
> SOC 2 domain evidence

evidence for SOC 2 CC6.x domain controls

a signed, hash-chained PDF + JSON sidecar covering the SOC 2 CC6.x domain-related controls — TLS, email authentication, security headers, transport hardening — for one root domain and up to 100 subdomains discovered from Certificate Transparency (CT) logs. for SOC 2 prep teams, audit responders, and the consultants and MSPs who run the engagement.

what auditors ask

SOC 2 Trust Services Criteria 2017, with the points-of-focus (PoF) revisions from 2022.

  • is data in transit protected by a valid, current TLS certificate? (SOC 2 CC6.1 · ISO 27001 A.8.24 · NIST SC-8(1))
  • does this domain publish an SPF record limiting authorised senders? (SOC 2 CC6.7 · ISO 27001 A.8.20 · NIST SC-8)
  • does this domain enforce a DMARC policy (quarantine or reject)? (SOC 2 CC6.7 · ISO 27001 A.5.14 · NIST SC-8)
  • are outgoing emails DKIM-signed under a published selector? (SOC 2 CC6.7 · ISO 27001 A.8.24 · NIST SC-8)
  • are HSTS, CSP, X-Frame-Options, and related headers configured? (SOC 2 CC6.6 · ISO 27001 A.8.23 · NIST SC-7(8))
  • are cross-origin policies appropriately restrictive at this origin? (SOC 2 CC6.6 · ISO 27001 A.8.23 · NIST AC-4)
  • does this domain enforce MTA-STS to prevent SMTP downgrade attacks? (SOC 2 CC6.7 · ISO 27001 A.8.24 · NIST SC-8)
  • is DNSSEC signing enabled for this zone? (SOC 2 CC6.6 · ISO 27001 A.8.20 · NIST SC-20)
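the three email questions above (SPF, DMARC, MTA-STS) are answered by reading records rather than by sending mail, and the pass/fail line is narrower than "a record exists". the Go program below is an added example, not the pack's own scanner: it evaluates constructed records offline (no DNS or HTTPS fetch), and the record strings, the Finding struct and the function names are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one row of auditor-facing evidence: which control, pass/fail, and why.
type Finding struct {
	Control string
	Pass    bool
	Detail  string
}

// parseTags splits a "k=v; k=v" record (DMARC, MTA-STS TXT) into a map with lower-cased keys.
func parseTags(rec string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(rec, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// EvalSPF: a record only limits senders if it terminates in -all (fail) or ~all (softfail);
// +all, ?all or a missing all mechanism authorises any host. It also counts the terms that
// cost a DNS lookup, because more than 10 makes receivers return permerror (RFC 7208 §4.6.4).
func EvalSPF(txt string) Finding {
	terms := strings.Fields(txt)
	if len(terms) == 0 || !strings.EqualFold(terms[0], "v=spf1") {
		return Finding{"SPF", false, "no v=spf1 record"}
	}
	lookups := 0
	for _, t := range terms[1:] {
		name := strings.TrimLeft(strings.ToLower(t), "+-~?") // strip the qualifier
		switch {
		case name == "a", name == "mx", strings.HasPrefix(name, "a:"), strings.HasPrefix(name, "a/"),
			strings.HasPrefix(name, "mx:"), strings.HasPrefix(name, "mx/"), strings.HasPrefix(name, "include:"),
			strings.HasPrefix(name, "exists:"), strings.HasPrefix(name, "ptr"), strings.HasPrefix(name, "redirect="):
			lookups++
		}
	}
	if lookups > 10 {
		return Finding{"SPF", false, fmt.Sprintf("%d lookup terms exceed the limit of 10 (permerror)", lookups)}
	}
	switch last := strings.ToLower(terms[len(terms)-1]); last {
	case "-all", "~all":
		return Finding{"SPF", true, "terminates with " + last}
	case "+all", "all", "?all":
		return Finding{"SPF", false, "terminates with " + last + ", which authorises any sender"}
	default:
		return Finding{"SPF", false, "no terminating all mechanism (check any redirect= target)"}
	}
}

// EvalDMARC: only p=quarantine or p=reject enforces. pct below 100 applies the policy to a
// sample of mail, and an explicit sp=none leaves subdomains at monitor-only (sp defaults to p).
func EvalDMARC(txt string) Finding {
	tags := parseTags(txt)
	if tags["v"] != "DMARC1" {
		return Finding{"DMARC", false, "no v=DMARC1 record"}
	}
	p := strings.ToLower(tags["p"])
	if p == "" {
		p = "missing"
	}
	if p != "quarantine" && p != "reject" {
		return Finding{"DMARC", false, "p=" + p + " does not enforce (monitor-only)"}
	}
	if pct, ok := tags["pct"]; ok && pct != "100" {
		return Finding{"DMARC", false, "p=" + p + " but pct=" + pct + " applies it to only part of the mail stream"}
	}
	if strings.ToLower(tags["sp"]) == "none" {
		return Finding{"DMARC", false, "p=" + p + " but sp=none leaves subdomains unenforced"}
	}
	return Finding{"DMARC", true, "p=" + p}
}

// EvalMTASTS needs two artefacts: the _mta-sts.<domain> TXT record (v=STSv1; id=...) and the
// policy body served at https://mta-sts.<domain>/.well-known/mta-sts.txt. Only "mode: enforce"
// refuses delivery to an MX without a valid certificate; "testing" merely reports via TLS-RPT.
func EvalMTASTS(txt, policy string) Finding {
	if parseTags(txt)["v"] != "STSv1" {
		return Finding{"MTA-STS", false, "no v=STSv1 TXT record"}
	}
	mode := "missing"
	for _, line := range strings.Split(policy, "\n") {
		if kv := strings.SplitN(line, ":", 2); len(kv) == 2 && strings.TrimSpace(kv[0]) == "mode" {
			mode = strings.TrimSpace(kv[1])
		}
	}
	if mode != "enforce" {
		return Finding{"MTA-STS", false, "policy mode is " + mode + ", not enforce"}
	}
	return Finding{"MTA-STS", true, "mode: enforce"}
}

func main() {
	// Constructed records standing in for live DNS answers and the HTTPS policy fetch.
	for _, f := range []Finding{
		EvalSPF("v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"),
		EvalSPF("v=spf1 a mx +all"),
		EvalDMARC("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
		EvalDMARC("v=DMARC1; p=quarantine; pct=25"),
		EvalMTASTS("v=STSv1; id=20240101T000000", "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmax_age: 604800\n"),
		EvalMTASTS("v=STSv1; id=20240101T000000", "version: STSv1\nmode: testing\nmx: mx1.example.com\nmax_age: 86400\n"),
	} {
		fmt.Printf("%-8s %-5v %s\n", f.Control, f.Pass, f.Detail)
	}
}
```

the second SPF record and the pct=25 DMARC record are the two cases auditors most often accept on sight: both "have a record", neither limits or enforces anything.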

what you get

  • 10 dossier checks + 5 paid checks (MTA-STS, TLS-RPT, DNSSEC, WHOIS, CT log)
  • up to 100 CT-discovered subdomains, each with DNS / TLS / headers
  • severity-graded findings + plain-English remediation
  • ISO-8601 UTC timestamps, SHA-256 hash + Ed25519 detached signature
  • JSON sidecar for machine consumption + signed manifest
  • public, versioned methodology document linked from each pack
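the SHA-256 hashes and the Ed25519 detached signature only mean something if the recipient actually verifies them, and in the right order: check the signature over the manifest first, then walk the hashes down to the PDF, so no hash is trusted before the bytes stating it are authenticated. the Go program below is an added example, not the pack's own tooling. the page does not publish the manifest layout, so the chain used here (manifest states the sidecar hash, sidecar states the PDF hash, signature covers the manifest bytes as shipped) is an assumption; the methodology document is the authority on the real format. the key pair generated inline stands in for the vendor's published verification key, and the PDF and findings bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Pack is what a recipient holds. Layout is this example's assumption:
// Signature -> Manifest (names the sidecar hash) -> Sidecar (names the PDF hash) -> PDF.
type Pack struct {
	PDF       []byte
	Sidecar   []byte // JSON: {"pdf_sha256": "...", "findings": [...]}
	Manifest  []byte // JSON: {"sidecar_sha256": "...", "generated_at": "..."}
	Signature []byte // 64-byte detached Ed25519 signature over Manifest
}

func sha256Hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// VerifyPack walks the chain from the vendor's key down to the PDF bytes. The signature is
// checked before any hash the manifest states is relied on; a forged manifest with matching
// hashes must fail here, not pass because its arithmetic is self-consistent.
func VerifyPack(pub ed25519.PublicKey, p Pack) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key is not 32 bytes")
	}
	if !ed25519.Verify(pub, p.Manifest, p.Signature) {
		return errors.New("manifest signature does not verify under the supplied key")
	}
	var m struct {
		SidecarSHA256 string `json:"sidecar_sha256"`
	}
	if err := json.Unmarshal(p.Manifest, &m); err != nil {
		return fmt.Errorf("manifest: %w", err)
	}
	if got := sha256Hex(p.Sidecar); got != m.SidecarSHA256 {
		return fmt.Errorf("sidecar hash mismatch: manifest says %s, computed %s", m.SidecarSHA256, got)
	}
	var s struct {
		PDFSHA256 string `json:"pdf_sha256"`
	}
	if err := json.Unmarshal(p.Sidecar, &s); err != nil {
		return fmt.Errorf("sidecar: %w", err)
	}
	if got := sha256Hex(p.PDF); got != s.PDFSHA256 {
		return fmt.Errorf("pdf hash mismatch: sidecar says %s, computed %s", s.PDFSHA256, got)
	}
	return nil
}

// BuildPack plays the issuing side so the example runs offline: it chains the hashes for
// constructed PDF bytes and signs the manifest with priv. findings must be a JSON array.
func BuildPack(priv ed25519.PrivateKey, pdf []byte, findings string) Pack {
	sidecar := []byte(fmt.Sprintf(`{"pdf_sha256":"%s","findings":%s}`, sha256Hex(pdf), findings))
	manifest := []byte(fmt.Sprintf(`{"sidecar_sha256":"%s","generated_at":"2024-01-01T00:00:00Z"}`, sha256Hex(sidecar)))
	return Pack{PDF: pdf, Sidecar: sidecar, Manifest: manifest, Signature: ed25519.Sign(priv, manifest)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's published key
	pdf := []byte("%PDF-1.7 constructed stand-in for the evidence pack PDF")
	p := BuildPack(priv, pdf, `[{"control":"DMARC","pass":true}]`)
	fmt.Println("genuine pack:", VerifyPack(pub, p))
	p.PDF[10] ^= 0x01 // flip one bit of the PDF after signing
	fmt.Println("tampered pdf:", VerifyPack(pub, p))
}
```

pin the vendor's public key out of band (from the methodology page or a prior engagement), not from inside the pack you are verifying; a pack that ships its own key proves only that it is internally consistent.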

what this is not

the Evidence Pack is supporting technical evidence for public-facing domain controls. it is not a SOC 2 audit report and does not replace an auditor; it gives them less to chase. it is not a penetration test, not a risk register, and not a substitute for compliance tooling like Vanta, Drata, or Secureframe — those tools manage the audit programme; the pack documents the public domain surface they reference.

pricing

one-shot evidence packs from $29. monitoring subscriptions for daily re-scans, regression alerts, and monthly fresh packs from $19 / month.

buy a signed pack →

framework references map to SOC 2 TSC 2017 and ISO/IEC 27001:2022. older versions (TSC 2014, ISO 27001:2013) have approximate equivalents — the methodology page documents the mapping.