SOC 2 Compliance for Web Security

SOC 2 is an audit of how your organization protects customer data, judged against the Trust Services Criteria by an independent auditor. SiteSecurityScore does not make you SOC 2 compliant on its own, and it does not touch the organizational controls. What it does is help you evidence the web and transport security technical controls auditors look at, such as encryption of data in transit, secure configuration of your public endpoints, and continuous monitoring. One free scan grades your TLS, security headers, CSP, DNS, and cookies, and daily monitoring keeps that evidence current across the audit period.

What SOC 2 is and where web security fits

SOC 2 is a reporting framework from the American Institute of Certified Public Accountants. An independent CPA firm examines a service organization and reports on how well its controls meet the Trust Services Criteria. Those criteria cover five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security category is mandatory and is known as the Common Criteria, often written as CC1 through CC9. The other four are optional and are only included when they apply to the service.

Most of the Common Criteria deal with organizational matters such as governance, risk assessment, access reviews, vendor management, and incident response. A scanner cannot speak to any of that. A focused set of the criteria, however, lands squarely on your public web and transport layer. CC6 expects you to protect data and restrict access, which on the web means enforcing encryption in transit with TLS and HSTS. The Common Criteria also expect secure configuration of the systems you expose, which on the web means correct security headers, a sound Content Security Policy, hardened cookies, and clean DNS records. CC7 expects you to monitor your systems and detect change. Those are exactly the controls SiteSecurityScore can observe from the outside and help you evidence.

Be clear on the boundary. SiteSecurityScore is a technical evidence tool for the web and transport layer. It does not grant SOC 2 compliance, replace an auditor, or cover the organizational controls. Use it to demonstrate the specific technical controls below, then rely on your policies, processes, and auditor for the rest.

SOC 2 Common Criteria mapped to SiteSecurityScore checks

The tables below map the SOC 2 control areas that touch web and transport security to what SiteSecurityScore actually checks. Covered (a green check) means the scanner directly produces evidence for that area. Partial (amber) means it covers part of the area but leaves a gap that other tooling has to fill. Not covered (a red cross) means the area sits outside what any web scanner can observe and belongs to your organizational controls.

Encryption of data in transit

Control area | SiteSecurityScore
TLS and SSL configuration analysis | Covered
Strict Transport Security (HSTS) enforcement | Covered
Certificate validity and chain verification | Covered
Encryption of internal service-to-service traffic | Partial

Secure configuration of web endpoints

Control area | SiteSecurityScore
Security headers (CSP, X-Frame-Options, Referrer-Policy) | Covered
Content Security Policy directive review | Covered
Cookie security (HttpOnly, Secure, SameSite) | Covered
CORS and cross-origin configuration | Covered
DNS records (SPF, DKIM, DMARC, CAA) | Covered

Continuous monitoring and change detection (CC7)

Control area | SiteSecurityScore
Automated daily scans of public configuration | Covered
Email alerts on posture or certificate changes | Covered
Historical scan records over the audit period | Covered
Monitoring of internal systems and infrastructure logs | Partial

Vulnerability identification on the configuration layer

Control area | SiteSecurityScore
Detection of missing or weak security headers | Covered
Weak TLS protocol and cipher detection | Covered
Misconfigured cookies and CORS flagging | Covered
Application code and dependency vulnerabilities | Partial

Access control and organizational policies

Control area | SiteSecurityScore
User access provisioning and reviews | Not covered
Security awareness training and HR controls | Not covered
Change management approvals and ticketing | Not covered
Vendor risk and incident response procedures | Not covered

The access control and organizational rows are intentionally marked as not covered. No external web scanner can verify how you provision accounts, train staff, approve changes, or manage vendors. Those controls live in your identity platform, ticketing system, HR records, and policy documents, and your auditor reviews them directly.

How SiteSecurityScore helps your SOC 2 evidence

Auditors work from evidence, not assertions. For the web and transport controls, SiteSecurityScore gives you three kinds of evidence that map cleanly to how a SOC 2 examination is run.

Point-in-time scan reports

Each scan records the exact state of your TLS, HSTS, security headers, CSP, cookies, and DNS at that moment, with a letter grade and findings. That is the snapshot a Type I review or a control walkthrough needs.

Continuous monitoring records

Daily automated scans plus email alerts build a trail across the whole audit period. A Type II report tests whether controls operated over months, and this history shows your secure configuration held over time.

PDF reports for auditors

Export a clean PDF of any scan and hand it straight to your auditor or drop it into your evidence repository. No screenshots or manual write-ups of header values required.

A practical workflow looks like this. Run a scan to capture a baseline and fix anything the report flags using the copy-and-paste recommendations. Turn on daily monitoring so the posture is checked every day and you are alerted the moment a header or certificate changes. When the audit window opens, export PDF reports and pull the monitoring history to show the controls operated continuously. The technical evidence is then ready, and you can spend your time on the organizational controls that need human attention.

Continuous monitoring as CC7 evidence

A single scan proves one day. SOC 2 Type II asks whether controls operated across a period that is often six to twelve months. One snapshot cannot answer that, which is why continuous monitoring matters for the CC7 system operations criteria.

SiteSecurityScore monitoring runs automated scans of your TLS and SSL certificates, security headers, Content Security Policy, DNS records, and cookies every day. When anything changes or a new issue appears, you receive an email alert immediately. The result is a continuous record that your secure configuration stayed in place and that your team detected and responded to change, which is precisely the kind of operating evidence a Type II examiner samples.

Automated daily scans

Every monitored site is scanned once per day covering TLS, headers, CSP, DNS, and cookies, building the audit trail.

Email alerts on changes

Get notified when a certificate nears expiration, a security header is removed, or your posture drifts.
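As an added illustration of the change-detection control described above (this is example code, not SiteSecurityScore's own scanner), the Python below compares today's observed headers and certificate expiry against a stored baseline and returns the alerts a daily run would record. The two snapshots are constructed sample data.

```python
"""Daily posture drift check: compare today's observed web configuration
against a stored baseline and return alert lines, the kind of record a
CC7 change-detection control produces. Snapshots below are constructed."""
from datetime import date
import re

# Headers whose removal or weakening should raise an alert.
SECURITY_HEADERS = (
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "referrer-policy", "x-content-type-options",
)

def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or 0 if absent."""
    m = re.search(r"max-age=(\d+)", value or "", re.IGNORECASE)
    return int(m.group(1)) if m else 0

def detect_drift(baseline, current, today, warn_days=30):
    """Snapshots are {'headers': {...}, 'cert_expires': date}.
    Returns a list of alert strings; an empty list means posture held."""
    alerts = []
    base_h = {k.lower(): v for k, v in baseline["headers"].items()}
    cur_h = {k.lower(): v for k, v in current["headers"].items()}
    for name in SECURITY_HEADERS:
        if name in base_h and name not in cur_h:
            alerts.append(f"REMOVED header {name}")
        elif name in base_h and cur_h[name] != base_h[name]:
            alerts.append(f"CHANGED header {name}: {base_h[name]!r} -> {cur_h[name]!r}")
    # A shorter max-age weakens HSTS even though the header is still present.
    hsts = "strict-transport-security"
    if hsts in cur_h and hsts_max_age(cur_h[hsts]) < hsts_max_age(base_h.get(hsts)):
        alerts.append("WEAKENED HSTS max-age")
    days_left = (current["cert_expires"] - today).days
    if days_left <= warn_days:
        alerts.append(f"CERT expires in {days_left} days")
    return alerts

# Constructed baseline captured on a good day, and a later snapshot after a
# deploy that dropped X-Frame-Options and shortened the HSTS max-age.
BASELINE = {"headers": {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff"}, "cert_expires": date(2025, 3, 1)}
TODAY = {"headers": {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff"}, "cert_expires": date(2025, 3, 1)}

def run_daily_check(today=date(2025, 2, 10)):
    """One monitoring run; the returned list is the evidence line for the day."""
    return detect_drift(BASELINE, TODAY, today)
```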

Scan your site and set up monitoring

Run a free scan to capture your web and transport security baseline, then turn on daily monitoring so your SOC 2 technical evidence stays current across the whole audit period. No account required to start.

Frequently asked questions

Does SiteSecurityScore make me SOC 2 compliant?

No. SiteSecurityScore does not make you SOC 2 compliant on its own. SOC 2 compliance is awarded by an independent CPA firm after an audit that reviews your people, processes, and technology against the Trust Services Criteria. What SiteSecurityScore does is help you evidence specific technical controls on the web and transport layer, such as encryption of data in transit, secure configuration of public endpoints, and continuous monitoring. Those are pieces of evidence an auditor reviews, not the certification itself.

Which SOC 2 criteria does SiteSecurityScore map to?

SiteSecurityScore maps most directly to the Security category, also called the Common Criteria. It supports CC6 logical and physical access controls where they touch encryption of data in transit (TLS and HSTS), CC7 system operations where it provides continuous monitoring and change detection on your public web configuration, and the secure configuration expectations that run through the Common Criteria. It does not cover organizational controls like access reviews, vendor management, or HR policies.

Can I use SiteSecurityScore scan reports as SOC 2 audit evidence?

Yes, as point-in-time technical evidence. A SiteSecurityScore scan report shows the state of your TLS configuration, HSTS, security headers, cookies, and DNS records at the moment of the scan, with a letter grade and findings. You can export a PDF report and hand it to an auditor to demonstrate that your public endpoints enforce encryption in transit and secure configuration. Pair it with daily monitoring records to show that the posture is maintained over the audit period, not just on one day.

Does SiteSecurityScore cover the organizational controls in SOC 2?

No. SiteSecurityScore is a web security scanner, so it stays on the technical web and transport layer. It does not cover organizational controls such as access provisioning and deprovisioning, background checks, security awareness training, change management approvals, incident response procedures, or vendor risk management. Those controls require policies, ticketing systems, HR records, and governance evidence that sit outside what any external scanner can see.

How does continuous monitoring help with SOC 2?

SOC 2 Type II audits look at how controls operate over a period, often six to twelve months, not just on a single day. The CC7 criteria expect you to monitor systems and detect changes. SiteSecurityScore runs automated daily scans of your TLS, headers, CSP, DNS, and cookies, and emails you an alert when something changes, such as an expiring certificate or a removed security header. That trail of daily scans and alerts is useful evidence that your monitoring and change detection controls actually operated across the audit window.

Is SiteSecurityScore free to use for SOC 2 evidence gathering?

The core scanner is free. You can run a free website security scan covering security headers, TLS and SSL, DNS records, Content Security Policy, cookies, CORS, and security.txt, with no account required. Paid plans add continuous daily monitoring with email alerts, PDF report exports, REST API access, and higher scan limits, which are the features most useful when you are assembling continuous evidence for a SOC 2 audit.