Continuous evidence for CC6 (logical access) and CC7 (system operations).
See your SOC 2 (Trust Services Criteria) readiness in 60 seconds. Free, no signup.
SOC 2 is the dominant trust report North-American enterprise buyers ask for. The Common Criteria expect ongoing, observable evidence — not point-in-time screenshots. External monitoring directly evidences several CC6 and CC7 criteria.
This mapping is aimed at SaaS providers, MSPs and any service organisation that processes customer data and needs to demonstrate trust to enterprise buyers (especially in North America).
Each row links a SOC 2 (Trust Services Criteria) clause to the external check we perform and the evidence it produces. Mappings are reviewed by our compliance team and updated when standards change.
| SOC 2 (Trust Services Criteria) clause | What it requires | How we evidence it |
|---|---|---|
| TLS-1 CC6.7 Restricted transmission of data | The entity restricts the transmission, movement and removal of information to authorised channels using encryption. | **Encrypted transport (TLS 1.2+):** We verify the certificate chain, expiry, supported TLS versions and cipher suites on every public hostname. |
| EMAIL-1 CC6.6 Logical access — boundary protection | The entity implements logical access security measures to protect against threats from sources outside its boundaries, including email. | **Email authentication (SPF / DKIM / DMARC):** We resolve and validate SPF, DKIM and DMARC records, including DMARC enforcement policy and reporting addresses. |
| WEB-1 CC6.6 Boundary protection | Hardened web-facing services and response headers form part of the external boundary protection. | **Secure HTTP response headers:** We test for HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy and X-Content-Type-Options on the live site. |
| DNS-1 CC7.1 System monitoring | The entity uses detection and monitoring procedures to identify (1) changes to configurations, and (2) susceptibilities to vulnerabilities. | **DNS hygiene & DNSSEC:** We resolve A, AAAA, MX, NS, CAA and DNSSEC records and flag anomalies, dangling records and missing controls. |
| REP-1 CC7.2 Anomaly detection | The entity monitors system components for anomalies indicative of malicious acts, natural disasters or errors. | **Reputation & threat intelligence:** We cross-check the domain and its IPs against VirusTotal, Shodan, Spamhaus, URLhaus and Google Safe Browsing. |
| BREACH-1 CC7.3 Incident response — communications | The entity evaluates security events to determine whether they could or have resulted in an incident. | **Credential exposure monitoring:** We query Have I Been Pwned for breaches involving the monitored domain and surface affected accounts. |
| EXP-1 CC6.1 Logical access controls | Logical access security software, infrastructure and architectures are implemented to support objectives. | **Exposed files & admin panels:** We probe for publicly accessible .env, .git, backups, admin panels and other sensitive paths that should never be reachable. |
| SUB-1 CC3.2 / CC9.2 Risk identification & vendor management | Identify risks across the entity — including externally exposed assets and third-party vendors loaded on your public surface (analytics, chat, payments, CDNs). The data flow map evidences vendor scope from the outside. | **Third-party data flow map (subdomains & external services):** We enumerate subdomains via Certificate Transparency logs, fingerprint every third-party service they load (analytics, payments, chat, CDNs, tag managers, ad networks, fonts) and map where browser-side data flows. This is the externally-observable evidence regulators ask for under supplier, supply-chain and processor-inventory clauses. |
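As an added illustration of what the EMAIL-1 and WEB-1 rows evaluate (example code written for this page, not the vendor's scanner), the following Python checks a DMARC record for enforcement policy and reporting address, and an HTTP response for the six headers listed above, emitting findings keyed by the clause IDs in the table. The DNS answer and response headers are constructed sample inputs standing in for a live lookup.

```python
"""Added example: evaluate DMARC and response-header evidence for SOC 2 CC6.6.
Not the vendor's code; inputs below are constructed, not fetched live."""
from typing import Dict, List

# Constructed sample inputs standing in for a live DNS lookup and HTTP probe.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}
# The six headers the WEB-1 row says are tested on the live site.
REQUIRED_HEADERS: List[str] = [
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "Referrer-Policy", "Permissions-Policy", "X-Content-Type-Options",
]


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> Dict[str, object]:
    """EMAIL-1 / CC6.6: is DMARC valid, enforcing, and reporting somewhere?"""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")  # absent 'p' is treated as no enforcement
    return {
        "clause": "EMAIL-1 CC6.6",
        "valid": tags.get("v") == "DMARC1",
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject"),
        "reporting": "rua" in tags,
    }


def check_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """WEB-1 / CC6.6: which of the expected response headers are missing?"""
    present = {name.lower() for name in headers}  # header names are case-insensitive
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in present]
    return {"clause": "WEB-1 CC6.6", "missing": missing, "pass": not missing}


if __name__ == "__main__":
    print(check_dmarc(SAMPLE_DMARC))
    print(check_headers(SAMPLE_HEADERS))
```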
External monitoring is one part of compliance. Criteria outside this table need other evidence, typically from your GRC platform, HR system, or internal logging: