For SOC 2 readiness · CISO · GRC · DevSecOps · regulated SaaS teams

SOC 2 evidence
from your code.
One slash command.

Q: How much of the 13 buckets is automatic vs manual?

Roughly 70% AUTO (deterministic from the structural graph) and 30% TODO templates the team fills in. AUTO covers: CC6 (auth flow + RBAC matrix from code), CC7 (incident-response data flow, observability hooks), CC8 (change management from git history), C1 (sink reachability for confidential data paths), PI1 (processing integrity proofs), P1 (PII flow lineage). TODO covers: CC1-CC5 (governance prose), A1 (availability runbook narrative).

Type this in your AI agent ›

/argos-soc2-prep

Claude Code · Cursor · Cline · Aider · Continue · Zed — any MCP-compatible agent.

A 13-bucket SOC 2 evidence package generated from your codebase in 5-15 minutes — mapped 1:1 to AICPA Trust Services Criteria 2017 (CC1-CC9 + A/C/PI/P). Every claim cites file:line. Auditor-grade structural proofs, not written attestation. Pairs with Vanta, Drata, and SecureFrame. Standards: AICPA TSC 2017, CIS Controls v8, ISO 27001 Annex A, NIST 800-53. $0 per retrieval, local-first, sub-millisecond P99.

Free evidence pack → Multi-framework page How it works

01The problem

SOC 2 readiness used to take a quarter. The auditor still didn't trust the spreadsheet.

Every regulated SaaS team approaching their first SOC 2 Type II runs the same pattern: 4-6 weeks of evidence collection, eight engineers reading old Slack threads to reconstruct what the access-control policy actually looked like in code, and a Confluence page nobody updates between audits. The Big 4 auditor reads the policy attestation, asks "show me the code path", and the team spends two more weeks producing screenshots that age in 30 days.

Vanta, Drata, and SecureFrame solve the GRC workflow — they collect evidence, track control owners, automate the policy attestation. What they don't do is walk your call graph. The CC6 logical-access proof, the CC7 incident-response data flow, the C1 confidential-data sink reachability — those still come from engineering doing manual archaeology, every quarter, forever.

"Auditor said our CC6.1 evidence was 'narrative-heavy'. They wanted the actual code paths every authenticated route flows through. That was 47 endpoints across three services. The team grep-walked it for 11 days."
— VP Engineering, Series B SaaS (anonymized, post-Type II)

02How SOC 2 prep works today

4-6 weeks. 8 engineers. ~$80K of evidence work that ages in 90 days.

GRC platform spits out a control list. Vanta / Drata maps the policies to TSC 2017. Each control needs evidence — and "evidence" means more than a checkbox.
Per CC control, manual code archaeology. CC6 logical access: trace every requireAuth() middleware, list every public endpoint, prove uniformity. CC7 system operations: walk the incident-response wiring. CC8 change management: dig through git history. 30-90 minutes per control × 70-150 controls = ~150 hours.
Spreadsheet column "Where it flows". Per privacy / confidentiality control: trace PII / customer-data sources to every sink. Miss two paths. Auditor catches one. Re-run.
Build the auditor walkthrough deck. 80 slides. Screenshots of code. Narrative paragraphs. Re-shot every quarter because the codebase moved.
Auditor ships the report 6 weeks later. Three "exceptions" because two paths were missed and one control had stale evidence. Remediation is another two weeks.

Math per Type II cycle: 150h × $250/h = ~$38K internal evidence work + $80-150K auditor invoice + $30-60K/year GRC platform license. The artifacts produced have negative shelf life — next year's audit, you start over because the code moved.

03How Argos changes it

One slash command. 13 buckets. Auditor-ready PDF.

$ argosbrain ingest .
✓ ingested 1,847 files, 14,032 symbols, 89,447 call-graph edges  (8.1s)

[in your AI agent — Claude Code / Cursor / Cline / ...]
> /argos-soc2-prep

Phase 1/4 · Discovery
✓ framework: Express + Postgres + Redis + Auth0
✓ 47 authenticated endpoints, 12 public, 3 admin-only
✓ PII sources: 8 (request bodies + JWT claims + DB columns)

