SOC 2 Type II readiness is an evidence-velocity problem

DEV Community · dsly · about 1 month ago

Originally published on arkensec.com

My last SOC 2 Type II kickoff call lasted 82 minutes. The auditor asked for seven specific artifacts in the first ten, and I had four of them. The other three — evidence of vulnerability scan cadence on a defined schedule, documented remediation SLAs with timestamps, and a current third-party penetration test report — cost three weeks and $14,000 to produce mid-engagement. I've now sat in twelve of these kickoffs across both sides of the table. The same thing breaks every time.

Evidence velocity, not documentation, is what blocks Series A SaaS from SOC 2 Type II. Closing the velocity gap saves six months and $20K–$50K.

What "evidence velocity" actually means

SOC 2 Type II readiness means your control environment can produce timestamped, auditor-legible evidence of every in-scope control operating consistently across a multi-month observation period — typically six months on a first audit, twelve on subsequent ones. Readiness is not whether your policies exist.…
