WarDek is a complete compliance suite that combines an OWASP vulnerability scanner with NIS2, AI Act and GDPR compliance modules, specially designed for European SMEs.

Is my company subject to NIS2?

The NIS2 directive applies to essential and important entities in sectors such as energy, healthcare, transport, digital, etc. Use our free simulator to check.

How should I use WarDek reports in an audit?

WarDek reports provide a practical working base for your team, auditor, or compliance preparation. They are not an official certification or legal opinion.

How long does a scan take?

A complete OWASP scan typically takes between 2 and 5 minutes depending on the complexity of your website.

Absolutely. We never store your credentials. Reports are encrypted and you can delete them at any time. We are hosted in France.

Can I try before I buy?

Yes! The Free plan lets you test WarDek with 3 scans per month, no credit card required.

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA (American Institute of Certified Public Accountants). It evaluates how organizations manage customer data based on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 reports are essential for SaaS companies and service providers handling sensitive data.

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I evaluates the design of controls at a specific point in time. SOC 2 Type II evaluates both the design AND operating effectiveness of controls over a period (typically 6-12 months). Type II is more rigorous and is what most enterprise customers require. Type I is often used as a stepping stone.

What are the five Trust Service Criteria?

The five TSC are: (1) Security (CC series) — protection against unauthorized access, (2) Availability (A series) — system uptime and disaster recovery, (3) Processing Integrity (PI series) — accurate and complete data processing, (4) Confidentiality (C series) — protection of confidential information, (5) Privacy (P series) — personal information handling. Security is mandatory; others are optional but commonly included.

How long does SOC 2 certification take?

SOC 2 Type I typically takes 3-6 months to prepare for and complete. SOC 2 Type II requires an additional 6-12 month observation period after controls are in place. Total timeline: 9-18 months from start to Type II report. Preparation tools like WarDek can accelerate the technical readiness assessment.

How does SOC 2 relate to ISO 27001 and NIS2?

SOC 2 originated in the US and focuses on service organization trust. ISO 27001 is the international ISMS standard with broader scope. NIS2 is EU-specific regulation. They are complementary: ISO 27001 provides the management framework, SOC 2 provides the audit evidence for US/UK clients, and NIS2 addresses EU regulatory requirements. Having one significantly accelerates compliance with the others.

What can WarDek automate for SOC 2?

WarDek automatically assesses 8 SOC 2 controls through its security scanners: logical access controls (CC6.1), system boundaries (CC6.6), transmission security (CC6.7), monitoring and detection (CC7.1), anomaly detection (CC7.2), change management (CC8.1), availability controls (A1.2), and confidentiality posture (C1.1). A single scan generates an automated Trust Service Criteria assessment.

SOC 2 Type II Compliance Guide — Trust Service Criteria

What Is SOC 2 and Why It Matters

SOC 2 (System and Organization Controls 2) is an auditing framework created by the AICPA (American Institute of Certified Public Accountants). It defines criteria for managing customer data based on five Trust Service Criteria(TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Unlike certifications such as ISO 27001, SOC 2 produces an attestation reportissued by an independent CPA firm. This report is increasingly requested by enterprise buyers during procurement, especially in the United States and United Kingdom. For SaaS companies, a SOC 2 Type II report has become the de facto trust signal — without one, enterprise deals stall or disappear entirely.

The market context is clear: according to the Cloud Security Alliance, over 80% of enterprise RFPs now require SOC 2 or equivalent compliance evidence. Organizations that proactively pursue SOC 2 close deals 40% faster than those who scramble to produce evidence on demand.

SOC 2 Type I vs Type II

SOC 2 comes in two report types, each serving a different purpose in your compliance journey:

Aspect	Type I	Type II
Scope	Design of controls at a point in time	Design + operating effectiveness over a period
Duration	Single date (snapshot)	6–12 month observation window
Cost	$20,000–$60,000	$30,000–$100,000+
Timeline	3–6 months preparation	9–18 months total
Enterprise acceptance	Acceptable as interim evidence	Preferred and often required
Renewal	Not recurring	Annual re-audit required

Most organizations start with Type I to demonstrate that controls exist, then transition to Type II to prove those controls work consistently. Some companies skip Type I entirely if their control maturity is already high.