Phase 2/4 · 13-bucket synthesis (parallel, 1:1 with TSC 2017)
✓ 01-CC1 · control environment        TODO template
✓ 02-CC2 · communication              TODO template
✓ 03-CC3 · risk assessment            TODO template
✓ 04-CC4 · monitoring                 partial — observability hooks
✓ 05-CC5 · control activities         partial — git-blame ownership
✓ 06-CC6 · logical access controls    AUTO — 47 endpoints + RBAC matrix
✓ 07-CC7 · system operations          AUTO — incident-response wiring
✓ 08-CC8 · change management          AUTO — git history scan
✓ 09-CC9 · risk mitigation            partial
✓ 10-A1  · availability               TODO template (runbook narrative)
✓ 11-C1  · confidentiality            AUTO — sink reachability for PII
✓ 12-PI1 · processing integrity       AUTO — input validation map
✓ 13-P1  · privacy                    AUTO — PII flow lineage

Phase 3/4 · Render (v0.26.0 — built into argosbrain)
✓ argosbrain delivery render ./out/SOC2-Evidence
✓ 62 pages, A4, branded, file:line citations across 14 buckets
✓ SOC2-Evidence.pdf written  (1.4 MB)

Phase 4/4 · Coverage matrix
- AUTO (structural)        9 buckets — deterministic
- partial (LLM + review)   3 buckets — confidence-labeled
- TODO templates           4 buckets — fill in 30-60 min total

Total: 12 minutes. Auditor coverage: ~70% on day one.

The CC6 walkthrough the auditor actually reads:

CC6.1 — Logical access controls (TSC 2017, mapped 1:1)

Sources: 47 authenticated endpoints, 12 public, 3 admin-only.
Evidence: every request lifecycle traced from route handler to
DB / external API call.

⚠ 1 finding requires remediation:
  api/admin/export.ts:23 → DB query without role-check middleware
   ├── 3-hop call chain bypasses requireAdmin()
   └── reachable from authenticated non-admin users

✓ 46 of 47 endpoints structurally enforce auth uniformly
✓ RBAC matrix: 4 roles × 47 endpoints, deterministic
✓ JWT validation: every protected route confirmed (file:line)
✓ Session lifecycle: documented across 8 sources

EVIDENCE PACK
  reproducible: yes (deterministic over canonical AST hash)
  file:line citations: 47 endpoints + 23 middleware hooks
  call-graph paths: 47
  ingest hash: blake3:9f2c...8b1a
  framework tag: SOC 2 TSC 2017 · CC6.1
  cloud calls: 0 · LLM calls: 0 · audit-friendly: yes

One control auto-attested with structural proof. One finding flagged with the exact file:line to fix. Re-run on every CI build to catch regressions before the auditor does.

04Side-by-side

The math for one Type II cycle.

Metric	Today (GRC + grep)	With `/argos-soc2-prep`
Evidence collection time	4-6 weeks · 8 engineers	5-15 minutes · one engineer
Internal evidence cost	~$38K (150h × $250)	$0 retrieval + ~$2 LLM prose
TSC 2017 buckets	"the spreadsheet from last year"	13 buckets, 1:1 with AICPA
Coverage automation	Manual narrative	~70% AUTO · 30% guided TODO
Reproducibility	No (manual screenshots)	Yes · re-run any time, byte-identical
Re-run on next quarter	Rebuild from scratch	One CLI call · cached behind content hash
Pairs with Vanta / Drata / SecureFrame	N/A	Yes — exports as supporting artifact
Standards	AICPA TSC narrative	AICPA TSC 2017 · CIS v8 · ISO 27001 · NIST 800-53

Numbers based on the reference SaaS repo (Express + Postgres, 14k symbols). Same engine drove the Kubernetes 1.32.0 audit (38,771 symbols, 4.2s ingest). For multi-framework runs (HIPAA + PCI-DSS + FedRAMP), see /compliance.

05What you get

13 buckets. Mapped 1:1 to AICPA TSC 2017. Branded PDF + Markdown source.

