SOC 2 · HIPAA · PCI · CMMC · ISO 27001

Compliance management that pulls evidence on autopilot so your audit doesn't eat Q4

SOC 2, HIPAA, PCI, CMMC, ISO 27001, NIST CSF. Drata or Vanta wired into your stack. We design the controls, write the policies, run the gap assessment, and sit beside your auditor when they ask the hard questions.

180+ SOC 2 audits passed · 90 days avg gap-to-ready (once remediation is funded) · Zero failed control opinions, 24 mo · 6 pre-vetted audit firms

No credit card. Read-only review of your current control coverage. 1-page gap report back inside 5 business days.

Service tiers

Three lanes for compliance management. One contract. Pricing the CFO can sign without a meeting.

Every tier runs the same playbook: scope, gap, remediate, evidence, audit. The difference is how many frameworks you're carrying, how often we sit down with your team, and whether you want a named GRC analyst attached to your account.

Compliance Starter
One framework end to end. Drata or Vanta included. Monthly working session with your team.
$1,950/mo
Annual agreement · 12-month minimum
  • One framework: SOC 2, HIPAA, PCI, CMMC, ISO 27001, or NIST CSF
  • Drata or Vanta license + integrations included (no separate bill)
  • Policy library: 38 policies drafted to your environment
  • Quarterly user-access reviews and vendor reviews run for you
  • Monthly 60-minute working session with a GRC engineer
  • Audit firm referral (we have 6 pre-vetted CPAs and C3PAOs)
Start Starter →
Enterprise GRC
For multi-framework programs, complex vendor estates, or board-reporting requirements.
Custom
Scoped by framework count & control population
  • Multi-framework: 3+ frameworks managed under a single control library
  • Named GRC analyst dedicated to your account, on-camera weekly
  • Board-level reporting: quarterly risk register, KRI dashboard, audit committee deck
  • Vendor risk program: TPRM intake, SIG/CAIQ reviews, annual re-assessments
  • Continuous control monitoring with named-person remediation owners
  • M&A diligence support and post-deal control integration
Scope Enterprise →
The compliance stack we actually run · no white-label mystery boxes
  • Drata · Continuous monitoring
  • Vanta · Continuous monitoring
  • Secureframe · Multi-framework GRC
  • Hyperproof · Control management
  • AuditBoard · Internal audit & SOX
  • ServiceNow GRC · Enterprise GRC
  • OneTrust · Privacy & vendor risk
  • LogicGate · Risk Cloud
  • Tugboat Logic · Policy & evidence
  • Strike Graph · SOC 2 automation
  • ZenGRC · Compliance ops
  • Trustero · AI evidence collection
Framework coverage · in plain numbers

Seven frameworks. Pre-vetted auditors. Realistic timelines. The same numbers we put in proposals.

Every framework has a different control count, a different evidence bar, and a different auditor culture. Here is what we actually deliver across the seven we run most often. Numbers are the floor for a 50-to-300 seat company starting from a baseline IT environment.

Framework       | Controls covered                                      | Auditor pre-vetted     | Evidence automated | Avg time to ready
----------------|-------------------------------------------------------|------------------------|--------------------|------------------
SOC 2 Type II   | 150 controls (Trust Services Criteria)                | 6 firms                | 92%                | 90 days
HIPAA           | 54 standards (Security, Privacy, Breach Notification) | 4 firms                | 85%                | 60 days
PCI-DSS Lvl 1   | 277 sub-requirements (v4.0)                           | 3 QSAs                 | 78%                | 120 days
CMMC Lvl 2      | 110 NIST 800-171 controls                             | 2 C3PAOs               | 74%                | 180 days
ISO 27001       | 93 Annex A controls (2022 revision)                   | 3 certification bodies | 88%                | 120 days
NIST 800-171    | 110 controls (DoD subcontractor baseline)             | 2 RPOs                 | 74%                | 150 days
NIST CSF        | 108 subcategories (CSF 2.0)                           | Self-attest + advisory | 90%                | 45 days

"Evidence automated" is the share of controls where Drata or Vanta pulls evidence on a schedule with no human in the loop. The remainder is policy, manual review, and design controls. Ask for the sample evidence packet.

Audit case file · anonymized

Two months out from a SOC 2 renewal. 38 control gaps. Zero qualified opinions on Day 1 of fieldwork.

A 240-employee SaaS in Austin had its annual SOC 2 Type II renewal scheduled and a Drata dashboard that lit up red. Their previous GRC vendor had walked. Here's what the next 60 days looked like. Names changed, timing real.

SOC 2 Type II renewal · 38 gaps · Resolved

"Skyline Workflow" SaaS · 240 employees · Austin, TX

Engagement start: 60 days before observation period close · Stack: Vanta, AWS, Okta, Jira, GitHub · Auditor: regional CPA firm, returning
  1. Day 1 · Gap walkthrough. Pulled the Vanta dashboard, mapped 38 failing controls against the auditor's prior-year findings letter. Top blockers: log retention, vendor reviews, secure SDLC, BCP test, and 12 missing policies.
  2. Day 3 · Wrote and shipped 12 missing policies drafted to their actual environment, not Vanta templates. CTO approved 9 in one sitting, kicked 3 to legal.
  3. Day 7 · Deandre Williams (Chicago) ran the BCP tabletop with their leadership team. 90-minute session, evidence captured for CC7.5.
  4. Day 14 · CloudTrail and AWS Config retention bumped from 30 to 365 days. Vanta integration re-pointed. 11 controls flipped green that day.
  5. Day 21 · Vendor review program launched. 42 third-party vendors inventoried, top 14 critical vendors completed SIG-Lite, the rest tiered to an annual review cadence.
  6. Day 35 · Quarterly user-access review run across Okta, AWS, GitHub, Jira. Found 7 ex-contractors still in 1Password, 3 stale GitHub admin tokens. All revoked, evidence captured.
  7. Day 55 · All 38 controls green. Auditor pre-walk: read-only Vanta access shared, prior-year findings letter answered point by point. No new asks.
  8. Day 61 · Day 1 of fieldwork. GRC engineer on the Zoom. Zero qualified opinions, zero exceptions. Auditor closed in 11 days, half the previous year's run time.
  9. Day 90 · Clean SOC 2 Type II report delivered. Two enterprise deals that had stalled in security review closed within the next 3 weeks. Client moved to Compliance Pro to add HIPAA for a healthcare integration.
Outcome: SOC 2 Type II renewed clean, 60 days from a 38-gap fire drill. Two engineers on their team got 80% of their week back. Auditor called the engagement "the cleanest fieldwork they'd run that quarter."
Frameworks we run end to end

