Safeguard
Compliance

SOC 2 Type II reporting for AppSec vendors and buyers

A SOC 2 Type II badge isn't enough due diligence for AppSec vendors. Here's what to actually check in the report—scope, exceptions, and subservice carve-outs—before you trust one.

Marina Petrov
Compliance Analyst
8 min read

When an AppSec vendor asks your security team to trust it with source code access, scan results, and vulnerability data, "trust us" isn't a control — a SOC 2 Type II report is. Yet a surprising number of procurement conversations still treat SOC 2 as a checkbox: does the vendor have "a SOC 2," yes or no, next question. That question is the wrong one. A vendor can hold a SOC 2 Type II report that covers six months of a single AWS region while your production scans run through three regions and a shared multi-tenant queue the report never mentions. For buyers evaluating incumbents like Veracode alongside newer supply-chain security platforms, the real diligence work starts after you've confirmed a report exists: which Trust Services Criteria are in scope, how long the observation period ran, what exceptions the auditor noted, and whether the system description matches the product you're actually buying. This post walks through what SOC 2 Type II means for AppSec tooling specifically, what to ask incumbent vendors, and where Safeguard's approach to compliance evidence differs.

What Is SOC 2 Type II, and Why Does It Matter More for AppSec Vendors Than Most SaaS?

SOC 2 Type II matters more for AppSec vendors because these products sit deeper in the software supply chain than typical SaaS — they ingest source code, dependency manifests, container images, and sometimes CI/CD credentials, then produce findings that inform release decisions. The American Institute of CPAs (AICPA) defines SOC 2 around five Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. A Type I report attests that controls were suitably designed at a single point in time; a Type II report attests that those controls actually operated effectively over an observation window, typically 3 to 12 months, with 6 and 12 months being the most common ranges vendors choose. For a SAST/DAST/SCA vendor, that distinction is not academic: a scanner that touches your entire codebase needs a report proving controls held up over months of real operation, not a snapshot taken the week before the sales call. Buyers should always ask which window the current report covers and request the actual PDF, not a marketing summary — a one-page "SOC 2 compliant" badge on a trust page is not audit evidence.

Does Veracode Publish a SOC 2 Type II Report, and What Should You Verify in It?

Veracode, like most established enterprise AppSec vendors, makes SOC 2 Type II attestation available to prospective customers through its trust and security documentation, typically gated behind an NDA request rather than posted publicly in full. That gating is standard practice — the report itself contains system architecture and control details that vendors reasonably treat as sensitive — but it means buyers can't rely on a badge alone and need to actually request and read the document. When you get the report, check four things specifically: the report period (a report dated 14 months ago with no bridge letter is effectively expired for renewal decisions); the scope boundary (does it cover the core scanning platform, or just a support ticketing subsystem carved out for the audit); the subservice organizations listed (cloud infrastructure providers are almost always excluded via the "carve-out method," meaning the vendor's own report doesn't vouch for AWS or Azure's controls — you inherit that dependency separately); and the exceptions section, where auditors note any control that didn't operate as designed during the period. A report with zero exceptions across a 12-month window is a stronger signal than one with unremediated exceptions from the prior cycle carried forward.

How Long Does It Take an AppSec Vendor to Get SOC 2 Type II Certified, and What Does That Timeline Tell Buyers?

A first-time SOC 2 Type II typically takes 9 to 15 months end to end: roughly 2-4 months to design and implement controls, then a mandatory 3-12 month observation period (most vendors run 6 months for their first report), followed by 4-8 weeks for the auditor to test evidence and issue the report. That timeline matters to buyers evaluating a newer entrant against an incumbent: if a vendor was founded in 2023 and shows you a SOC 2 Type II report dated early 2024, the observation window was necessarily short — often the minimum viable 3 months — which is legitimate but worth knowing when you're comparing it to a 15-year-incumbent's 12-month report. Conversely, don't assume tenure alone equals rigor. Ask every vendor, incumbent or not, for their audit firm's name (Big Four and mid-market firms like A-LIGN, Prescient, or Schellman all issue valid reports, but the firm's specialization in SaaS/security audits is worth knowing), and ask whether the report has ever lapsed between cycles. A gap of more than a few weeks between one report's end date and the next one's start date, without a bridge letter covering the interim, is a documentation hole your procurement file shouldn't accept silently.

What Are the Most Common Gaps Buyers Miss When Reviewing an AppSec Vendor's SOC 2 Report?

The most common gap is buyers reading the auditor's opinion letter and stopping there instead of reading the system description and control matrix in Section III and IV, where the actual scope limitations live. A vendor's opinion letter can say "no exceptions noted" while the system description quietly excludes a newer product line, a recently acquired subsidiary, or an on-premises deployment option from the audit boundary entirely — meaning the clean opinion doesn't apply to the exact product you're deploying. Second, buyers frequently skip the subservice organization section, missing that critical controls (encryption key management, physical data center security, network segmentation) were performed by AWS, Azure, or GCP and are documented only in those providers' own SOC 2 reports, not the vendor's. Third, for AppSec tools specifically, buyers rarely check whether the Confidentiality criterion is even in scope — Security is mandatory under SOC 2, but Confidentiality (which covers how source code and scan findings are protected, retained, and destroyed) is optional, and some vendors' reports don't include it. If your risk assessment cares about how long a vendor retains your uploaded source code after contract termination, that answer typically comes from the Confidentiality criterion, not Security.

Is SOC 2 Type II Enough on Its Own, or Should Buyers Ask for More?

SOC 2 Type II is necessary but not sufficient for AppSec vendor risk assessment, because it attests to control operation, not to the technical quality or coverage of the security product itself. A vendor can have an immaculate 12-month SOC 2 Type II report and still ship a scanner with high false-negative rates or delayed CVE feed updates — SOC 2 says nothing about detection efficacy. Mature buyers pair the SOC 2 report with complementary evidence: ISO 27001 certification for a broader ISMS view, a recent penetration test summary (ideally within the last 12 months), and — specifically for supply chain security vendors — an SBOM for the vendor's own product, since an AppSec tool that can't produce a bill of materials for itself is asking you to trust exactly the practice it's supposed to help you enforce elsewhere. It's a fair, increasingly common question in RFPs: "show us your own SBOM and vulnerability disclosure process," and a vendor's answer to that question often reveals more about its security culture than the SOC 2 badge does.

How Safeguard Helps

Safeguard treats compliance evidence as part of the product, not a separate sales artifact. Customers get direct access to our current SOC 2 Type II report and control matrix, scoped to the exact production environment their scans run in, with no carve-outs hidden in a system description they have to hunt for. We publish our own SBOM, maintain a documented vulnerability disclosure process for our own platform, and keep bridge letters current between audit cycles so there's never an undocumented gap in coverage — the same standard we'd expect an AppSec vendor to hold if we were the buyer. Because Safeguard is built around software supply chain risk, our platform also helps your team operationalize this whole review: track vendor SOC 2 renewal dates, flag lapsed reports or missing Confidentiality-criterion coverage across your AppSec and dependency tooling stack, and centralize the SBOMs and attestations you collect from every vendor — including incumbents like Veracode — so vendor risk review stops living in a spreadsheet nobody updates after the initial procurement cycle. If you're building or refreshing an AppSec vendor risk questionnaire, we're happy to share the specific control mapping we use internally as a starting template.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.