Getting SOC 2 compliant is one of those things that sounds straightforward until you actually start doing it. You need a penetration test, but the pentest firm does not do audits. You need an auditor, but the audit firm does not do security testing. You need someone to help you fix the gaps, but your consultants do not talk to your testers, and neither of them talks to your auditor. You end up project-managing three to five different vendors, coordinating timelines, translating between teams, and hoping everything lines up before your deadline.
We built Lorikeet's SOC 2 compliance package to eliminate that problem entirely. Through our partnership with Accorp Partners CPA LLC, we deliver the complete SOC 2 journey: penetration testing, remediation guidance, vulnerability scanning, and formal audit, all coordinated through a single point of contact. One engagement. One timeline. No vendor wrangling.
The SOC 2 Compliance Journey
Before we get into how our package works, it helps to understand the full SOC 2 process. Most companies underestimate the number of steps involved, which is why timelines slip and costs balloon.
Phase 1: Readiness Assessment
Before you can pass a SOC 2 audit, you need to understand where you stand. A readiness assessment evaluates your current security posture against the SOC 2 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). The output is a gap analysis: here is what you have, here is what you need, and here is what needs to change.
This phase is critical and frequently skipped. Companies that jump straight to the audit without a readiness assessment are the ones who discover control gaps during the audit itself, which leads to delays, exceptions, and qualified reports.
Phase 2: Gap Remediation
Once you know what the gaps are, you fix them. This might involve implementing new security controls, updating policies and procedures, configuring monitoring and alerting, deploying endpoint protection, or establishing incident response processes. The scope of remediation varies enormously depending on your starting maturity.
This is where many companies stall. They get the readiness report, realize they have 40 items to fix, and do not know where to start or how to prioritize. Good compliance guidance is not just telling you what is missing. It is telling you what to fix first, how to fix it efficiently, and which controls are going to get the most scrutiny from your auditor.
Phase 3: Security Testing
SOC 2 auditors expect to see evidence of security testing. This typically includes both vulnerability scanning and penetration testing. The pentest validates that your security controls actually work against real-world attacks. The vulnerability scan demonstrates ongoing monitoring. Together, they provide the evidence your auditor needs to assess the operating effectiveness of your security controls.
Phase 4: Formal Audit
The audit itself is conducted by a licensed CPA firm. The auditor evaluates your controls against the Trust Service Criteria, reviews evidence (including your pentest report and scan results), interviews key personnel, and tests a sample of your controls. For SOC 2 Type I, this is a point-in-time assessment. For SOC 2 Type II, the auditor evaluates controls over a period of time, typically 3 to 12 months.
Phase 5: Report and Attestation
The final deliverable is the SOC 2 report, which includes the auditor's opinion, a description of your system, the Trust Service Criteria evaluated, and the results of testing. This is the document you share with prospects, customers, and partners to demonstrate your security posture.
Why Companies Struggle with SOC 2
The process above is well-documented. So why do so many companies struggle with it? In our experience working with growing organizations, the pain points are remarkably consistent.
Fragmented Vendors
The biggest problem is vendor fragmentation. Most companies end up working with a pentest firm, a separate audit firm, a compliance consultant, and possibly a separate vulnerability scanning vendor. None of these vendors coordinate with each other. You become the project manager, relaying information between teams that have never worked together and do not understand each other's processes or timelines.
When the pentest firm finds issues that need to be fixed before the audit, but the auditor has already started their review, things get complicated fast. When the compliance consultant recommends controls that the pentest later reveals are insufficient, you waste time and money implementing things twice.
Unclear Requirements
SOC 2 is a framework, not a checklist. The Trust Service Criteria are principles-based, which means there is interpretation involved in how they apply to your specific organization. Companies that do not have compliance experience often over-engineer some controls and under-engineer others. They implement elaborate access management processes but forget to set up audit logging. They write detailed security policies but do not actually follow them.
