Day 0 — kickoff
We need three things before the clock starts:
- Read-only access to the staging environment
- Org chart + control owners — who answers questions about identity, change management, BC/DR
- Last audit report (if any) — we won't repeat work that's still valid
Day 1–4 — automated baseline
Nessus, ZAP and Burp Suite Pro run in parallel. Cloud configuration is audited against the relevant CIS Benchmark. TLS is checked with SSL Labs and HTTP security headers are swept across every exposed host. Output goes into a tracker; severity at this stage is preliminary and gets re-rated during manual review.
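The header sweep and the "severity is preliminary" tracker hand-off, as an added illustration that is not the firm's own tooling: it parses the head of each HTTP response, flags missing or weak security headers, assigns a starting severity, and emits sorted tracker rows. The hostnames, sample responses, header list and the six-month HSTS threshold are all constructed for the example.

```python
"""Security-header sweep that feeds a findings tracker with preliminary severity.

Added example, not code from the original page. Hostnames, responses and
thresholds below are constructed; swap in real sweep output to use it.
"""
import re
from dataclasses import dataclass

# Headers expected on every HTTPS response, with the preliminary severity
# assigned when one is missing. These ratings are a starting point only;
# the manual-review phase re-rates them against actual exposure.
EXPECTED_HEADERS = {
    "strict-transport-security": "medium",
    "content-security-policy": "medium",
    "x-content-type-options": "low",
    "x-frame-options": "low",
    "referrer-policy": "low",
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}
MIN_HSTS_MAX_AGE = 15552000  # six months in seconds (assumed baseline threshold)


@dataclass
class Finding:
    host: str
    check: str
    severity: str
    detail: str


def parse_response_head(raw):
    """Split an HTTP response head into (status_code, {lower-case name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header, or 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def check_host(host, raw):
    """Produce preliminary findings for one host from its raw response head."""
    _, headers = parse_response_head(raw)
    findings = []
    for name, severity in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(Finding(host, name, severity, "header missing"))
    if "strict-transport-security" in headers:
        age = hsts_max_age(headers["strict-transport-security"])
        if age < MIN_HSTS_MAX_AGE:
            findings.append(Finding(host, "strict-transport-security", "low",
                                    f"max-age={age} is below {MIN_HSTS_MAX_AGE}"))
    xcto = headers.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(Finding(host, "x-content-type-options", "low",
                                f"unexpected value {xcto!r}"))
    return findings


def tracker_rows(findings):
    """Render findings as tab-separated tracker rows, highest preliminary severity first."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.check))
    return [f"{f.severity}\t{f.host}\t{f.check}\t{f.detail}" for f in ordered]


# Constructed sample response heads standing in for real sweep output.
SAMPLE_RESPONSES = {
    "app.example.test": """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
""",
    "api.example.test": """HTTP/1.1 200 OK
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
""",
}


def sweep(responses=SAMPLE_RESPONSES):
    """Run the header checks over every host and collect the findings."""
    findings = []
    for host, raw in responses.items():
        findings.extend(check_host(host, raw))
    return findings


if __name__ == "__main__":
    for row in tracker_rows(sweep()):
        print(row)
```

The point of the fixed severity table is that the automated phase never claims to be the final word: a missing CSP on a static marketing page and a missing CSP on the admin panel both enter the tracker as "medium", and the analysts adjust from there.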
Day 5–8 — manual review
Senior analysts walk the authentication flow, the privileged operations, the data-export endpoints and the admin panel by hand. Findings are reviewed against the SOC 2 trust services criteria. Anything that maps to CC6 (logical access), CC7 (system operations), CC8 (change management) or A1 (availability) gets an explicit narrative paragraph.
Day 9–11 — remediation pairing
We drop into the customer's chat and pair with their engineers on fixes. Our role is reviewer, not implementer. The customer ships fixes; we validate.
Day 12–13 — re-test + report
Final scan to confirm closure. Severity-ranked PDF generated, with framework-mapped narrative paragraphs ready for the auditor.
Day 14 — certificate
Signed, date-stamped certificate in the customer's hand. If the deal closes by end of day, we did our job.
Why this works
SOC 2 isn't a 14-day project — it's a years-long posture commitment. But for the evidence package the auditor wants in a Type II review, two weeks of focused work covers it. The trick is bringing senior analysts who've done this enough times to know what's required and what's noise.