Compliance platforms track evidence. We do the work behind the evidence.
Every B2B SaaS founder who has pursued SOC 2 knows the story. You buy Vanta or Drata. The dashboard turns green. You feel compliant. Then the auditor asks for the penetration test report, the access review records, and the evidence of incident response exercises — and the dashboard has no answer.
Compliance automation platforms are excellent at tracking what you have. They cannot perform the underlying technical security work your auditor expects. That is where Valtik comes in. We do the security work. Your compliance platform tracks it. Your auditor accepts it.
What we cover
Technical penetration testing
Most SOC 2 auditors require or strongly recommend annual penetration testing as evidence for CC6 (Logical and Physical Access) and CC7 (System Operations). We perform the test, produce the report, and map findings directly to the Trust Services Criteria the auditor will evaluate.
Access control review
- Privileged account inventory and least-privilege validation
- MFA coverage audit across all systems (not just the primary IdP)
- Service account hygiene and secret rotation
- Dormant account identification and remediation
- Quarterly access review process design and template delivery
Encryption audit
- TLS configuration review across all public endpoints
- Encryption-at-rest validation in AWS, GCP, Azure, and SaaS vendors
- Key management posture review (KMS usage, rotation cadence, HSM where applicable)
- Secret management implementation review (Vault, AWS Secrets Manager, Doppler, etc.)
Logging and monitoring validation
- Centralized logging coverage (are security-relevant events actually captured?)
- Log retention verification per policy commitments
- Alerting rule review for security events
- SIEM integration validation where applicable
Incident response exercise
Live tabletop exercise simulating a realistic incident (compromised credential, ransomware attempt, data exfiltration). Identifies gaps in your IR plan, trains your team, and produces documentation the auditor can accept as evidence.
Vendor risk management
Review of your vendor inventory, assessment templates, and evidence of actual vendor reviews. Most SOC 2 failures on first audit come from vendor risk management being "on the roadmap" instead of operationalized.
Policy library gap analysis
Review of your written policies against SOC 2 requirements. We work with your compliance platform's policy templates and customize them to match your actual operational reality — because policies that do not match reality are the number one source of audit exceptions.
Timeline
| Phase | Duration | Key outputs |
|---|---|---|
| Scoping and kickoff | Week 1 | Scoping document, Trust Services Criteria selection, evidence collection plan |
| Gap analysis | Weeks 2-3 | Control-by-control assessment against your selected TSC categories |
| Penetration testing | Weeks 4-6 | Internal and external testing, full findings report with TSC mapping |
| Remediation | Weeks 5-10 | Parallel track with testing; we advise and you execute |
| Evidence collection | Weeks 10-12 | Evidence packages ready for auditor handoff |
| Audit handoff | Week 12+ | Introduction to auditor, evidence package transfer, audit begins |
Which Trust Services Criteria to include
SOC 2 always requires Security (the Common Criteria). You select additional criteria based on what your customers ask about. The combinations we see most often in B2B SaaS engagements:
- Security + Availability + Confidentiality — standard for 80% of B2B SaaS
- Security + Availability + Confidentiality + Privacy — required for platforms handling consumer or health PII
- Security + Availability + Confidentiality + Processing Integrity — required for financial and payment platforms
SOC 2 Type I or Type II?
Type I attests that your controls exist and are designed appropriately as of a specific date. Fast path. Limited credibility with enterprise buyers. Most startups use it as a stepping stone to Type II.
Type II attests that your controls existed, were designed appropriately, AND operated effectively over a period (3-12 months, 6 months standard). This is the real report enterprise buyers want.
Our default recommendation: get Type I in month 3-4 after readiness to answer immediate sales requirements, then Type II covering the next 6-month observation period for the long-term report.
ISO 27001 path if you sell globally
If your customers are EU, UK, or APAC-heavy, SOC 2 is less recognized than ISO 27001. We run combined readiness assessments for companies pursuing both frameworks. The control overlap is substantial, and the incremental cost of adding ISO 27001 after SOC 2 is much lower than starting from scratch. See our ISO 27001 vs SOC 2 comparison for the full decision framework.
Why Valtik
We run SOC 2 readiness as a security engagement, not a compliance engagement. The difference matters. A compliance-led readiness produces binders. A security-led readiness produces an environment that is actually more secure, with documentation that happens to also pass audit.
Our operators have breached enough SOC 2-certified environments to know which controls survive contact with a motivated attacker. We tune the readiness work toward controls that will actually reduce risk — not just pass a checklist.
Common questions
Do we need Valtik if we have Vanta?
Yes. Vanta tracks evidence; it does not generate the evidence. You still need penetration testing, access reviews, incident response exercises, and the technical security work behind the checkboxes. That is what Valtik does.
Can you help with the audit itself?
We do not perform the audit — that would be a conflict of interest. We prepare you for it, recommend auditors we have seen run tight engagements, and stay engaged during the audit to answer technical questions from the auditor on your behalf.
What if the readiness assessment finds major gaps?
We expect it to find gaps — that is the point. We categorize findings as immediate blockers (must fix before audit), near-term (fix during observation period), and advisory (track in your security roadmap). Nobody goes into a first SOC 2 audit with zero gaps identified.