The Five Trust Service Criteria

SOC 2 evaluates organizations against five Trust Service Criteria. Security (Common Criteria) is mandatory for all SOC 2 reports. The other four are optional but commonly included depending on business context:

1. Security (CC Series) — Mandatory

The Security criterion, also called the Common Criteria, forms the foundation of every SOC 2 report. It covers protection of information and systems against unauthorized access, unauthorized disclosure of information, and damage to systems. The CC series spans 9 categories (CC1 through CC9) with over 30 individual control points covering governance, risk assessment, monitoring, logical access, system operations, and change management.

2. Availability (A Series)

The Availability criterion addresses whether systems are operational and usable as committed. It covers disaster recovery planning, business continuity, incident response, and system monitoring. Key controls include A1.1 (capacity planning), A1.2 (environmental protections and recovery), and A1.3 (recovery testing). This criterion is essential for SaaS companies with uptime SLAs.

3. Processing Integrity (PI Series)

Processing Integrity ensures that system processing is complete, valid, accurate, timely, and authorized. It is particularly relevant for fintech, healthtech, and any service that processes transactions or sensitive calculations. Controls include PI1.1 (processing objectives defined), PI1.2 (input validation), PI1.3 (processing accuracy), PI1.4 (output review), and PI1.5 (error handling).

4. Confidentiality (C Series)

The Confidentiality criterion protects information designated as confidential (trade secrets, business plans, intellectual property, PII governed by contract). Controls include C1.1 (identification of confidential information), C1.2 (disposal of confidential information), and encryption requirements for data at rest and in transit.

5. Privacy (P Series)

The Privacy criterion addresses personal information collection, use, retention, disclosure, and disposal. It aligns closely with privacy regulations like GDPR and CCPA. The P series includes 8 categories covering notice, choice and consent, collection, use/retention/disposal, access, disclosure, quality, and monitoring. Including this criterion strengthens your GDPR compliance narrative significantly.

8 Key Controls WarDek Automates

WarDek's automated security scanning maps directly to SOC 2 Trust Service Criteria controls. A single scan evaluates 8 critical control areas, generating evidence you can present to your auditor:

Control Reference	Control Name	What WarDek Checks
CC6.1	Logical Access Controls	Authentication mechanisms, session management, cookie security flags (Secure, HttpOnly, SameSite), access control headers
CC6.6	System Boundaries	Security headers (CSP, X-Frame-Options, X-Content-Type-Options), CORS configuration, resource isolation, clickjacking protection
CC6.7	Transmission Security	TLS configuration (protocol version, cipher suites, certificate validity), HSTS enforcement, mixed content detection, certificate chain validation
CC7.1	Monitoring and Detection	Security header presence indicating monitoring capability, error handling configuration, information disclosure prevention, server version exposure
CC7.2	Anomaly Detection	Rate limiting headers, bot protection indicators, abuse prevention mechanisms, suspicious pattern detection capabilities
CC8.1	Change Management	Subresource Integrity (SRI) on scripts and stylesheets, version pinning evidence, deployment configuration indicators, asset integrity verification
A1.2	Availability Controls	CDN and caching configuration, redundancy indicators, DNS configuration (multiple nameservers, DNSSEC), response time baseline measurement
C1.1	Confidentiality Posture	Data exposure in HTML source, sensitive information in headers, directory listing prevention, backup file exposure, API key leakage detection

After scanning, WarDek generates a Trust Service Criteria Assessmentthat maps each finding to the corresponding SOC 2 control. This serves as a readiness baseline — helping you identify gaps before engaging an auditor, and providing continuous evidence during the Type II observation window.

