Terminal.skills
Use Cases/Prepare Your Startup for SOC 2 Compliance with AI

Prepare Your Startup for SOC 2 Compliance with AI

Run a gap analysis against SOC 2 trust service criteria and generate a prioritized remediation plan from your codebase.

Development#security#owasp#vulnerabilities#audit#secrets
Works with:claude-codeopenai-codexgemini-clicursor
security-audit
cicd-pipeline
code-reviewer
$

The Problem

The sales team just lost a $240K annual contract because the prospect required SOC 2 Type II certification. "Come back when you're certified." That conversation has happened three times this quarter — $420K in potential ARR sitting behind a compliance checkbox.

Enterprise buyers don't negotiate on SOC 2. It gates the conversation. Without it, a startup doesn't even get to demo.

SOC 2 consultants charge $30,000-80,000 and the process takes 6-12 months. For a startup with 8 engineers and $2M runway, that's a brutal combination of expensive and slow. The audit examines five trust service criteria across the entire infrastructure. Most startups discover they're failing 40-60% of controls on day one — and the hardest part isn't fixing things, it's knowing what needs fixing. The codebase has no access logging, CI/CD has no approval gates, encryption at rest isn't configured, and the data retention policy doesn't exist.

The Solution

Using the security-audit, cicd-pipeline, and code-reviewer skills, the approach is to run a gap analysis against actual code and infrastructure (not a theoretical checklist), map every failing control to specific files and configurations, implement the technical fixes that cover the most controls, and generate auditor-ready evidence documentation.

Step-by-Step Walkthrough

Step 1: Run the SOC 2 Gap Analysis

Analyze this codebase against SOC 2 Type II criteria. Focus on security,
availability, and confidentiality.

The gap analysis maps each trust service criterion to the actual state of the codebase:

Security (CC6.x):

ControlStatusFinding
CC6.1 — Logical accessFailingNo RBAC — all authenticated users can access all endpoints
CC6.3 — Audit loggingFailingNo logging for data access events
CC6.6 — Encryption at restWarningUsing default DB settings, encryption not confirmed
CC6.7 — Encryption in transitPassingTLS 1.2+ enforced across all endpoints

Availability (A1.x):

ControlStatusFinding
A1.1 — MonitoringFailingNo health checks, no monitoring, no status page
A1.2 — RecoveryFailingSingle-region deployment, no verified backups

Confidentiality (C1.x):

ControlStatusFinding
C1.1 — Data classificationFailingPII mixed with non-sensitive data, no field-level controls
C1.2 — Data retentionFailingNo retention or deletion policy exists

Bottom line: 4 out of 18 controls passing. Estimated remediation: 14-18 engineering days.

This is where most startups stall — they see the list and feel overwhelmed. But the controls aren't equal. Some take 30 minutes to implement and cover multiple criteria. Others require a 30-day evidence collection window that should start immediately.

Step 2: Implement Audit Logging

Add audit logging that satisfies CC6.3 — who accessed what, when, from where.

Audit logging is the highest-leverage fix because it satisfies CC6.3 directly and provides evidence for several other controls. The middleware captures every data access event:

typescript
// src/middleware/audit-logger.ts
interface AuditEvent {
  userId: string;
  action: 'CREATE' | 'READ' | 'UPDATE' | 'DELETE';
  resource: string;
  ipAddress: string;
  userAgent: string;
  timestamp: Date;
}

// Append-only table, partitioned by month, 90-day retention
// Sample entry:
// {"userId":"usr_8f2a","action":"READ","resource":"customers","ip":"10.0.1.45"}

The audit logger gets wired into all 23 route files. The audit_logs table is append-only — no UPDATE or DELETE permissions, even for admins. Partitioned by month for query performance and set to 90-day retention by default.

CC6.3: now passing.

Step 3: Add Role-Based Access Control

Implement RBAC: admin (full access), manager (team data), member (own data only).

The RBAC middleware is 94 lines and enforces a three-tier permission matrix across all 34 API routes:

  • member — can only access their own data
  • manager — can read team-level data, cannot modify system settings
  • admin — full access to all resources

Eighteen tests verify the permission boundaries:

typescript
// Permission enforcement examples:
// member cannot access other users' data -> 403 + audit log entry
// manager reads team data, cannot modify settings -> 403
// unauthorized request -> 403 + audit log entry (not 401, to avoid leaking endpoint existence)

Every permission denial generates an audit log entry — the audit logging from Step 2 automatically captures access control evidence.

CC6.1: now passing.

Step 4: Harden CI/CD for Change Management

Update CI/CD to meet SOC 2 change management: required reviews, security scan,
approval gate, deploy audit trail.

SOC 2 change management (CC8.1) requires that every production change is reviewed, approved, and logged. The CI/CD pipeline gets four additions:

  • Branch protection: 1 approving review required, status checks must pass, signed commits enforced, no direct push to main
  • Security gates: SAST scan and CVE dependency check run on every PR
  • Production approval: Deploy requires explicit approval in the pipeline
  • Deploy audit trail: Every deployment is logged with version, deployer, approver, and timestamp
json
{
  "version": "v2.14.0",
  "deployer": "carlos@co",
  "approver": "sarah@co",
  "timestamp": "2026-02-17T14:23:01Z",
  "status": "success"
}

A weekly compliance check verifies that branch protection rules are still active and flags any bypass attempts — because someone disabling branch protection for a "quick fix" would break the control.

CC8.1: now passing.

Step 5: Generate the Compliance Evidence Report

Generate a SOC 2 readiness report with compliance status and auditor-ready evidence.

After four days of implementation work, the compliance posture looks fundamentally different:

Trust CriteriaBeforeAfter
Security2/8 passing7/8 passing
Availability1/4 passing3/4 passing
Confidentiality0/4 passing3/4 passing
Overall4/18 (22%)15/18 (83%)

Three items remain:

  • Vendor risk assessment — 2 days of work, reviewing third-party service security postures
  • Disaster recovery test — 1 day, document a recovery procedure and execute it
  • Data deletion evidence — requires a 30-day evidence window (start this immediately)

The readiness report includes all evidence an auditor will ask for: audit log samples, RBAC documentation, CI/CD configuration exports, encryption certificates, and the deploy audit trail.

Real-World Example

The CTO ran the three-skill analysis on Monday. The gap analysis found 14 of 18 controls failing. By Wednesday, audit logging, RBAC, and encryption were in place — 8 controls fixed. Thursday, CI/CD hardened with approval gates and deploy audit trails — 3 more controls. Friday, the remaining manual items were documented and the 30-day evidence collection window started.

The startup engaged an auditor three weeks later with the auto-generated readiness report. The auditor's comment: "surprisingly mature controls for this size company." The observation period started immediately — no remediation delays.

Five months later: SOC 2 Type II report in hand. Total cost: $12,000 in auditor fees instead of the $55,000 consultant quote. First enterprise deal closed within two weeks of certification — a $180K annual contract that pays for the entire compliance effort six times over.