In January 2026, our team of 15 had zero compliance infrastructure. No written policies. No vendor inventory. No audit logs beyond what AWS CloudTrail spits out by default. A Fortune 500 prospect told us they wouldn't sign until we had SOC 2 Type II. We had 90 days before their procurement freeze.
We did it. Here's exactly how — what we got right, what we got wrong, and what we'd do differently if we had to start over tomorrow.
The short version: SOC 2 Type II in 90 days is possible for a small team, but only if you treat it as an engineering project, not a paperwork exercise. The audit window was 60 days. The prep before it was 30 days of sprint-level work.
First: Understanding What You're Actually Signing Up For
SOC 2 is a framework developed by the AICPA (American Institute of Certified Public Accountants). A Type I report says "your controls are designed correctly as of a point in time." A Type II report says "your controls actually operated effectively over a defined observation period" — typically 3, 6, or 12 months.
Enterprise buyers almost always want Type II. A Type I is a nice milestone, but procurement teams increasingly treat it as insufficient. If you're going to spend the time, go straight to Type II with the shortest allowable observation window: 60 days is standard for a first-year audit.
SOC 2 is organized around five Trust Service Criteria (TSC):
- CC (Common Criteria / Security) — the required category covering logical and physical access, change management, risk management, and incident response. Every SOC 2 includes this.
- A (Availability) — your system is available for operation as committed. Relevant if you have SLA obligations.
- C (Confidentiality) — information designated as confidential is protected. Usually included if you handle sensitive business data.
- PI (Processing Integrity) — system processing is complete, valid, accurate, and timely. Relevant for financial or transactional systems.
- P (Privacy) — personal information is collected, used, retained, disclosed, and disposed of appropriately. Add this if you process significant volumes of PII.
We scoped to CC + A + C. Our auditor estimated adding PI and P would have added 3–4 weeks to prep and $8,000–$12,000 to the audit fee. We left them out of scope for year one.
Week 1–2: Choosing an Auditor and Running the Gap Assessment
Auditor selection is the most consequential decision you'll make. The audit firm sets the pace, decides what evidence is acceptable, and writes the report that your customers will actually read.
We talked to five firms. Three categories exist:
- Big Four-adjacent (e.g., KPMG, Deloitte spinoffs): $40,000–$80,000 for a first-year Type II. Take 4–6 months. Their logos carry weight with the largest enterprise buyers but are overkill for most B2B SaaS.
- Mid-tier specialists (e.g., Johanson Group, A-LIGN, Schellman): $18,000–$35,000. Faster turnaround. More pragmatic about evidence. These are the right choice for most startups.
- Boutique/startup-focused (e.g., Prescient Assurance, Advantage Partners): $10,000–$18,000. Move the fastest. Some work closely with automation platforms, which streamlines the evidence collection enormously.
We went with a boutique firm that had done over 200 SaaS audits and had a direct integration with our compliance platform. Total audit fee: $14,500 for a 60-day observation window.
The gap assessment came first. Our auditor ran a 2-hour kickoff call, shared a pre-assessment questionnaire, and came back two days later with a gap report covering 47 line items. We had roughly 20% of controls in place already — mostly incidentally, not intentionally.
Week 2–5: Building the Control Environment
The gap assessment turned our nebulous compliance anxiety into a concrete engineering backlog. We treated each gap as a Jira ticket and assigned owners by domain.
The tools we used
We evaluated Vanta, Drata, and Complai. Here's what the comparison actually looked like at our scale:
| Platform | Annual Cost (15-person startup) | Auditor integrations | Strengths | Weaknesses |
|---|---|---|---|---|
| Vanta | $12,000–$18,000/yr | 150+ | Broad integrations, mature UI, largest community | Expensive for early-stage, some evidence collection is manual |
| Drata | $10,000–$16,000/yr | 120+ | Strong automation, good policy templates | Onboarding can be slow, UI less intuitive |
| Complai | $3,600–$6,000/yr | Focused set, expanding | Purpose-built for startups, fast setup, questionnaire auto-fill | Fewer total integrations than established platforms |
We ended up using Complai for policy management and questionnaire generation, with manual evidence collection for the audit itself. The policy library alone saved us three weeks — we adapted 38 policies from templates rather than writing from scratch.
The five control areas that took the most time
Access controls (CC6): We had shared credentials on three production systems. We had contractors with access that should have been revoked 6 months prior. We had no MFA enforced on AWS. Cleaning this up took two engineers working part-time for a week. We enforced SSO with Okta, enrolled all production access under MFA, and ran an access review across every SaaS tool we paid for.
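One way to turn the AWS IAM side of that access review into repeatable, auditor-friendly evidence, as an added example that is not the post's own tooling: it reads the CSV that `aws iam get-credential-report` returns (a constructed sample with only the columns the check uses is embedded), and flags console users without MFA, active access keys unused for longer than a review period (90 days is an assumed value), and any access keys on the root account.

```python
import csv
from datetime import datetime, timezone

STALE_DAYS = 90  # assumed review period; align with your access-review policy

# Constructed sample with only the columns the check reads; a real report from
# `aws iam get-credential-report` has more columns but uses the same names.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,not_supported,false,true,2025-06-01T00:00:00+00:00,false,N/A
alice,true,true,true,2026-01-05T08:00:00+00:00,false,N/A
contractor-bob,true,false,true,2025-06-20T00:00:00+00:00,false,N/A
ci-deploy,false,false,true,N/A,false,N/A
"""

def _timestamp(value):
    # The report writes N/A, no_information or not_supported where no date exists.
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def review_access(report_csv, now, stale_days=STALE_DAYS):
    """Return (user, finding) pairs; an empty list means the review is clean."""
    findings = []
    for r in csv.DictReader(report_csv.splitlines()):
        user = r["user"]
        if user == "<root_account>":
            # Root should have MFA and no access keys at all.
            if r["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            for n in ("1", "2"):
                if r[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root access key {n} is active"))
            continue
        # Console (password) users must have MFA; active keys must be used within the period.
        if r["password_enabled"] == "true" and r["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if r[f"access_key_{n}_active"] != "true":
                continue
            last = _timestamp(r[f"access_key_{n}_last_used_date"])
            if last is None:
                findings.append((user, f"access key {n} active but never used"))
            elif (now - last).days > stale_days:
                findings.append((user, f"access key {n} unused for {(now - last).days} days"))
    return findings

def sample_findings():
    """Review the constructed sample as of a fixed review date (for the record)."""
    return review_access(SAMPLE_REPORT, datetime(2026, 1, 15, tzinfo=timezone.utc))
```

Store the output next to the review date and reviewer name; that pairing is what satisfies the "evidence of quarterly access reviews" item on the PBC list.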
Change management (CC8): Our deployment process was "merge to main, it ships." Auditors want to see evidence of code review approval, testing, and at least a lightweight change approval process. We formalized our existing GitHub pull request workflow: required reviews from one other engineer, added a deployment checklist, and connected it to our ticketing system.
Risk assessment (CC3): This is the one most startups skip because it feels abstract. You need a documented risk register that shows you've identified threats, assessed likelihood and impact, and have controls mapped to each risk. We created a Google Sheet with 22 risks and exported it as evidence. It took a half-day. Don't overthink it.
Incident response (CC7): We had a Slack channel called #incidents and a general understanding that "someone would handle it." That's not sufficient. We wrote a 4-page incident response plan, ran a tabletop exercise (a 90-minute meeting where we walked through a hypothetical breach scenario), and documented the exercise as evidence.
Vendor management (CC9): Auditors want to see that you've assessed the security posture of your critical vendors. We built a vendor list of 23 tools, marked 7 as high-criticality, and pulled their SOC 2 reports or security documentation. This sounds tedious but took about 3 hours with a systematic approach.
Day 30: Starting the Observation Window
On day 30, we formally kicked off the 60-day observation window with our auditor. This is the period during which your controls need to actually operate. You can't retroactively apply controls — if your access reviews were supposed to run quarterly, you need at least one completed during the window.
Critical timing note: The observation window doesn't start automatically. You and your auditor agree on a start date. Don't let it drift. Every day of delay pushes your final report further out, and enterprise deals don't wait forever.
During the 60-day window, our job was to generate evidence. Every control needs artifacts: screenshots, exports, meeting minutes, access logs. We used a shared folder structure organized by TSC criterion and uploaded evidence as it was generated.
Week 11–12: The Audit Itself
The actual fieldwork lasted about two weeks. Our auditor sent a request list (called a PBC — Prepared By Client list) with 84 items. This included things like:
- User access lists from AWS IAM, Okta, GitHub, and our database
- HR records showing background check completion for all employees
- Penetration test report (we used a firm that charged $6,500 for a web app pentest)
- Evidence of quarterly access reviews being completed
- Backup restoration test results
- Evidence of security training completion for all staff
- Completed vendor risk assessments for critical vendors
We had about 75 of the 84 items ready from our preparation work. The remaining 9 required scrambling — mostly documentation that existed but hadn't been formalized. We got everything submitted within 5 business days.
The Result and What It Cost
The report was issued 8 days after fieldwork closed. No exceptions. We passed cleanly on all tested controls.
Total cost breakdown:
- Audit fee: $14,500
- Penetration test: $6,500
- Complai subscription (annual): $4,800
- Okta (SSO/MFA, 15 users, annual): $2,700
- Engineering time (estimated at loaded rate): ~$28,000
- Total: ~$57,000
The deal we were chasing was worth $320,000 ARR. The ROI calculation is easy.
Lessons Learned
What we'd do differently
- Start the gap assessment on day one, not week one. We lost 10 days waiting to kick off with the auditor. In retrospect, we should have run a self-assessment using Complai's gap report the first day we decided to pursue SOC 2.
- Don't try to fix everything before the window starts. We burned a week on nice-to-have improvements that weren't actually tested controls. Scope down ruthlessly.
- Assign a single DRI (Directly Responsible Individual). Compliance work diffuses if it doesn't have a clear owner. We made our Head of Engineering the DRI. Everything routed through them.
- Get your pentest done in week 3, not week 9. We almost ran out of time. Pentest firms book up fast and the report needs to exist before the observation window ends.
The meta-lesson: SOC 2 in 90 days is entirely achievable, but the bottleneck is almost never technical. It's organizational. Getting 15 people to change their workflows, complete training, and generate evidence on a timeline requires project management discipline more than engineering skill.
Your 90-Day Checklist
- Choose and contract with an auditor — start this on day 1
- Run a gap assessment (use Complai's free gap report as a starting point)
- Define your scope: which TSC criteria, which systems
- Assign a single DRI for the entire engagement
- Deploy SSO + MFA across all critical systems
- Write or adopt the required policy set (minimum 12–15 policies)
- Run and document a user access review
- Build and document your risk register
- Commission and receive your penetration test report
- Complete security awareness training for all staff
- Start the observation window and generate evidence continuously
- Submit PBC list within 5 business days of fieldwork request