Vulnerability scanning for your SOC 2 program
SOC 2 is an audit report issued by a licensed CPA firm after it examines whether your controls meet the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. A SOC 2 vulnerability scan gives you dated evidence that you monitor and fix issues on your internet-facing systems.
What SOC 2 actually checks.
A Type I report covers your controls at a point in time. A Type II report covers the same controls operating over a period, usually three to twelve months. The Common Criteria include logical access controls under CC6 and ongoing vulnerability monitoring and incident detection under CC7.1.
Auditors expect to see evidence that you scan internet-facing systems for vulnerabilities, track what you find, and remediate it on a schedule. A recurring web application scan with dated reports is one of the artifacts that supports those criteria. That is the slice of SOC 2 a security scanner can help you cover.
How AuditWard supports your SOC 2 work.
AuditWard runs a SOC 2 web application scan with real pentest tooling, then tags each finding to the criteria it relates to. The table below maps the capabilities a scan gives you to the Common Criteria control areas auditors most often ask about for external web systems.
| Control area | What a scan can evidence | How AuditWard helps |
|---|---|---|
| CC7.1 vulnerability monitoring | That you scan for vulnerabilities on a recurring basis and keep a record of each run. | Generates a dated PDF report per scan that serves as evidence of ongoing vulnerability monitoring. |
| CC6 logical and physical access | That transport and access weaknesses on the web surface are detected and addressed. | Flags TLS, security-header, cookie, and CORS weaknesses that map to access and transmission controls under CC6. |
| CC7.1 finding-to-criteria mapping | Which Trust Services Criteria a given issue relates to, finding by finding. | Tags each finding to SOC 2 at the finding level so you can show an auditor the criteria a given issue maps to. |
| Methodology and scope | What tooling ran, in what version, and what it actually checked. | Lists the tools and versions that ran (curl, testssl.sh, Nuclei, Nmap, Gobuster, nslookup, WhatWeb) with raw tool output appendices. |
| Tracked remediation | That findings are scored, prioritized, and worked through a documented process. | Provides per-finding remediation guidance, CVSS scoring, and references so you can demonstrate a tracked remediation process. |
For the full picture of what the scanner probes and how findings are triaged, see the website security scanning pillar.
The checks that map to SOC 2.
These are the web application checks that most often turn into SOC 2 evidence. They cover transport security, header and cookie hardening, exposure of files and secrets, and outdated software. Each finding carries a severity, a CVSS score, and a remediation note.
Transport security
TLS and SSL configuration and protocol checks via testssl.sh, covering weak ciphers and deprecated protocols on your HTTPS endpoints.
Headers and cookies
Missing or weak HTTP security headers (HSTS, CSP, X-Frame-Options) via curl, plus insecure cookie flags (Secure, HttpOnly, SameSite).
CORS and exposure
CORS misconfiguration detection, plus exposed directories, sensitive files, and secret or credential exposure.
Services and versions
Open port and service-version enumeration via Nmap, with outdated-software fingerprinting via WhatWeb and Nuclei.
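As an added illustration, not AuditWard's own code, here is a small header and cookie check of the kind described under "Headers and cookies": it runs over a constructed response, gives each finding a severity and a remediation note, and treats an HSTS max-age below one year as weak (a threshold assumed here, not stated on this page).

```python
from http.cookies import SimpleCookie

# Headers expected on an HTTPS response, with an assumed severity and remediation note.
REQUIRED_HEADERS = {
    "strict-transport-security": ("medium", "Add HSTS with a max-age of at least one year."),
    "content-security-policy": ("medium", "Define a CSP that restricts script and frame sources."),
    "x-frame-options": ("low", "Set X-Frame-Options: DENY or use CSP frame-ancestors."),
}
MIN_HSTS_AGE = 31536000  # one year in seconds (assumed threshold)

def hsts_max_age(value):
    """Parse max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0

def check_headers(headers):
    """headers: mapping of lower-cased header name -> value. Returns (check, severity, detail, fix) tuples."""
    findings = []
    for name, (severity, fix) in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append((name, severity, "missing", fix))
    hsts = headers.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings.append(("strict-transport-security", "low", "max-age below one year", REQUIRED_HEADERS["strict-transport-security"][1]))
    return findings

def check_cookies(set_cookie_values):
    """set_cookie_values: list of raw Set-Cookie header values. Flags each missing hardening attribute."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append((name, "medium", "cookie lacks Secure flag", "Add the Secure attribute."))
            if not morsel["httponly"]:
                findings.append((name, "medium", "cookie lacks HttpOnly flag", "Add the HttpOnly attribute."))
            if not morsel["samesite"]:
                findings.append((name, "low", "cookie lacks SameSite attribute", "Set SameSite=Lax or Strict."))
    return findings

# Constructed sample response: short HSTS, no CSP, and a session cookie missing Secure and SameSite.
SAMPLE_HEADERS = {"strict-transport-security": "max-age=300", "x-frame-options": "DENY", "content-type": "text/html"}
SAMPLE_COOKIES = ["sid=abc123; Path=/; HttpOnly", "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS) + check_cookies(SAMPLE_COOKIES):
        print(*finding, sep=" | ")
```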
What AuditWard does not do.
AuditWard does not make you SOC 2 compliant and issues no report or opinion. SOC 2 is an audit performed by a CPA firm. A scan covers only your external web surface, so read these limits before you treat any output as audit-ready.
Not an auditor
SOC 2 is an audit performed by a CPA firm. AuditWard is a scanner, not an auditor, and produces no SOC 2 report or opinion.
External surface only
A scan covers only the external web surface. It does not test the many non-technical CC controls such as HR, change management, vendor management, physical security, and policies.
Tags are a convenience
The SOC 2 tags are produced by an LLM as a convenience. They are not a control mapping reviewed or attested by an assessor, so confirm scope with your auditor.
Not full Type II coverage
AuditWard does not perform authenticated testing of internal systems, nor does it provide continuous monitoring across a full Type II observation period on its own.
For card payment work, note that AuditWard is not a PCI Approved Scanning Vendor. An external ASV scan is still required, which we cover on the PCI DSS page.
What to do with the evidence.
Run the scan on a schedule, file each dated PDF report as evidence for CC7.1, and track every finding to closure in your GRC tool or ticketing system. When an auditor tests the control, they sample the report itself, along with the finding tags and the remediation notes attached to it.
Scan your internet-facing app on a recurring cadence so the dated reports line up with your Type II observation period.
Attach each PDF report and its finding tags to the relevant control in your GRC tool, so the artifact is ready when the auditor samples it.
Work each finding to closure using its CVSS score and remediation note, and keep the ticket trail as proof of a tracked process.
Team plans include compliance export, which packages the findings and their framework tags so you can hand them straight to your auditor. Exploring other frameworks? See ISO 27001 and the full compliance overview.
SOC 2 scanning questions.
Does AuditWard make my product SOC 2 compliant?
No. SOC 2 compliance comes from a report issued by a licensed CPA firm after they examine your controls. AuditWard is a scanner that helps you find and evidence security issues for the technical controls a scan can observe. It supports your SOC 2 work and does not stand in for the audit.
Which SOC 2 criteria does a scan help with?
Mostly CC7.1 (ongoing vulnerability monitoring and incident detection) and parts of CC6 (logical access and transmission controls). A dated scan report and per-finding tags give you artifacts that support those Common Criteria for your internet-facing web surface.
Can I show AuditWard reports to my SOC 2 auditor?
Yes. The dated PDF report lists the tools and versions that ran, includes raw tool output appendices, and carries per-finding remediation guidance and CVSS scores. That is the kind of artifact auditors sample for vulnerability monitoring. Confirm the exact scope and cadence with your auditor.
Are the SOC 2 tags an official control mapping?
No. The SOC 2 tags are produced by an LLM as a convenience to point you at the relevant criteria. They are not a control mapping reviewed or attested by an assessor, so treat them as a starting point and confirm scope with your auditor.
Does a SOC 2 vulnerability scan replace a penetration test?
No, it complements one. AuditWard runs automated checks against your external web surface and does not perform authenticated testing of internal systems. Many SOC 2 programs run both an automated scan and a periodic manual penetration test.
How often should I run a SOC 2 web application scan?
Run it on a recurring cadence that lines up with your Type II observation period, commonly monthly or quarterly, plus after significant changes. The point is a continuous trail of dated reports rather than a single scan, so the evidence covers the whole period under audit.