Eight frameworks. One control library. Map a control once, satisfy four audits.

Most compliance vendors silo your controls per framework. We map every control once into a unified library, then re-use it across SOC 2, HIPAA, PCI, ISO, and NIST. Add a new framework later? You're already 60 to 80 percent of the way there.

SOC 2 Type II
The default ask from B2B procurement. Trust Services Criteria across security, availability, confidentiality, processing integrity, privacy.
HIPAA
Healthcare PHI safeguards. BAA-ready vendor reviews, annual risk analysis, workforce training records, breach notification runbook.
PCI-DSS v4.0
Cardholder data environment scoping, segmentation validation, quarterly ASV scans, annual penetration test for Level 1 merchants.
CMMC Level 2
110 NIST 800-171 controls for DoD subcontractors. Registered RPO. C3PAO referrals for assessment.
ISO 27001
2022 Annex A controls. ISMS scope definition, Statement of Applicability, internal audit cycle, surveillance audit prep.
NIST CSF 2.0
The framework cyber-insurance carriers actually score against. Six functions: Govern, Identify, Protect, Detect, Respond, Recover.
GDPR
EU data protection. Records of processing, DPIA workflow, DSAR response, sub-processor inventory, EU-US data transfer mechanisms.
CCPA / CPRA
California privacy. Consumer rights workflow, opt-out signal honoring, data minimization, vendor data processing agreements.
The humans on call

When your auditor pings at 4 PM on a Friday, these are the people who pick up.

Our GRC bench is staffed in-house across Tampa, Orlando, and Chicago. Every analyst holds at least one current GRC certification (CISA, CISM, ISO 27001 LA, or HCISPP) and has carried a real client through audit fieldwork before they take a lead role.

  • Miguel Santos · Lead SOC Analyst · Orlando · CISSP, GCIH, GCFA
  • Priya Venkatesh · Incident Response Lead · Tampa · OSCP, GCIH, CRTO
  • Deandre Williams · Compliance Engineer · Chicago · CISA, CISM, ISO 27001 LA
  • Marcus Chen · Virtual CISO · Atlanta · CISSP, CISM, CCSP
  • Aisha Khan · GRC Analyst · Orlando · CISA, HCISPP, CIPP/US
  • Jordan Reyes · Auditor Liaison · Tampa · CPA, CISA, PCI QSA
FAQ · the ones that actually block the sale

Five questions. Honest answers.

Do we still need an external auditor?

Yes. For SOC 2, ISO 27001, PCI-DSS Level 1, and CMMC Level 2 you need a third-party CPA firm or C3PAO; we do not issue the report. What we do is run the program, write and maintain the policies, collect the evidence, sit beside you in fieldwork meetings, and answer auditor questions in real time so your team is not buried for six weeks. We work with 6 pre-vetted audit firms across SOC 2, HIPAA, PCI, and CMMC. You can also bring your own.

How is this different from just buying Drata or Vanta?

Drata and Vanta are tools. They will not write your policies, design your controls, train your engineers, run a tabletop exercise, or sit on a Zoom with your auditor when a control fails on Day 2 of fieldwork. We deploy the tool you pick (or pick one with you), wire it into your stack, write the 30 to 60 policies a SOC 2 needs, fix every red control on the dashboard, and run the audit alongside you. The tool is roughly 15% of the work. The other 85% is what we do.

What if our existing security stack isn't ready?

That is the normal starting point. The first 30 days is gap assessment: we map your current controls to the framework, surface the gaps (typically MFA on every admin account, log retention, asset inventory, vendor reviews, change management, BCP/DR), and rank them by audit-blocker risk. Then we remediate together. Most clients arrive with 60 to 70% of controls already in place and 30 to 40% missing. We have walked clients from zero to SOC 2 Type II ready in 90 days.

Will you write our policies or just review them?

We write them. You get a starting library of 38 policies (information security, access control, incident response, vendor management, change management, data classification, BCP/DR, secure SDLC, acceptable use, and the rest) drafted to your environment, not generic templates. You review, redline, and sign. We then maintain them annually as part of the retainer. Clients on the Pro and Enterprise tiers also get tailored runbooks for the controls that need procedure, not just policy.

How fast can we be SOC 2 ready from zero?

From a standing start with no security program, 90 days to Type I observation window and another 90 days of evidence to issue Type II. If you already have MFA, EDR, log management, and a basic policy library, we have hit Type I in 45 days. The bottleneck is rarely the tooling. It is policy approval cycles inside your company and getting every employee through security awareness training. We pre-stage all of that on day one so the clock does not start late.

Stop losing two engineers to evidence collection.

Our free compliance gap assessment maps your current controls to your target framework, surfaces the audit blockers (the ones that fail you on Day 1), and sends a 1-page gap report inside five business days. Read-only review. No tool installs. No sales call attached.

Run my free compliance gap assessment · Or call (888) 574-5120