Audit Surprises
Perhaps the most painful scenario: you think you are ready, you start the audit, and the auditor identifies control gaps you did not know about. Now you need to fix things mid-audit, which delays the timeline, increases costs, and sometimes requires the auditor to extend the observation period. This almost always happens when security testing and audit preparation are not coordinated.
Timeline Creep
SOC 2 projects have a way of taking longer than expected. The readiness assessment takes a month. Remediation takes three months instead of two. The pentest schedule slips because the vendor is booked. The auditor needs additional evidence. Before you know it, a six-month timeline has become a year, and the enterprise deal you were trying to close has gone to a competitor.
The core issue: SOC 2 compliance requires security expertise, audit expertise, and project management working in coordination. When these are spread across multiple vendors with no shared accountability, the process breaks down.
The Lorikeet + Accorp Partners Approach
Our SOC 2 compliance package solves the vendor coordination problem by bringing everything under a single engagement. Lorikeet Security handles the security testing and remediation guidance. Accorp Partners CPA LLC handles the formal audit and attestation. We work together with a shared timeline, shared context, and a single point of contact for the client.
What Lorikeet Handles
- Penetration testing. Manual, expert-driven testing of your applications, networks, and cloud environments, delivered through our PTaaS platform with real-time findings
- Vulnerability scanning. Continuous monitoring through our attack surface management platform to identify known vulnerabilities and misconfigurations
- Security validation. Testing your security controls to ensure they actually work as designed, not just that they exist on paper
- Remediation guidance. When we find issues, we provide specific, technical guidance on how to fix them. Not generic recommendations, but actionable steps tailored to your technology stack
- Retesting. After you fix the findings, we verify the fixes are effective before the audit begins
- Evidence collection. We provide audit-ready evidence packages that map our findings to the Trust Service Criteria your auditor will evaluate
What Accorp Partners CPA Handles
- Formal SOC 2 audit. The official examination of your controls against the Trust Service Criteria, conducted by licensed CPAs
- Trust Service Criteria evaluation. Assessment of your controls across Security, Availability, Processing Integrity, Confidentiality, and Privacy (as applicable to your engagement)
- Attestation report. The formal SOC 2 report that you share with customers, prospects, and partners
- Type I and Type II support. Whether you need a point-in-time assessment or a full observation period report
What We Do Together
- Coordinated timeline. Security testing and audit preparation happen on a shared schedule so nothing falls through the cracks
- Shared context. Our testers and the audit team understand each other's processes and requirements, so pentest findings map directly to audit evidence needs
- Single point of contact. You work with one team that manages the entire process, instead of coordinating between separate vendors
- No surprises. Because we do the security testing before the audit begins, control gaps are identified and remediated before the auditor starts their review
Typical Timeline
Every SOC 2 engagement is different, but here is a representative timeline for a growing company going through the process for the first time:
| Phase | Timeline | Key Activities |
|---|---|---|
| Readiness Assessment | Weeks 1-3 | Evaluate current controls, identify gaps, define scope and Trust Service Criteria |
| Gap Remediation | Weeks 3-10 | Implement missing controls, update policies, configure monitoring, deploy security tooling |
| Penetration Testing | Weeks 8-10 | Manual pentest of applications and infrastructure, vulnerability scanning, findings delivered in real-time |
| Remediation + Retesting | Weeks 10-12 | Fix pentest findings, verify fixes, prepare evidence packages |
| Audit (Type I) | Weeks 12-14 | Formal audit of controls at a point in time, evidence review, personnel interviews |
| Report Delivery | Weeks 14-16 | Final SOC 2 report issued by Accorp Partners CPA |
For SOC 2 Type II, add the observation period between the remediation phase and the final audit. The observation period is typically 3 to 12 months, during which the auditor evaluates the ongoing effectiveness of your controls.
Note that the penetration testing phase overlaps with the later stages of gap remediation. This is intentional. By testing while remediation is still in progress, we can identify issues that need to be addressed before the audit starts, rather than discovering them during the audit itself.
