Frameworks · SOC 2 Type I & Type II
The deal is waiting
on your SOC 2.
Procurement asked for your SOC 2 report and the deal went quiet. You don't have a security team — you have engineers who should be shipping product. Lionfish runs your SOC 2 program in the Cyber Tackle Box™: policies, controls, evidence, and the employee training auditors actually probe — with practitioners who answer the hard questions, so your team stays on the roadmap.
What SOC 2 really costs — and really pays
Sources: AICPA TSP 100; soc2auditors.org 171-firm fee dataset; Secureframe compliance benchmark surveys (vendor-published). Your numbers depend on scope — we'll estimate them free on the first call.
Who this is for
Built for the team that has revenue on the line
SOC 2 isn't a legal mandate — it's a sales gate. It lands on you the day a big customer's security team says "send the report."
- ✓B2B SaaS founders and CTOs with an enterprise deal (or a whole pipeline) stalled in security review — and no dedicated security hire.
- ✓Scale-ups with a first security hire who needs leverage: one person can't write 30 policies, chase evidence, and run awareness training alone.
- ✓MSPs, fintechs, and data processors whose customers' auditors are now asking about the vendors' vendors.
Sound familiar?
The pain we hear on every first call
- !The questionnaire graveyard. Every stalled security review costs weeks of pipeline — and the same questions come back on every deal.
- !Checkbox tools left you alone. Automation platforms collect evidence, then leave you to interpret findings, fix gaps, and face the auditor solo.
- !It never ends. Type II renews every year. Without a system of record, next year's audit starts from scratch.
The platform
How the Cyber Tackle Box™ runs your SOC 2 program
One platform runs the whole program — and the same evidence backbone serves ISO 27001, HIPAA, and NIST when your customers ask for those next.
Policy Templates
The 20–40 policies auditors expect, pre-built and mapped to the Trust Services Criteria — tailor them to your stack instead of writing from a blank page.
Objectives
Every criterion tracked against a target date and an owner, so "are we ready for the audit?" has a live, honest answer.
Remediation & POA&Ms
Gaps become assigned, dated work items driven to closure — not rows in a spreadsheet nobody opens.
Evidence, Organized
Controls, artifacts, and screenshots in one system of record your auditor can follow — timestamped, assigned, exportable.
Playbooks
Step-by-step runbooks for onboarding, access reviews, incident response, and vendor management — the operational proof Type II demands.
Training Built In
Security awareness training your auditor will actually credit — 52 modules including music-based training people finish — inside the same platform.
Why Lionfish
A platform with humans attached
Practitioners, not just software
Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.
One system of record
Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.
Veteran-owned & battle-tested
SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.
Straight answers
SOC 2 questions we answer every week
How much does SOC 2 certification cost?
Audit fees alone typically run $15K–$70K for a Type II with a specialist firm, and total first-year programs commonly land between $30K and $150K including readiness, tooling, and internal time. Right-sized preparation is the biggest lever: showing up ready cuts both the audit scope and the consultant hours. We scope your real number free on a 30-minute call.
What's the difference between SOC 2 Type I and Type II?
Type I is a point-in-time report on whether your controls are designed properly. Type II tests whether they actually operated over a window of typically 3–12 months — which is why enterprise customers usually insist on Type II, and why the calendar, not the paperwork, sets your timeline. Many companies do Type I first to unblock a deal, then roll into Type II.
How long does SOC 2 take?
Type I: roughly 3–8 months end to end. Type II: 6–20 months, because the observation window is a hard floor. The practical answer: start the program the week the first enterprise prospect asks, not the quarter the deal is dying.
We already use Vanta/Drata — why Lionfish?
Automation platforms are good at collecting evidence and bad at everything that actually fails audits: interpreting findings, writing defensible policies, changing employee behavior, and answering the auditor's follow-ups. Lionfish pairs the platform with practitioners who work by, with, and through your team — and our training is real curriculum from a state-accredited school, not a checkbox LMS.
Get in touch
Get your SOC 2 moving this week
Tell us about the deal that's waiting and the stack you run. You'll get a straight readiness estimate — timeline and budget — within one business day.
- 1We reply within one business day — usually faster.
- 2A 30-minute call with someone who can actually answer your questions.
- 3A straight recommendation — even if it's that you don't need us yet.
Prefer to skip the form? Book a time directly or call 1-877-732-6772.