CC1 · Control environment — TODO template (governance prose; engineering org chart, code-of-conduct references).
CC2 · Communication — TODO template (incident communication channels; engineer onboarding evidence).
CC3 · Risk assessment — TODO template (threat-model references; sink-reachability summary auto-imported from /argos-security-reviewer).
CC4 · Monitoring — partial AUTO (observability hooks detected: log emitters, metric exporters, error-tracking integrations + their wiring).
CC5 · Control activities — partial AUTO (file ownership map via git-blame; code-review enforcement signals).
CC6 · Logical access controls — AUTO. Every authenticated endpoint inventoried, RBAC matrix generated (roles × endpoints), JWT validation paths confirmed, session lifecycle documented. The biggest TSC win.
CC7 · System operations — AUTO. Incident-response data flow walked. Observability wiring confirmed. Logging coverage by service.
CC8 · Change management — AUTO. Git history scan for required PR review, branch protection signals, change-frequency-by-file heat map. Pairs with the agent's git access.
CC9 · Risk mitigation — partial AUTO (sink reachability for known risk classes; dependency-hygiene cross-reference).
A1 · Availability — TODO template (uptime runbook, failure-mode narrative; engineering pulls from internal SRE docs).
C1 · Confidentiality — AUTO. Sink reachability for confidential-data sources (customer data, secrets, PII). Every flow proven structurally — no path slips through.
PI1 · Processing integrity — AUTO. Input validation map (every state-changing endpoint), data-transformation lineage, integrity-check coverage.
P1 · Privacy — AUTO. Full PII flow lineage from sources to sinks — what's logged, what's emailed, what's stored, what's shared with third parties. Pairs with /argos-pii-flow-mapper.

Branded PDF rendering (cover page, A4, Inter + JetBrains Mono) and the Markdown source are both produced by argosbrain delivery render — built into the CLI as of v0.26.0.

06FAQ

The questions every CISO and SOC 2 lead asks.

Does this replace Vanta, Drata, or SecureFrame?

No — it complements them. GRC platforms track POLICY (do you have an access-control policy written down). ArgosBrain proves IMPLEMENTATION (does the code actually enforce that policy). Most regulated SaaS teams use both: Vanta for evidence collection workflow, ArgosBrain for the code-level deterministic proofs that auditors increasingly demand. Export ArgosBrain evidence packs into your GRC tool as supporting artifacts.

Which Trust Services Criteria are covered?

All 13 buckets, mapped 1:1 to AICPA Trust Services Criteria 2017: CC1 control environment, CC2 communication, CC3 risk assessment, CC4 monitoring, CC5 control activities, CC6 logical access, CC7 system operations, CC8 change management, CC9 risk mitigation, plus A1 availability, C1 confidentiality, PI1 processing integrity, P1 privacy. Output structure follows the auditor's request-for-evidence template.

How much of the 13 buckets is automatic vs manual?

Roughly 70% AUTO (deterministic from the structural graph) and 30% TODO templates the team fills in. AUTO covers: CC6 (auth flow + RBAC matrix from code), CC7 (incident-response data flow, observability hooks), CC8 (change management from git history), C1 (sink reachability for confidential data paths), PI1 (processing integrity proofs), P1 (PII flow lineage). TODO covers governance prose (CC1-CC5) and the availability runbook narrative (A1).

Will my auditor accept structural proof?

Yes. Outputs are deterministic, byte-reproducible across runs, and contain file:line citations plus the exact call-graph path. Auditors increasingly prefer structural proof over written attestation — it's faster for them to validate. The evidence pack format mirrors AICPA SOC 2 sample templates and the AICPA TSC 2017 reference structure. The 13-bucket layout matches what most Big 4 firms ask for in the request-for-evidence.

How is this different from /compliance?

/compliance is the multi-framework page — HIPAA + SOC 2 + PCI-DSS + FedRAMP + SOX, structural proofs across all five frameworks. /soc-2-compliance (this page) is the SOC 2-specific orchestrator that produces a 13-bucket evidence package mapped 1:1 to TSC 2017. Use /argos-compliance-proofs when you need cross-framework structural proofs in one ingest. Use /argos-soc2-prep (this page's skill) when SOC 2 Type I / II is your immediate audit pressure and you want a single-framework deliverable on the auditor's desk.

Air-gapped deployment for SOC 2 Type II readiness?

Yes. Local-first by default. Pro and Enterprise tiers support fully air-gapped deployment — no source code leaves the network, no LLM in the retrieval path, no telemetry. Free tier transmits no source code, no file paths, no query content. The retrieval path is deterministic in-process Rust over local bincode storage. The SOC 2 evidence pack itself never touches the network.

How long does the package take to generate?

5-15 minutes for a small-to-medium SaaS repo (under 250k LOC). Initial ingest dominates the time budget; the orchestration phases are sub-second per bucket. Re-runs after a code change are typically 1-3 minutes thanks to content-hash skip — only the changed files re-ingest, the rest of the graph is reused. The auditor walkthrough that used to take 4-6 weeks of evidence collection collapses to a coffee break.

SOC 2 evidencefrom your code.One slash command.