by tptacek 38 days ago
Don't. You are exactly the wrong kind of firm to be pursuing SOC2.

SOC2 is like the corporate GPL of security. It's an infectious secret handshake company security teams swap in lieu of filling out security questionnaires. Nobody savvy takes it seriously.

There will come a time where your business will grow to the point where it makes sense to pay for the secret handshake. The overwhelming most likely scenario in which that happens is a purchase order made contingent on your SOC2 Type I attestation, where the revenue from that purchase order more than pays for the attestation.

Do not ever do a SOC2 speculatively, in the hopes that it will improve your sales prospects. Plenty of successful firms don't have SOC2s. If you're losing sales where SOC2 is a factor, you didn't have those sales to begin with.


I will add a few more things to this:

- Document your data and security and share that with customers instead. You can say "We don't have SOC2 at the moment but here is all our security and data policy". It works 99% of the time for me.

- Very few companies truly have policy to reject a vendor if they don't have SOC2. Those are usually large enterprise or companies in sensitive areas such as Finance/Healthcare etc. Even then, SOC2 can be waived if you can demonstrate everything else.

Disclaimer: I run a bootstrapped SaaS with low 7 figures in ARR and even though we have ISO27001, we don't have SOC2 yet. However, we take our security/data etc. very seriously and have tons of documentation and best practices that we always share with a customer who asks. Honestly, we will get SOC2 at some point just for the checklist as I don't really care too much about them otherwise.

Fully agree, the only downside is without a SOC2 you will be asked to fill out an insane 200+ questionnaire. Good news is you have all these great LLM tools you can have do this work for you, and just check it over.
In my industry they still ask for the questionnaire even if you have a SOC2 report!
Yeah, I get this even with SOC2 Type 2 & ISO 27001 ... the requests never stop.
Just say no. Serious.
That all depends on the balance of power ...
I run a low 7 figures SaaS as well. This is the blurb I answer with when asked about SOC2 (yes, yes, AI generated):

"While we follow industry best practices that align closely with the requirements of SOC2 and similar frameworks, we have chosen not to pursue formal certification at this time. Maintaining multiple certifications and undergoing recurring audits across the various regions in which we operate would significantly increase our operational costs and, consequently, the price of our service."

An extra comment, from someone in an organisation that faced this recently, on dealing with this:

- Be outside the US. "SOC2 is an AICPA certification that is unavailable in this country".

Not sure whether that's actually 100% accurate but they stopped asking after this.

> It works 99% of the time

I would add the caveat "...as long as you have no competition." If you're in a market where alternatives exist, and they have the certification, you're definitely transparently losing sales.

From the enterprise side, I can tell you vendor certification takes an order of magnitude more time/money/effort when the vendor says "we don't have cert X but here's a mountain of drivel you can paw through to try to assess risk." And not just once, but every single year during vendor reviews. It's just not worth it unless you're legitimately bringing something irreplaceable to the table -- to the point where even our executives know to google "companyname SOC2" before even engaging in a conversation.

It depends on your target market. If you only sell to enterprise/large companies, you may need SOC2 sooner than later. If you sell to SMBs or startups, this advice works (I sell in this space mostly).
> I would add the caveat "...as long as you have no competition." If you're in a market where alternatives exist, and they have the certification, you're definitely transparently losing sales.

I wouldn't say that it's definitive, but it creates a big challenge. And they 100% will use it against you.
*Plenty of successful firms don't have SOC2s. If you're losing sales where SOC2 is a factor, you didn't have those sales to begin with.*

We do have ISO27k1, and we had a "customer/prospect for more" with a person that requires us to be "DORA compliant". It is just an excuse, I know, because we don't fall under DORA (the other explanation is that they might be clueless about how it works). They do fall under DORA, so they need to make sure they check that their suppliers basically have ISO27k1 and are following what we wrote in the ISO27k1 documentation.

We got away with not having ISO27k1 for years (filling in forms and proving we are doing good to people that care; I did have to go and talk with CISOs so they trust that I care about stuff), but not since 2025 in Europe. I firmly believe that if we hadn't done ISO27k1 last year, people would just stop talking to us, based on feedback I got from business people (excluding the pure "let's make an excuse" case I wrote about above).

This said, I am not arguing against what tptacek wrote as he is way more experienced than I am, just stating my experience, which is also a decade in SaaS. I am working for a company that has between 20 and 30 employees, so it also makes sense to be ISO27k certified. We deliver B2B to big companies.

Plus, even when you have SOC2 (+pen test, +ISO 27001), you'll still have to fill out questionnaires!
But it is a bit easier if you can copy/paste from your existing documents than scramble to make up stuff ;)
LLMs FTW
Even though I agree SOC2 in practice is of dubious security value, I do think you can lose out on sales if you don't have it. I recently had to choose among a bevy of headless CRM options for a client, and they were adamant that whatever platform we used _had_ to be SOC2 compliant. This narrowed the field significantly and ultimately we went with Strapi solely because of this requirement. I see this come up all the time.

Tools like Vanta (and I'm sure others, Drata maybe, I haven't used them) make SOC2 compliance pretty "easy" in the sense that it's often a mechanical process that doesn't require too much thought. At least for me, it usually involves being in a Slack channel with an auditor, and they're advising you on all the things to do (they want you to "win"/pass, although there is no real pass fail), and then you just need to check the boxes in Vanta.

I have an extended take on things like Drata and Vanta elsewhere in the thread. I think they're great if you know what you're doing, but dangerous if you don't: the expenses they incur are insidious, because they're not the sticker price of the software or the audit, but rather the unnecessary engineering they lead you to do.
+1, and to add to that: this is the correct answer for basically any kind of "enterprise" requirement from a customer as a solo founder.

Don't make anything harder on yourself before you have to, and then at the point that you have to (like needing an authority-to-operate certificate for a classified network), you'll have the resources to be able to get what you need.

As someone who had to cobble together a SOC2 program: this is mostly true. At a large enough firm, SOC2 is useful as a base level of operations integrity which lots of small firms lack.

If you have not reached that level as a firm, a good and recent pen test does the trick.

> in lieu of filling out security questionnaires.

Isn't that no longer an issue in the AI era?

Do you want to trust your company's legal commitment on the output of modern LLMs?
"Move fast and break things" applies even more in business than in software. If you get the revenue and don't suffer a legal penalty, you win. I've worked at companies that didn't outright fake their certifications, but definitely didn't care about following them and just did whatever was needed for the customer to pay up. In fact I'd say that's most companies. This is not a compiler you have to pass, it's a game you play with your customers.
Superwhisper got SOC2 around the same month they hired their first employee.

I would guess they did it for due diligence compliance, not to enhance their security practices. It's a B2B checkbox.