At some point in every deal, a prospect asks for your SOC 2, or you ask for a vendor's. Everyone treats the answer as a yes/no on "are they secure." It isn't. A SOC 2 report answers a much narrower question than the one people think they're asking, and the gap between those two questions is exactly where risk hides.
Let me be blunt about what a clean SOC 2 actually certifies, because the marketing has muddied it.
What the report actually says
A SOC 2 Type II is an attestation that a set of controls the vendor themselves chose to put in scope operated effectively over a past window — typically six to twelve months. That's it.
Read that again, because three words carry all the weight:
- The vendor chose the scope. If a control isn't in scope, the auditor never looks at it. A company can pass SOC 2 and still ship code with critical vulnerabilities in an area the audit didn't cover.
- Operated, not tested against attack. Auditors interview people, review policies, and sample evidence to confirm controls existed and ran. They do not attack your systems, probe for injection flaws, or try to bypass authentication. As one security firm put it, SOC 2 "produces no security findings." A penetration test tries to break in. A SOC 2 audit checks that you have a policy saying you should lock the door.
- A past window. The report covers, say, January through December of last year, and you might be reading it months after that. The environment kept moving — new systems, new subprocessors, new config. The industry's patch for this gap is the "bridge letter," which is just the vendor attesting to itself in the meantime.
A SOC 2 is a rearview mirror, not a windshield. It tells you what a subset of controls looked like during a window that already closed. It says nothing about whether the vendor can be breached today.
The part that should end the "we're SOC 2 certified" reflex
If the structural limitations weren't enough, 2025 delivered a live demonstration of how fragile the trust chain is. A compliance-automation vendor, Delve, was accused of generating faked SOC 2 reports: allegations included reports issued before any evidence was gathered, pre-filled risk assessments, fabricated board-meeting minutes, and boilerplate reused across clients with just the logo swapped.
The whole system rests on a chain of trust — the vendor trusts the auditor, you trust the report, everyone assumes the audit actually happened. When that assumption breaks, a clean report is evidence of nothing. Even setting scandals aside, the lesson holds: collecting a report is not risk management.
What I'd actually do
None of this means SOC 2 is worthless. It's a reasonable baseline and a fine forcing function for a company to write down its controls. The mistake is treating the badge as the finish line. Whether you're buying or building:
If you're evaluating a vendor:
- Read the scope, not the cover page. Which Trust Services Criteria? Which systems? What did the auditor actually test — and what's conspicuously absent?
- Check the dates. When did the audit period end, and how stale is the report you're holding? The further out, the less it tells you about today.
- Ask for what SOC 2 doesn't cover. A recent independent penetration test, their vulnerability-management process, how they handle a critical CVE. Those answers are worth more than the certificate.
If you're pursuing SOC 2 yourself:
- Build the controls for real, then get audited. If your security degrades the day after the audit window closes, you optimized for the report, not for safety — and that's exactly the failure mode auditors can't catch.
- Make it continuous. Real assurance is monitoring, testing, and evidence that reflects your current environment — not an annual scramble to look good for a window.
The bottom line
SOC 2 answers "did these chosen controls operate during a past period." Security answers "can we be compromised right now." Those are different questions, and no amount of clean attestation closes the gap between them.
Use SOC 2 as a baseline and a starting conversation. Just stop mistaking the badge for the thing it's a proxy for — because your attackers certainly don't care what's framed on your compliance page.
- compliance
- SOC 2
- governance
- vendor risk
- security