DIY SOC 2 vs. Lorikeet + Accorp Package
Most companies that attempt SOC 2 on their own end up spending more time and money than they expected. Here is a side-by-side comparison:
| | DIY / Fragmented Vendors | Lorikeet + Accorp Package |
|---|---|---|
| Vendors to Manage | 3-5 separate firms (pentest, audit, consulting, scanning, tooling) | One coordinated engagement |
| Timeline | 6-12+ months (delays from vendor coordination) | 3-4 months for Type I (coordinated schedule) |
| Project Management | You coordinate everything | Single point of contact manages the process |
| Pentest Findings | PDF report delivered weeks after testing | Real-time findings via PTaaS portal |
| Audit Surprises | Common; pentest and audit are disconnected | Rare; security testing feeds directly into audit prep |
| Remediation Support | Generic recommendations from separate consultant | Specific technical guidance from the team that found the issues |
| Pricing Transparency | Opaque; each vendor quotes separately | Transparent; bundled pricing published at /pricing |
| Ongoing Monitoring | Separate tool or not included | ASM platform available from $476/month |
| Repeat Audits | Start over with vendor coordination each year | Ongoing relationship; renewals are streamlined |
Compliance Automation with Vanta
As a Vanta MSP Partner, Lorikeet Security also integrates compliance automation into the process. Vanta continuously monitors your infrastructure and SaaS tools against SOC 2 requirements, automatically collecting evidence and flagging control gaps. This is not a replacement for manual security testing or a formal audit, but it dramatically reduces the manual effort involved in evidence collection and ongoing compliance maintenance.
When Vanta is part of the engagement, the readiness assessment is faster because we already have visibility into your current control status. Gap remediation is more targeted because we can see exactly which controls are passing and which are failing. And audit preparation is smoother because the auditor has access to continuous evidence rather than point-in-time snapshots.
Beyond SOC 2: ISO 27001 and PCI-DSS
The same coordinated approach applies to other compliance frameworks. Through our partnership with Accorp Partners CPA LLC and Anchorpoint Partners, we also deliver:
- ISO 27001 certification. If you are expanding into European markets or working with enterprise clients that require ISO 27001, we provide the security testing and remediation while our partners handle the formal certification audit. Read more about ISO 27001 for SaaS companies
- PCI-DSS compliance. If you process, store, or transmit payment card data, PCI-DSS compliance is mandatory. Our package includes the required penetration testing (Requirement 11.3), vulnerability scanning (Requirement 11.2), and coordinates with the QSA for the formal assessment. See our PCI-DSS penetration testing guide
- Dual certification. Many companies need both SOC 2 and ISO 27001. Our dual certification approach allows you to pursue both frameworks simultaneously, leveraging overlapping controls to reduce total effort and cost
The efficiency of bundling: SOC 2, ISO 27001, and PCI-DSS share significant overlap in their control requirements. Companies that pursue multiple frameworks through a coordinated package avoid duplicating work across security testing, policy development, and evidence collection. The same pentest report can satisfy requirements for all three frameworks when scoped correctly from the start.
Who This Is For
Our SOC 2 compliance package is designed for companies that:
- Are pursuing SOC 2 for the first time and want to avoid the chaos of managing multiple vendors
- Have had a bad experience with fragmented compliance engagements in the past
- Need to move fast because they have a customer contract or enterprise deal that requires SOC 2
- Want transparency in pricing and timeline, not open-ended consulting engagements
- Need ongoing security monitoring after the audit, not just a one-time checkbox
- Are growing and expect to need annual renewals, making a long-term partnership more efficient than one-off vendor relationships
If any of that resonates, we should talk. You can book a consultation to discuss your specific situation, review our transparent pricing, or explore our full service offerings.
Get SOC 2 compliant without the vendor chaos
One engagement. One timeline. Penetration testing, remediation, and audit all coordinated through a single point of contact. Book a consultation to get started.