SOC 2 Type II Automation for Self-Hosted Infrastructure
SOC 2 Type II proves that your controls operated effectively over an entire audit period, not just on audit day. For self-hosted infrastructure that means 6-12 months of continuous, structured evidence collection that an auditor can sample at any point. Moltbot automates evidence collection for 6 of the 10 criteria mapped below (CC3 through CC8) out of the box.
Trust Service Criteria Mapping
CC1 Control Environment: Management commitment, board oversight, organizational structure, competence and accountability.
CC2 Communication and Information: Internal and external communication of security policies and obligations.
CC3 Risk Assessment: Risk identification, analysis and response.
CC4 Monitoring Activities: Ongoing evaluation of control effectiveness.
CC5 Control Activities: Policies and procedures that ensure controls are carried out.
CC6 Logical and Physical Access Controls: Restrict logical and physical access to authorized users.
CC7 System Operations: Detect and mitigate software failures and security incidents.
CC8 Change Management: Manage system changes to prevent security degradation.
CC9 Risk Mitigation: Identify, select and develop risk mitigation activities.
A1 Availability: System available for operation and use as committed.
Evidence Collection Runbook
# Moltbot SOC 2 evidence collection — automated daily
moltbot audit collect \
  --criteria CC3,CC4,CC5,CC6,CC7,CC8 \
  --output /audit/evidence/$(date +%Y-%m-%d)/ \
  --format structured-json \
  --tamper-hash sha256

# Evidence collected:
# - Access logs: who accessed what, timestamp, action
# - Change logs: all deployments with approver
# - Alert logs: security events and response times
# - Scan reports: vulnerability findings + remediation dates
# - Backup tests: recovery test results with RTO/RPO
# - Patch compliance: systems × CVE × patch date

# Review evidence dashboard
moltbot audit dashboard --period 2025-01-01/2025-12-31
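What a tamper-evident daily evidence bundle actually needs to look like for an auditor to trust it is worth seeing in code. The following is an added illustration and not Moltbot's own code or the format its `--tamper-hash sha256` option produces: each day's artifacts are hashed into a structured-JSON manifest, every manifest carries the previous day's manifest hash (so a day cannot be silently dropped, replaced or edited), and a verifier walks the chain. The artifact contents, file names and field names are constructed for the example.

```python
"""Hash-chained daily evidence manifests (added example, not Moltbot code)."""
import hashlib
import json
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialisation: fixed key order and separators, so the
    # same manifest content always produces the same hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(day: str, artifacts: Dict[str, bytes],
                   prev_manifest_hash: Optional[str], criteria: List[str]) -> dict:
    """Hash every artifact collected on one day and chain to the previous day."""
    entries = {name: {"sha256": sha256_hex(blob), "bytes": len(blob)}
               for name, blob in sorted(artifacts.items())}
    manifest = {
        "day": day,
        "criteria": criteria,
        "prev_manifest_hash": prev_manifest_hash,  # None only for the first day
        "artifacts": entries,
    }
    manifest["manifest_hash"] = sha256_hex(canonical(manifest))
    return manifest


def verify_chain(manifests: List[dict],
                 artifacts_by_day: Dict[str, Dict[str, bytes]]) -> List[str]:
    """Return every integrity problem found; an empty list means the evidence is intact.

    Per day, in chronological order: the manifest must hash to its recorded
    hash, must point at the previous day's hash, and every artifact it lists
    must be present with an unchanged digest.
    """
    problems: List[str] = []
    prev_hash: Optional[str] = None
    for m in manifests:
        body = {k: v for k, v in m.items() if k != "manifest_hash"}
        if sha256_hex(canonical(body)) != m["manifest_hash"]:
            problems.append(f"{m['day']}: manifest hash mismatch")
        if m["prev_manifest_hash"] != prev_hash:
            problems.append(f"{m['day']}: chain break (prev hash does not match)")
        blobs = artifacts_by_day.get(m["day"], {})
        for name, entry in m["artifacts"].items():
            if name not in blobs:
                problems.append(f"{m['day']}: missing artifact {name}")
            elif sha256_hex(blobs[name]) != entry["sha256"]:
                problems.append(f"{m['day']}: artifact {name} modified")
        prev_hash = m["manifest_hash"]
    return problems


# Constructed sample artifacts; a real run would read the day's files from disk.
DAY1 = {
    "access.log": b"2025-01-01T02:14:07Z alice ssh host-a login OK\n",
    "changes.json": b'[{"deploy":"api-1.4.2","approver":"bob","at":"2025-01-01T10:00:00Z"}]\n',
}
DAY2 = {
    "access.log": b"2025-01-02T09:01:33Z carol sudo host-b OK\n",
    "scan.json": b'[{"finding":"F-0001","host":"host-b","severity":"high","fixed":"2025-01-02"}]\n',
}
CRITERIA = ["CC6", "CC7", "CC8"]


def demo_chain() -> Dict[str, List[str]]:
    m1 = build_manifest("2025-01-01", DAY1, None, CRITERIA)
    m2 = build_manifest("2025-01-02", DAY2, m1["manifest_hash"], CRITERIA)
    intact = verify_chain([m1, m2], {"2025-01-01": DAY1, "2025-01-02": DAY2})
    # Someone edits yesterday's access log after collection.
    edited = dict(DAY1, **{"access.log": b"2025-01-01T02:14:07Z alice ssh host-a login DENIED\n"})
    tampered = verify_chain([m1, m2], {"2025-01-01": edited, "2025-01-02": DAY2})
    # Someone regenerates day 2 from scratch, detaching it from day 1.
    m2_forged = build_manifest("2025-01-02", DAY2, None, CRITERIA)
    detached = verify_chain([m1, m2_forged], {"2025-01-01": DAY1, "2025-01-02": DAY2})
    return {"intact": intact, "tampered": tampered, "detached": detached}


if __name__ == "__main__":
    print(json.dumps(demo_chain(), indent=2))
```

The chain only proves integrity back to whatever hash the verifier starts from, so the latest manifest hash should be recorded somewhere the collection host cannot rewrite (an off-host log, a ticket, a signed timestamp); otherwise an attacker with root on the evidence store can simply rebuild the whole chain.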
Frequently Asked Questions
What is the difference between SOC 2 Type I and Type II?
SOC 2 Type I: point-in-time assessment — auditor verifies controls are designed adequately at a specific date. SOC 2 Type II: period-based assessment (typically 6-12 months) — auditor verifies controls operated effectively throughout the entire period. Type II is significantly more valuable for enterprise customers because it proves sustained compliance, not just a snapshot. For self-hosted infrastructure, Type II requires continuous evidence collection throughout the audit period.
Which SOC 2 Trust Service Criteria are mandatory?
Only the Security category is required; its common criteria are CC1-CC9. The other four categories are optional: Availability (A1), Processing Integrity (PI1), Confidentiality (C1) and Privacy (P1-P8). Most B2B SaaS companies pursue Security + Availability + Confidentiality. For AI/ML systems handling sensitive data, customers increasingly expect Privacy as well. Choose based on what your customers require.
How does Moltbot help automate SOC 2 compliance?
Moltbot automates evidence collection for 6 of 10 Trust Service Criteria: CC3 (vulnerability scans, risk register), CC4 (SIEM alerts, control failure notifications), CC5 (patch management enforcement, access reviews), CC6 (MFA enforcement, access audit logs), CC7 (incident detection, backup testing), CC8 (CI/CD security scanning). Manual work remains for CC1, CC2, CC9 (governance/organizational) and audit preparation.
What evidence do I need for a SOC 2 Type II audit?
Auditors sample evidence across the audit period. Required evidence typically includes: access control logs (who accessed what, when), change logs (all system changes with approvals), security alert logs (incidents detected and responded to), vulnerability scan reports (showing issues were addressed within SLA), backup test results (proving recovery works), training completion records, vendor assessment records, and incident postmortem documents. Moltbot provides structured, tamper-evident logs for all technical evidence.
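Of the evidence types above, "vulnerability scan reports showing issues were addressed within SLA" is the one auditors most often test by recomputation, so it helps to see how that status is derived. The following is an added example, not Moltbot's report format: it takes a list of scan findings (constructed sample data, assumed field names) and a per-severity SLA table (an assumed policy), classifies each finding as of the audit period end, and lists the exceptions an auditor would ask you to explain. It deliberately handles findings still open at period end and fixes dated after period end, both of which a naive "fixed date minus first seen" check gets wrong.

```python
"""Remediation-SLA evidence from scan findings (added example, not Moltbot output)."""
from datetime import date, timedelta
from typing import List

# Assumed remediation policy in days from first detection; substitute your own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def classify(finding: dict, period_end: date) -> str:
    """Status of one finding relative to its SLA, as it stood at the period end."""
    severity = finding["severity"]
    if severity not in SLA_DAYS:
        raise ValueError(f"{finding['id']}: unknown severity {severity!r}")
    deadline = date.fromisoformat(finding["first_seen"]) + timedelta(days=SLA_DAYS[severity])
    fixed = finding.get("fixed")
    # A fix dated after the period end does not count as evidence for this period.
    if fixed is None or date.fromisoformat(fixed) > period_end:
        return "open_overdue" if period_end > deadline else "open_within_sla"
    return "met" if date.fromisoformat(fixed) <= deadline else "breached"


def sla_report(findings: List[dict], period_end: date) -> dict:
    counts = {s: 0 for s in ("met", "breached", "open_within_sla", "open_overdue")}
    exceptions = []
    for f in findings:
        status = classify(f, period_end)
        counts[status] += 1
        if status in ("breached", "open_overdue"):
            exceptions.append({"id": f["id"], "host": f["host"],
                               "severity": f["severity"], "status": status})
    return {"period_end": period_end.isoformat(), "counts": counts, "exceptions": exceptions}


# Constructed sample findings; ids and hosts are placeholders.
FINDINGS = [
    {"id": "F-0001", "host": "host-a", "severity": "critical", "first_seen": "2025-03-01", "fixed": "2025-03-05"},
    {"id": "F-0002", "host": "host-b", "severity": "high", "first_seen": "2025-03-01", "fixed": "2025-04-15"},
    {"id": "F-0003", "host": "host-c", "severity": "medium", "first_seen": "2025-06-20", "fixed": None},
    {"id": "F-0004", "host": "host-a", "severity": "critical", "first_seen": "2025-06-01", "fixed": None},
    {"id": "F-0005", "host": "host-b", "severity": "high", "first_seen": "2025-06-25", "fixed": "2025-07-02"},
]


def demo_sla() -> dict:
    # Period end is the last day of the audit window being evidenced.
    return sla_report(FINDINGS, date(2025, 6, 30))


if __name__ == "__main__":
    import json
    print(json.dumps(demo_sla(), indent=2))
```

Each entry in "exceptions" needs a documented reason (risk acceptance, compensating control, or a ticket showing the fix was in progress); an auditor treats an unexplained breach as a control exception, not a data-quality issue.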