From $1,500 flat · Delivered in 3 business days

Everything your auditor asks for on day one, in one zip.

Drafted from your answers, optionally verified against your AWS account, reviewed by a human before it reaches you. Plus the part first audits actually fail on: the recurring-evidence routine, shipped as ready-to-run kits. One payment, no subscription. It works fine alongside Vanta or Drata: it replaces the prep grind, not the monitoring.

33 Common Criteria
138 CAIQ cells
8 policies
17 control tests
11 evidence kits
88 files in the zip

Two tiers

Documents $1,500 once

The full document package, drafted from your answers and human-reviewed.

  • Eight policies, your company spliced in
  • System description (SOC 2 Section 3 draft)
  • AICPA evidence index and tracker
  • Statement of Applicability, asset + data registers
  • Pre-scored risk register + management review template
  • Pre-filled CAIQ (138 questions) + 60-answer questionnaire bank
  • 17 control tests, as a workbook to complete
  • 11 evidence kits, 12-month calendar through ISO bridge
  • Publishable trust page and three auditor intros
  • AGENTS.md so your coding agent can work the package

Why $1,500 is the bargain in this category

What getting audit-ready costs elsewhere in 2026

Prices in this category are opaque, but here are honest orders of magnitude from quote requests and customer reports:

Option                                                       Typical 2026 price
Compliance automation platform (Vanta, Drata, Secureframe)   $7,500 to $15,000+/yr
AI-native compliance entrants                                ~$5,000 to $12,000/yr
Readiness consultant (prep only)                             $5,000 to $15,000 one-time
Regional CPA bundled prep + audit                            $20,000 to $40,000 all-in
soc2.zip Documents                                           $1,500 one-time
soc2.zip AWS Verified                                        $2,400 one-time

Two caveats so the comparison is fair. The platform and AI-native rows are yearly subscriptions that bundle continuous monitoring, so only part of that price is prep; the honest like-for-like is the consultant line. And the audit itself is a separate cost soc2.zip does not change: a Type 1 typically runs $7,500 to $15,000, paid to your auditor.

What soc2.zip compresses is the prep. From scratch, the artifacts in the package represent 144 to 314 hours of internal work; with the package, finishing the documents takes 11 to 25 hours. That residual is work you would do on any path, because no alternative fills in your environment for you.

The package is agent-operable from day one

Every package ships AGENTS.md and a machine-readable manifest so your coding agent can work the package alongside you. In our benchmark, pointing an agent at AGENTS.md and a real buyer codebase closed 25 facts in 7 minutes, each with a cited source and zero fabricated citations. The remaining markers are the ones that genuinely need your environment or your sign-off, not gaps the agent missed.

A human reviews every file before it reaches you

Every package ships a Review Record: a signed inspection sheet listing what the build proved mechanically (conformance, static byte-verification, marker class counts, zero fabricated sources) and what a human checked by hand before sending. It is not a marketing claim; it is a completed form in the zip you can read. The founder signs off on every file before delivery. No automated send without a human pass.

What's in the box

Eight policies

Information Security, Acceptable Use, Access Control, Change Management, Incident Response, Vendor Management, Business Continuity, and Data Classification. Each ties to specific Trust Services Criteria with your company name spliced in.

System description

A SOC 2 Section 3 draft: the description of your system your auditor reads first to set scope. Grounded in your stack answers, with a [USER TO CONFIRM] block anywhere only you can fill in the fact. Consultants charge four figures for this.

Assumptions and provenance register

Every load-bearing fact in the package, listed with its value and how we know it: verified by scan, attested by you, found publicly, or a stated default you sign off on. Nothing in the package is a guess you did not see. Template packs cannot tell you which claims are yours.

AICPA evidence index and tracker

Thirty-three rows covering CC1.1 through CC9.x, AICPA filename convention, owner, status, and the artifact you need for fieldwork, plus a spreadsheet tracker to work it as a punch list.

Pre-scored risk register

A spreadsheet of the risks almost every small SaaS carries before its first audit, each pre-scored on the standard 5x5 likelihood and impact scale and tied to a treatment. Comes with a management-review agenda and signed-minutes template, because the auditor wants proof leadership read it, not just the register.

Scope documents and registers

A Statement of Applicability covering every Trust Services criterion with honest applicability decisions, plus an asset register and a data inventory classified on the same four tiers as the Data Classification Policy, each row traced to your vendor register.

CAIQ Lite, pre-filled

All 138 cells across 17 domains answered against the canonical small-SaaS posture, ready for you to overwrite where reality differs. Send it to procurement teams that ask for SOC 2 before your report is ready.

Seventeen control tests

The tests every SOC 2 auditor expects: branch protection, MFA enforcement, encryption at rest, RDS backups, and the rest. With Documents they ship as a workbook you complete from your environment. With AWS Verified they arrive pre-verified against your AWS account.

Publishable trust page

A self-contained security page you can drop at yoursite.com/security: posture summary, control highlights, subprocessor list, contact. The first artifact with ongoing visible value.

Compliance calendar

The 12-month evidence routine: what runs monthly, quarterly, and annually, which criteria each activity feeds, which file records it, and what the auditor writes if you skip it. Every control in the evidence index also names the artifact an auditor accepts and the exact console or CLI path that produces it.

The recurring-evidence kits

Quarterly access reviews (workbook plus the exact AWS export commands), vendor management (a register seeded from your stack, review log, CUEC worksheet, two questionnaires), onboarding and offboarding checklists whose completed copies are the audit evidence, three scripted incident-response tabletop scenarios with an after-action record, a security training kit (30-minute brief, quiz, completion roster), and a change-management kit with the exact commands to export your full PR population for the audit period. These cover the sample requests that blindside first-time buyers in fieldwork.

Questionnaire answer bank

Sixty pre-written security-questionnaire answers across twelve topics, including AI and LLM data handling, each pointing at the package artifact that backs it. Built for the SIG-Lite-style requests procurement teams send before your report exists.

Pen test brief and ISO 27001 bridge

A scoping brief and remediation tracker that make your annual penetration test usable as audit evidence, and a SOC 2 to ISO 27001:2022 crosswalk so the same package gives you a head start when a deal asks for ISO next.

Three auditor intros

Curated to your industry, team size, and timeline. Includes cost ranges, tier, accreditations, best-fit notes, and copy you can use to email them.

Agent-readable from intake to delivery

Have your coding agent prepare the intake from sources it can access inside your environment. The delivered package closes the loop with AGENTS.md and a machine-readable manifest, so Claude Code or Codex can fill remaining [USER TO CONFIRM] markers with a cited source per fill. You review and sign; the guardrails forbid fabricated evidence.

Who this is for

  • Series A/B SaaS founders who just had a SOC 2 question gate a deal and need real artifacts in days, not quarters.
  • 10- to 80-person engineering orgs who do not want a five-figure subscription just to produce policy templates and a system description.
  • CTOs running de facto compliance who would rather edit a defensible draft than start from a blank Notion page.

Who this isn't for

If you need a continuous-monitoring platform, automated vendor reviews, or a compliance team of record, you want Vanta or Drata. We make the artifacts; they run the ongoing program. Plenty of buyers use both: the package replaces the one-time prep grind, the platform handles the monitoring.

Frequently asked

What is the difference between Documents and AWS Verified?

Both ship the same documents. AWS Verified adds a read-only scan of your AWS account, so your 17 control tests arrive already verified, scan findings show up in your gap memo as confirmed gaps instead of guesses, and your CAIQ answers are overlaid from live evidence. Documents ships the control tests as a workbook you complete yourself.

How does the AWS scan work, and is it safe?

You create a read-only IAM role and paste in a trust-policy snippet scoped with a unique ExternalId we generate for you. We never get write access, the scan only reads configuration, and you can revoke the role the moment we deliver. If you would rather not connect anything, buy Documents.
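The trust-policy shape that description implies, as an added example rather than the vendor's actual snippet (which the page does not show). The scanner account id and ExternalId are constructed placeholders; the check function is what a buyer could run on a pasted snippet before creating the role.

```python
"""Added example, not soc2.zip's own code: a read-only cross-account scan role
trust policy (single principal, sts:AssumeRole only, ExternalId condition) and a
check that flags snippets scoped more loosely than that."""

SCANNER_ACCOUNT = "111122223333"   # constructed placeholder: the scanning vendor's AWS account
EXTERNAL_ID = "soc2zip-7f3a9c1e"   # constructed placeholder: the per-customer id the vendor generates


def build_trust_policy(scanner_account: str, external_id: str) -> dict:
    """Only the scanner account may assume the role, and only when it presents
    the agreed ExternalId (the standard confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, scanner_account: str, external_id: str) -> list:
    """Return the problems found; an empty list means the snippet is scoped
    as tightly as the page describes (one principal, AssumeRole only, ExternalId)."""
    problems = []
    expected_principal = f"arn:aws:iam::{scanner_account}:root"
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts   # IAM allows a single object here
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    if not allows:
        problems.append("no Allow statement: nothing could assume the role")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            problems.append("wildcard principal: any AWS account could assume the role")
        elif aws != expected_principal:
            problems.append(f"principal {aws!r} is not the scanner account")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRole"]:
            problems.append(f"actions {actions} should be exactly ['sts:AssumeRole']")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("missing or wrong sts:ExternalId condition")
    return problems
```

The trust policy only controls who may assume the role; the read-only scope comes from the permissions policy attached to it (for example AWS's managed SecurityAudit policy), and deleting the role after delivery revokes both.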

What is the evidence routine?

The most common way a first audit goes sideways is not missing documents, it is missing evidence: the auditor samples a random week and asks for the access review record, and there isn't one. The package ships a 12-month compliance calendar and ready-to-run kits for each recurring activity (quarterly access reviews, vendor management, onboarding/offboarding, incident tabletops, security training, change management), plus a per-control evidence spec naming the artifact an auditor accepts and the exact console or CLI path that produces it. Each activity produces a dated, signed artifact the first time you run it. You still run the activities; we make each one a short, scripted routine instead of a research project.

Can my coding agent fill this in?

Yes, by design. The zip ships AGENTS.md and a machine-readable manifest, so you can drop it into your repo and point Claude Code or Codex at it. The recipes cover filling [USER TO CONFIRM] markers from your codebase and AWS account with a cited source per fill, preparing the quarterly access review, completing the control-test workbook, and drafting questionnaire answers. The guardrails are strict: the agent never fabricates evidence or dates, leaves anything unverifiable as a marker, and never signs anything; every artifact keeps its human sign-off.

Will my auditor accept this?

The package is shaped against AICPA Trust Services Criteria with the 2022 points of focus. Auditors do not grade policies; they grade whether you can prove the controls behind them. The package is a starting point that puts you most of the way there, and the system description and evidence index are exactly what they ask for first.

What if my stack isn't AWS?

Buy Documents; the package works for any stack. The renderers swap tool names where they can, and anything we cannot ground in your inputs renders as a [USER TO CONFIRM] token. You do not ship a guess. The AWS Verified scan is AWS-only today.

Does it help with ISO 27001 too?

It is a SOC 2 package first. But it ships a SOC 2 to ISO 27001:2022 crosswalk that maps every criterion to the matching ISO clause and Annex A control, with per-criterion notes on which package artifacts you can reuse. If a deal asks for ISO next year, you start from a mapped inventory instead of zero.

How long does it take?

About five minutes on the intake. We pre-fill what we can verify from public sources before you open it, so you answer only what we cannot find ourselves; your coding agent can prepare the answers for you. We render and review the package, then email it to you as an attachment within 3 business days. Keep your copy; we can re-send on request within 12 months.

Refund policy?

If the package does not pass your sniff test within 7 days, reply to your delivery email and we refund. We would rather know what was off than keep your money from someone who would never buy again.

Who's behind this?

Peter Korpak, the same person who runs the SOC 2 auditor directory at SOC2Auditors.org. About 6,000 people use the directory and guides every month, we have matched 200+ companies with auditors, and the package distills 100+ conversations with buyers and audit firms about what fieldwork actually asks for. It is a focused product for a sliver of the readiness market underserved by the big platforms.

See a sample package

Open the actual package, including a sample read-only AWS scan report so you can see the AWS Verified tier. This is the canonical sample persona, [USER TO CONFIRM] tokens and all. Tell us where to send it, and browse the cover page below.

[Image: Sample soc2.zip package home page showing the fieldwork-readiness bar and 33-criteria coverage map]
Ready when you are.

One short intake, pre-filled where we can verify. Delivery in 3 business days. From $1,500, one payment.
