SOC 2 is a sales document that happens to be about security. That sounds cynical, but it’s the framing that makes a 90-day plan rational: 83% of enterprise buyers now require SOC 2 from their SaaS vendors, 91% at companies with 5,000 or more employees, per Vanta’s State of Trust data. The same source reports that 67% of certified startups closed deals specifically because they had SOC 2, at a median deal size of $120K. When a six-figure contract is parked behind a security questionnaire, compliance stops being overhead and starts being pipeline.
Why SOC 2 is pipeline, not overhead
Ninety days is enough to get a focused SaaS team to a Type I report. Not comfortable. Enough. It works when you run the project like an engineering sprint with a fixed scope, and it fails when you treat it as a documentation exercise floating alongside feature work. We’re gmware, a custom software development firm in Austin, TX with engineering centers in Bangalore and Mohali, India, and SOC 2 prep lands on our desk in two shapes: teams racing a deal deadline, and teams cleaning up after flunking a buyer’s questionnaire. This plan is written for the first group, and to keep you out of the second.
Here’s the shape of the 90 days; the rest of this post fills in the detail.
| Phase | Weeks | What gets done |
|---|---|---|
| Scope and gap assessment | 1 to 3 | Pick your Trust Services Criteria, inventory systems, run the gap analysis, shortlist platform and auditor |
| Remediate and automate | 4 to 9 | Close control gaps, wire evidence collection into your SDLC |
| Audit | 10 to 13 | Pen test, readiness review, Type I fieldwork, then start the Type II window immediately |
The 90 days, in three phases
Why enterprise buyers require SOC 2
Because it outsources their vendor risk review. An enterprise security team can’t deep-audit every SaaS tool the business buys, so procurement standardizes on an independent report: show us a SOC 2 and we’ll skip the bespoke interrogation. That’s why the requirement climbs with company size. Bigger companies buy more software and have less patience per vendor. The demand is visible in the tooling market too: compliance automation grew from $850M in 2025 to a projected $1.3B in 2026.
A SOC 2 report doesn’t prove you’re secure. No report can. It proves you run the controls you claim to run, verified by a third party, and for procurement that’s the difference between “trust us” and “here’s the evidence.” The report usually pays for itself in shortened sales cycles long before it prevents an incident.
(Pedants will tell you SOC 2 is an attestation, not a certification. The pedants are right. It changes nothing about your sales cycle.)
Type I vs Type II: which report buyers accept
Type I attests that your controls were designed and in place on a specific date. Type II attests that they operated over an observation window. That makes Type I the fast one (it’s what this 90-day plan produces) and Type II the durable one buyers treat as the real answer.
| Report | What it attests | When you can have it | What buyers do with it |
|---|---|---|---|
| Type I | Controls designed and in place at a point in time | At the end of this 90-day plan | Accept it to keep a deal moving, usually with a Type II commitment attached |
| Type II | Controls operated effectively over an observation window | After Type I, plus the window you agree with your auditor | Treat it as the standing answer; expect a fresh one every year |
Type I vs Type II at a glance
Most buyers with a deal in flight will take a Type I plus a dated commitment to Type II. So make the move that costs nothing and saves a quarter: start your Type II observation window the same week your Type I lands. The window only counts while evidence is being collected, so every week you delay the start is a week added to the far end.
What SOC 2 actually costs
Two of the cost lines can be benchmarked and two have to be quoted. The benchmarkable ones: a standalone risk assessment runs $1K to $5K at market rates, and a penetration test runs $3K to $15K for a small-company scope, with the broader market norm at $5K to $35K once web, API, mobile, network, and cloud scopes stack up.
The two cost lines you can benchmark
| Cost line | What it covers | What we can benchmark |
|---|---|---|
| Gap / risk assessment | Where you stand against the criteria | $1K to $5K |
| Penetration test | Expected by most auditors and buyers | $3K to $15K small scope; $5K to $35K market norm |
| Compliance automation platform | Evidence collection, monitoring, policy templates | Annual subscription, quote-driven |
| Auditor (licensed CPA firm) | Readiness review plus the audit itself | Quote-driven; scope and window length set the price |
| Engineering remediation | SSO, MFA, logging, access reviews, offboarding | The biggest variable: your gap count times your stack |
| Ongoing operation | Keeping evidence green after the report | Managed-IT providers price SOC 2 support at $25 to $60 per user/month, a 20-40% bump |
You’ll notice we haven’t quoted platform or auditor fees. They move with headcount, integrations, and audit window, and any post that hands you a single number without asking scoping questions is guessing. Get two or three quotes for each, since the spread itself is informative. The line that actually blows budgets is remediation, and that’s precisely the line the 90-day plan exists to control.
The 90-day plan, week by week
This plan assumes one accountable owner, scope limited to the Security criteria (add Availability or Confidentiality later if buyers push), and engineers with real allocation, not nights and weekends.
| Weeks | Focus | Done looks like |
|---|---|---|
| 1 to 2 | Scope and inventory: systems, data flows, vendors, access | Scope doc written; platform and auditor shortlisted |
| 3 | Gap assessment against the Security criteria | Ranked gap list with effort estimates |
| 4 to 6 | Identity: SSO everywhere, MFA enforced, RBAC, automated offboarding | No shared logins; access maps to roles |
| 7 to 8 | SDLC and infrastructure: branch protection, change management through PRs, centralized logging, alerting, backups | Deploys leave evidence without anyone trying |
| 9 | Policies, vendor register, first access review | Policies people have actually read; vendor list with agreements attached |
| 10 | Penetration test; fix the criticals | Clean retest on critical findings |
| 11 to 12 | Readiness review with the auditor; close evidence gaps | No surprises left on the list |
| 13 | Type I fieldwork | Report in hand; Type II window starts |
Weeks 4 to 6 are where plans die. SSO rollouts touch every team and every tool, and the long tail of apps that gate SSO behind a plan upgrade (the “SSO tax”) surfaces real money nobody budgeted. Have that fight in week 1, not week 5, or the schedule slips a month while procurement argues with your IdP vendor.
Where Vanta and Drata stop
Compliance automation platforms earn their fee. They integrate with your cloud, identity provider, and repos; they monitor controls continuously; they collect evidence automatically and replace the screenshot-folder quarter that used to eat an engineer whole. The category’s growth tells you how many teams decided the subscription beats the manual version.
What the platforms don’t do is implement anything. The dashboard tells you MFA isn’t enforced on three admin accounts; an engineer still has to enforce it without breaking the deploy pipeline. It flags overdue access reviews; someone still has to run them, document exceptions, and revoke what fails. In the SOC 2 work we’ve done, the split is consistent: the platform handles watching, engineers handle changing. Buy the platform, and staff the other half, because the audit happens on the other half.
What evidence engineering is
Evidence engineering is building your SDLC so audit evidence generates itself as a side effect of normal work. It’s the difference between a sprint you survive once and a control set that runs cheaply forever. Concretely: change management becomes pull requests with required review and CI gates, which you already run, so the evidence is your git history. Access reviews become a scheduled job that exports who-has-what into a ticket, and the review is the ticket trail. Offboarding becomes an automation triggered by your HR system instead of a checklist someone remembers most of the time. Logs ship to one place, retention set once.
Do this and the Type II window, the part teams dread, turns boring, because none of the evidence was ever hand-made. Skip it and you’ve signed up to re-run the screenshot quarter annually. In our view this is the only part of SOC 2 that’s a genuine engineering problem, and it’s the part worth doing well.
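As an added illustration of the access-review job described above (example code, not gmware's or any platform's), this script takes an access export and an HR roster and emits a ticket-shaped record of every exception a reviewer must revoke or document; the ticket trail is the control's evidence. The account names, dates, the 90-day dormancy threshold and the "active" HR status are constructed assumptions.

```python
from datetime import date

# Constructed sample data, standing in for an IdP or cloud access export.
TODAY = date(2025, 3, 10)
ACCOUNTS = [
    {"user": "ana", "role": "admin", "mfa": True, "last_login": date(2025, 3, 1)},
    {"user": "ben", "role": "admin", "mfa": False, "last_login": date(2025, 3, 2)},
    {"user": "cat", "role": "engineer", "mfa": True, "last_login": date(2024, 11, 15)},
    {"user": "dan", "role": "engineer", "mfa": True, "last_login": date(2025, 2, 28)},
]
# Constructed HR roster; any status other than "active" is the offboarding trigger.
HR_ROSTER = {"ana": "active", "ben": "active", "cat": "active", "dan": "terminated"}

def review_access(accounts, roster, today, dormant_days=90):
    """Compare an access export against HR and policy; return a ticket-shaped dict."""
    # Every finding is something the reviewer must revoke or document as an
    # exception, so the ticket trail becomes the control's operating evidence.
    findings = []
    for acct in accounts:
        user = acct["user"]
        status = roster.get(user, "unknown")
        if status != "active":
            findings.append({"user": user, "check": "offboarding",
                             "detail": f"HR status is {status!r} but the account is still enabled"})
        if acct["role"] == "admin" and not acct["mfa"]:
            findings.append({"user": user, "check": "mfa", "detail": "admin role without MFA enforced"})
        idle = (today - acct["last_login"]).days
        if idle > dormant_days:
            findings.append({"user": user, "check": "dormant", "detail": f"no login for {idle} days"})
    return {
        "title": f"Quarterly access review {today.isoformat()}",
        "reviewed": len(accounts),
        "findings": findings,
        "status": "needs_action" if findings else "clean",
    }

def render_ticket(ticket):
    """Format the ticket body the job would post to the tracker, one line per finding."""
    lines = [ticket["title"], f"Accounts reviewed: {ticket['reviewed']}"]
    lines += [f"- [{f['check']}] {f['user']}: {f['detail']}" for f in ticket["findings"]]
    lines.append(f"Status: {ticket['status']}")
    return "\n".join(lines)

def run_review():
    """Entry point the scheduler calls; returns this run's ticket."""
    return review_access(ACCOUNTS, HR_ROSTER, TODAY)

if __name__ == "__main__":
    print(render_ticket(run_review()))
```

Wire `run_review` to a scheduler and post `render_ticket` output to your tracker; the closed ticket, with each finding revoked or marked as a documented exception, is what the auditor samples.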
When 90 days is the wrong target
Often, honestly. If you don’t have SSO and the budget fight for it hasn’t happened yet, that fight is your real timeline. If your product sprawls across legacy infrastructure nobody fully maps, weeks 1 to 3 will uncover scope that doesn’t fit in 13 weeks, and it’s better to learn that in week 3 than week 11. And if no buyer is actually asking yet, don’t sprint at all: spread the same work over six months at lower intensity and start the platform subscription later.
The subtler failure mode is rushing controls you won’t keep running. A Type I earned on freshly painted controls sets up a painful Type II. Auditors notice controls that began existing two weeks before fieldwork and quietly stopped a month after. Don’t start the observation window until the controls have stopped wobbling. The 90-day target is for teams with deal pressure, a mapped stack, and real engineering allocation. It’s a sprint, not a default.
Whether SOC 2 covers HIPAA or cyber insurance
No, but the overlap is real money. Marsh McLennan data shows carriers deny 41% of cyber-insurance applications on first submission, with missing MFA and EDR the top reasons, and both controls sit inside a normal SOC 2 scope, so finishing this plan converts the insurance application from a remediation project into paperwork. We’ve broken the full carrier checklist down in our cyber insurance requirements guide.
HIPAA is a different instrument entirely: it’s law, not a market attestation, and a SOC 2 report won’t satisfy it. If you handle PHI you need both, and our HIPAA telehealth app cost breakdown itemizes what that compliance engineering adds to a build.
The controls matter beyond the paperwork, too. 88% of SMB breaches involve ransomware, and average SMB breach losses run about $254K, more than most teams’ entire compliance budget. The report gets you through procurement. The controls are what the report was supposed to be about.
Why the controls outlast the report
How gmware runs a SOC 2 sprint
We’re engineers, not auditors. A licensed CPA firm issues your report, and we don’t sell audits. What we do is the half the platforms can’t: the remediation engineering (SSO and MFA rollouts, IAM cleanup, logging pipelines) and the SDLC and infrastructure work (change management in CI/CD, infrastructure-as-code, backups and alerting) that turns a gap list into a passed audit. Our Austin leads run scoping and auditor coordination on US hours while our Bangalore and Mohali teams clear the remediation backlog. That’s how a 90-day plan survives contact with a live feature roadmap.
One caveat we give every prospect: if a vendor builds your product, that vendor’s security posture is inside your audit scope. Ask the hard questions early. Our 22-question vendor checklist covers what to ask and what good answers sound like.
Racing a deal that needs SOC 2? Tell us what your stack looks like and we’ll give you a straight answer on scope, cost, and whether 90 days is realistic for you, within 48 hours.