
Thanks!! There are some fairly good OS models for the core stuff (PII, SSNs, etc.) out there already (Presidio, spaCy), so folks that need an OS option have one to start with. Detecting the more complex stuff can sometimes need a little iteration, but I could definitely imagine a world where we publish that in the future.

On SOC 2, we used Drata, and spoke to Vanta, Laika and a few others. The price Vanta initially quoted us was waaaay higher than the other two, and between Laika and Drata we went with Drata mostly because there seemed to be more automation in Drata. In the end, the Drata live support was incredible, and it's hard to imagine how we would have gotten the certification so fast without it. We started our infra on DO, and so the most painful part of SOC 2 for us was the migration we did to AWS to take advantage of AWS' many security features. My main advice would be to make full use of the Drata live support (I'd guess Vanta have something similar), but maybe on a deeper level: when you're doing SOC 2, don't focus on the certification; focus on the policies and technology that actually make your company secure. In the end, that's what enterprises really care about, especially the ones that have given us 300-question-long questionnaires!

Nice! How long did it take end-to-end to get the SOC 2 Type 1?

Our AWS migration wound up taking about 4 weeks, getting all the policies in place took about 8 weeks (which overlapped with about 2 weeks of the migration), and then the audit itself was a couple of weeks as well.