SOC 2 Readiness Roadmap for SaaS Companies

Achieving SOC 2 compliance is a structured process. Here is a practical roadmap tailored to SaaS organizations:

Phase 1: Scoping and Gap Analysis (Weeks 1–4)

Define which Trust Service Criteria apply (Security is mandatory; most SaaS include Availability and Confidentiality)
Identify system boundaries — which infrastructure, applications, and third-party services are in scope
Run an automated baseline scan (WarDek) to identify technical gaps against SOC 2 controls
Document your current control environment and identify missing policies

Phase 2: Remediation and Control Implementation (Weeks 5–16)

Implement missing technical controls (encryption, access management, monitoring, logging)
Draft required policies: Information Security Policy, Access Control Policy, Incident Response Plan, Change Management Policy, Business Continuity Plan, Risk Assessment Methodology
Deploy monitoring and alerting systems for continuous evidence collection
Configure automated vulnerability scanning on a recurring schedule
Train employees on security awareness and incident reporting

Phase 3: Type I Audit (Weeks 17–24)

Engage a CPA firm experienced in SOC 2 for technology companies
Provide evidence of control design (policies, configurations, architecture diagrams)
Auditor evaluates whether controls are suitably designed to meet TSC criteria
Address any findings or exceptions identified in the draft report
Receive your SOC 2 Type I report — immediately shareable with prospects

Phase 4: Observation Period and Type II (Months 7–18)

Operate controls consistently for 6–12 months while collecting evidence
Run regular WarDek scans to generate continuous compliance evidence
Document incidents and their resolution (even zero-incident periods need documentation)
Conduct internal audits and management reviews at least quarterly
Auditor tests operating effectiveness through sampling and inquiry
Receive your SOC 2 Type II report — the gold standard for enterprise trust

Relationship with ISO 27001, NIS2, and GDPR

SOC 2 does not exist in isolation. Modern compliance programs typically involve multiple frameworks, and understanding their overlap reduces duplicated effort:

Framework	Origin	Focus	Overlap with SOC 2
ISO 27001	International (ISO)	Information Security Management System (ISMS)	~60–70% control overlap. ISO 27001 Annex A maps well to CC series controls.
NIS2	European Union	Network and Information Security for critical sectors	~50% overlap on technical measures (Article 21 maps to CC6, CC7, A1 controls).
GDPR	European Union	Personal data protection and privacy rights	~40% overlap. SOC 2 Privacy criterion (P series) directly supports GDPR Article 32 compliance.
OWASP Top 10	OWASP Foundation	Critical web application security risks	Directly supports CC6 (access control) and CC7 (monitoring) evidence collection.

The key insight: building one compliance program accelerates all others. An organization with ISO 27001 certification can achieve SOC 2 in roughly half the time, because the management system, policies, and many technical controls are already in place. Similarly, SOC 2 evidence directly supports NIS2 Article 21 requirements for technical and operational measures.

WarDek's multi-framework scanning approach recognizes this reality. A single scan generates findings mapped to SOC 2, NIS2, and OWASP simultaneously — eliminating the need to run separate assessments for each framework and providing a unified compliance dashboard.

Common SOC 2 Pitfalls to Avoid

Starting too late:Enterprise prospects expect SOC 2 evidence during evaluation. Starting after a deal is on the line means 6–18 months of delay.
Scoping too broadly: Include only systems that process, store, or transmit customer data. Over-scoping increases cost and timeline without proportional benefit.
Treating it as a checkbox: SOC 2 is an ongoing program, not a one-time project. Controls must operate continuously, not just during audit windows.
Ignoring vendor management: Your SOC 2 scope includes critical subservice organizations (hosting providers, payment processors). Ensure they have their own SOC 2 reports.
Manual evidence collection: Manually gathering screenshots and logs for 100+ controls is unsustainable. Automate evidence collection from day one using tools like WarDek.
Choosing the wrong auditor: Select a CPA firm experienced in technology and SaaS. Industry expertise significantly reduces friction and back-and-forth during the audit.

SOC 2 Type II — Complete Guide for SaaS Companies