already operate. Auditor-readable from day one of fieldwork.
Pre-audit walkthrough
A full Type I dry run against the trust criteria before the real auditor arrives. The gaps that would have produced a qualified opinion get closed before they cost you the report.
Most readiness work is overpriced or underdelivered.
Vanta and Drata sell platforms that automate evidence collection. They are excellent at that and we use them in many engagements. They do not draft your policies, defend them in the auditor walkthrough, or remediate your control gaps. Big-four consultancies will run the full engagement — for six figures, three months of meetings, and a rotating bench of junior staff. We sit between: principal-led, fixed-scope, async-by-default. Designed for technical founders who want SOC 2 done by someone who understands what their auditor is looking at.
Start with a scoping memo.
Send a brief describing your current SOC 2 state and target audit date. You'll receive a written scoping plan and fixed quote within two business days — yours to keep, regardless of whether you engage us.