What we cover, and what we don't.

Honest scope. We'll tell you in week one if your stack or trust criteria are outside our experience.


Trust Services Criteria

Craine Technical delivers against the AICPA Trust Services Criteria as scoped for your engagement. All engagements include Security; Availability, Confidentiality, Processing Integrity, and Privacy are added based on your customer commitments.

  • CC1 — Control Environment
  • CC2 — Communication & Information
  • CC3 — Risk Assessment
  • CC4 — Monitoring Activities
  • CC5 — Control Activities
  • CC6 — Logical & Physical Access
  • CC7 — System Operations
  • CC8 — Change Management
  • CC9 — Risk Mitigation

Stacks we know

Craine Technical drafts controls against the production stacks listed below. Engagements run faster when the stack is familiar; we'll tell you before scoping if yours isn't.

AWS · GCP · Azure
Kubernetes · Nomad · ECS
GitHub · GitLab
Datadog · Sumo · CloudWatch
Okta · WorkOS · Auth0
Postgres · Snowflake · BigQuery

Partner auditors

Who issues your report.

Craine Technical is a readiness firm. The SOC 2 attestation report itself is issued by an independent CPA firm. We coordinate with established auditors during fieldwork and can refer clients to firms we've worked alongside, including A-LIGN, Schellman, KirkpatrickPrice, and Prescient Assurance. You're welcome to use your own auditor if you have an existing relationship — our process accommodates either path.

Out of scope

What we don't do.

We don't deliver SOC 1, ISO 27001, FedRAMP, or HITRUST. Adjacent frameworks share controls with SOC 2 but require different artifacts and different auditor relationships. If you need those, we'll refer you to firms we trust.

We don't act as your auditor. Craine Technical is a readiness firm. The SOC 2 attestation report is produced by an independent CPA firm — we coordinate with them, we don't replace them.

We don't sell platforms. We work with Vanta and Drata when the fit is right. We're not a reseller, we're not on commission, and we'll tell you when the platform isn't worth the line item.

Cost frame

The market, named.

Comparable readiness engagements at the three tiers of the market. Pricing reflects readiness consulting only — the audit fee is separate and goes to your independent CPA firm.

BIG FOUR READINESS
$40,000 – $80,000
  • 10–14 weeks
  • Rotating team of 3–5
  • Firm-name premium

Best when you need a recognizable firm's name on the procurement document. Cost reflects firm overhead rather than deliverable depth.

BOUTIQUE READINESS FIRMS
~$18,000 typical
  • 14–22 weeks
  • One consultant + handoffs
  • Established track record

Reliable for standard scope. Slower because the lead consultant manages multiple engagements in parallel, with junior associates handling drafting.

CRAINE TECHNICAL
$8,500 – $18,500
  • 6–10 weeks
  • One principal, start to finish
  • Engineered artifacts

Fixed-scope pricing, async-first communication, no handoffs, no team rotation, no scope creep. Designed for technical founders who want SOC 2 done by someone who understands their auditor's questions.

Sample deliverable

Control mapping matrix excerpt.

From the template library used in Type I readiness engagements. Each engagement produces a matrix customized to the client's stack, scoped trust criteria, and risk surface. The excerpt below spans the access control (CC6), system operations (CC7), and change management (CC8) sections of the AICPA 2017 Trust Services Criteria.

| Criterion | Control ID | Implementation | Evidence Source | Cadence |
|---|---|---|---|---|
| CC6.1 | CRA-AC-001 | Multi-factor authentication enforced on all production and administrative systems via SSO with WebAuthn or TOTP second factor. | IdP admin export; SSO configuration snapshot | Monthly |
| CC6.2 | CRA-AC-002 | New user access requires documented manager approval prior to provisioning; ticketed workflow with automated provisioning hooks. | Joiner tickets with approval timestamps | Per onboarding event |
| CC6.2 | CRA-AC-003 | Access revocation within 24 hours of termination via HRIS-to-IdP integration; offboarding checklist with named owner. | HRIS termination record; IdP deactivation log | Per offboarding event |
| CC6.3 | CRA-AC-004 | Role-based access control with documented job-to-role mapping; least privilege enforced via IdP group membership and IaC-defined IAM policies. | Role mapping document; IAM policy export | Quarterly |
| CC6.6 | CRA-AC-005 | Quarterly user access reviews; manager attestation required for continued access; revocations tracked through standard change tickets. | Signed review attestations; revocation tickets | Quarterly |
| CC7.2 | CRA-OP-001 | Centralized log aggregation across application, infrastructure, and security domains with 365-day hot retention and longer-term archival. | Log platform configuration; retention policy and archival policy exports | Annual configuration review |
| CC7.3 | CRA-OP-002 | Documented incident response procedure with severity classification, on-call rotation, and required postmortem within 5 business days of resolution. | IR runbook; on-call schedule; postmortem records | Quarterly tabletop; per incident |
| CC8.1 | CRA-CM-001 | All production code changes require reviewed pull request and passing CI; branch protection enforced on main with required approvals. | Repository branch protection settings; PR audit trail; CI run records | Quarterly review of branch protection settings |

Tool categories shown are stack-agnostic. Actual deliverables reference your specific IdP, HRIS, log platform, and repository tooling. Control ID prefix (CRA-) is the firm's internal namespace; client-side ID conventions may differ.
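As an added illustration of how the evidence for one row of the matrix can be checked mechanically (this is example code, not a Craine Technical deliverable), the script below joins constructed HRIS termination records to constructed IdP deactivation events and reports whether each leaver's access was revoked within the 24-hour window that CRA-AC-003 (CC6.2) commits to. Field names, event names and timestamps are assumptions chosen for the example; a real export would use the client's IdP and HRIS schemas.

```python
"""Evidence check for CRA-AC-003 (CC6.2): access revoked within 24 hours of termination."""
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)  # the 24-hour commitment stated in the control

# Constructed sample: HRIS termination export (employee id, effective time, UTC)
HRIS_TERMINATIONS = [
    {"employee_id": "E1001", "terminated_at": "2024-03-04T17:00:00Z"},
    {"employee_id": "E1002", "terminated_at": "2024-03-05T09:30:00Z"},
    {"employee_id": "E1003", "terminated_at": "2024-03-06T12:00:00Z"},  # never deactivated
]

# Constructed sample: IdP audit log; event names are hypothetical
IDP_EVENTS = [
    {"employee_id": "E1001", "event": "user.deactivate", "at": "2024-03-04T17:20:00Z"},
    {"employee_id": "E1002", "event": "user.login", "at": "2024-03-05T10:00:00Z"},
    {"employee_id": "E1002", "event": "user.deactivate", "at": "2024-03-06T11:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def revocation_results(terminations, idp_events, sla=SLA):
    """Return one result per leaver: status is 'ok', 'late' or 'missing'.

    Only the earliest deactivation event per employee counts; logins and other
    events are ignored. A deactivation before the HRIS effective time is 'ok'.
    """
    first_deactivation = {}
    for ev in idp_events:
        if ev["event"] != "user.deactivate":
            continue
        ts = parse_ts(ev["at"])
        eid = ev["employee_id"]
        if eid not in first_deactivation or ts < first_deactivation[eid]:
            first_deactivation[eid] = ts

    results = []
    for rec in terminations:
        eid = rec["employee_id"]
        deact = first_deactivation.get(eid)
        if deact is None:
            results.append({"employee_id": eid, "lag_hours": None, "status": "missing"})
            continue
        lag = deact - parse_ts(rec["terminated_at"])
        status = "ok" if lag <= sla else "late"
        results.append({"employee_id": eid, "lag_hours": round(lag.total_seconds() / 3600, 2), "status": status})
    return results
```

Rows with status `late` or `missing` are the exceptions an auditor will ask about; attaching the source HRIS record and IdP log line for each one is what turns the check into evidence.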

Begin an engagement

Start with a scoping memo.

Send a brief describing your current SOC 2 state and target audit date. You'll receive a written scoping plan and fixed quote within two business days — yours to keep, regardless of whether you engage us.