Code-level first pass against the SOC 2 Trust Services Criteria — logical access, change management, monitoring, incident recovery, and data lifecycle controls an auditor will actually test, checked from your repo before you pay for the real audit.
This audit evaluates 31 checks across six sections mapped to the SOC 2 Trust Services Criteria (2017, with 2022 points of focus) — logical access (CC6.1-6.3), system boundaries and supply chain (CC6.6-6.8), change management (CC8.1), vulnerability management and monitoring (CC7.1-7.2), incident readiness and recovery (CC7.3-7.5, A1), and data lifecycle (C1). It is deliberately scoped to the engineering half of SOC 2 readiness, the technical controls that are visible in a repository. Policies, HR processes, vendor management, and access reviews live outside your codebase and still need doing. A high score here means your code and its committed evidence would hold up under the technical portion of an audit. It does not mean you are SOC 2 compliant, and no tool that only reads a repository can honestly tell you that.
31
Total Checks
3
Delivery Formats
4
Categories
1
Versions
Included
Never included
Initial release. 31 checks across six TSC-mapped sections: 16 reused battle-tested patterns from the existing catalog plus 15 new patterns closing the change-management, IaC-exposure, access-lifecycle, and evidence-pointer gaps identified in the verified SOC 2 TSC gap analysis (docs/compliance/soc2-tsc-gap-analysis.json). Honest scoping: covers the repo-checkable engineering half of SOC 2 readiness only; never claims compliance. Severity distribution 6 critical / 12 high / 6 medium / 7 low-info (weight 121; critical 49.6%, warning 44.6%, info 5.8%, all within audit-build-guide bands).
Copy the prompt in your preferred format above.
Paste into your AI coding tool (Claude Code, Cursor, Bolt, etc.).
Let the AI run all checks. Review the structured JSON output it produces.
Submit the JSON telemetry block to AuditBuffet for scoring and benchmarks.
Paste your JSON telemetry to get scores and benchmarks.
Submit Results