Compliance · SOC 2 (TSC 2017)
SOC 2 website security checklist — Trust Services Criteria mapping
SOC 2 reports are written against the AICPA's Trust Services Criteria (TSC), a set of broad criteria that map to dozens of controls for which auditors sample evidence. Scorifya does not replace your SOC 2 audit, but the public-facing portion of the Security and Confidentiality categories (TLS configuration, security-header coverage, a published vulnerability disclosure channel) produces the same kind of repeatable, dated evidence auditors expect to see. This page maps Scorifya's scan checks to the TSC criteria that come up most often in pre-audit walkthroughs.
Scope
Scope: Scorifya scans the public surface of a hostname you submit. It does not access internal systems, validate access controls, evaluate vendor management, or audit change management. Use scan output as evidence only for the subset of the Common Criteria (and the Confidentiality criterion C1.1) that concerns external-facing web infrastructure.
Control mapping
Each control below references the framework requirement and lists the Scorifya scan checks that produce supporting evidence.
CC6.1 — Logical and physical access (transmission protection)
The entity implements logical access security software, infrastructure, and architectures over protected information assets.
Scorifya checks:
CC6.6 — Logical access for external users
The entity implements logical access security measures to protect against threats from outside the system boundaries.
CC6.7 — Restrict transmission, movement, and removal of information
The entity restricts the transmission, movement, and removal of information to authorized internal and external users.
Scorifya checks:
CC7.1 — Detection and monitoring of vulnerabilities
The entity uses detection and monitoring procedures to identify changes that could result in vulnerabilities being introduced.
CC7.4 — Incident response (external researcher coordination)
The entity responds to identified security incidents by executing a defined incident-response program.
Scorifya checks:
C1.1 — Confidentiality (cookie protection)
The entity identifies and maintains confidential information to meet the entity's commitments and system requirements.
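To show what a dated, repeatable evidence record for the transmission-protection (CC6.1/CC6.7) and cookie-protection (C1.1) controls above can look like, here is an added example. It is not Scorifya's scanner and not the project's code; the header names, the one-year HSTS threshold, the criterion labels attached to each check, and the two HTTP responses are all constructed here for illustration. It parses a raw response offline, evaluates the headers, and emits a JSON record with a UTC timestamp of the kind an auditor can sample.

```python
"""Dated evidence record for public-facing security headers (added example).

Assumptions (not Scorifya's checks): HSTS max-age must be at least one year,
cookies must carry Secure, HttpOnly and SameSite, and each check is tagged
with an illustrative TSC criterion.
"""
import json
import re
from datetime import datetime, timezone
from email.parser import Parser

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds; assumed threshold
COOKIE_FLAGS = ("secure", "httponly", "samesite")

# (criterion, check id, header, required substring or None) - illustrative mapping
SIMPLE_HEADER_CHECKS = [
    ("CC6.6", "nosniff", "X-Content-Type-Options", "nosniff"),
    ("CC6.6", "csp", "Content-Security-Policy", None),
]


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into its status line and a header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    # email.parser gives case-insensitive lookup and keeps duplicate headers
    headers = Parser().parsestr(header_block + "\r\n", headersonly=True)
    return status_line, headers


def check_hsts(headers):
    """HSTS present with a max-age at or above the assumed minimum."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ("CC6.7", "hsts", "fail", "Strict-Transport-Security header missing")
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    max_age = int(m.group(1)) if m else 0
    if max_age < MIN_HSTS_MAX_AGE:
        return ("CC6.7", "hsts", "fail", f"max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    return ("CC6.7", "hsts", "pass", value)


def check_simple(headers):
    """Presence (and, where given, required token) of single-value headers."""
    out = []
    for crit, cid, header, needle in SIMPLE_HEADER_CHECKS:
        value = headers.get(header)
        if value is None:
            out.append((crit, cid, "fail", f"{header} missing"))
        elif needle and needle.lower() not in value.lower():
            out.append((crit, cid, "fail", f"{header} lacks '{needle}': {value}"))
        else:
            out.append((crit, cid, "pass", value))
    return out


def check_cookies(headers):
    """Every Set-Cookie must carry Secure, HttpOnly and SameSite."""
    findings = []
    for raw_cookie in headers.get_all("Set-Cookie") or []:
        name = raw_cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw_cookie.split(";")[1:]}
        missing = [f for f in COOKIE_FLAGS if f not in attrs]
        status = "fail" if missing else "pass"
        detail = f"{name}: missing {', '.join(missing)}" if missing else f"{name}: all flags set"
        findings.append(("C1.1", "cookie-flags", status, detail))
    return findings


def evidence_record(hostname, raw_response, checked_at=None):
    """Build a dated, JSON-serialisable evidence record for one response."""
    checked_at = checked_at or datetime.now(timezone.utc)
    status_line, headers = parse_response(raw_response)
    findings = [check_hsts(headers)] + check_simple(headers) + check_cookies(headers)
    keys = ("criterion", "check", "result", "detail")
    return {
        "host": hostname,
        "checked_at": checked_at.isoformat(),
        "status_line": status_line,
        "findings": [dict(zip(keys, f)) for f in findings],
        "passed": all(f[2] == "pass" for f in findings),
    }


# Constructed sample responses: a weak configuration and its hardened form.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for raw in (WEAK_RESPONSE, HARDENED_RESPONSE):
        print(json.dumps(evidence_record("example.test", raw), indent=2))
```

Keeping the raw response alongside the record (rather than only the pass/fail verdict) lets an auditor re-derive each finding; for a Type II report the same record would be produced at intervals across the observation period rather than once.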
Important caveats
- SOC 2 is an attestation report issued by a CPA firm — Scorifya cannot make you SOC 2 compliant on its own.
- The auditor will sample evidence across all selected criteria, including many areas (HR controls, change management, vendor management) that an external scanner cannot evaluate.
- Scan output is one piece of repeatable evidence for public-facing controls: a single dated scan supports design (Type I), while operating effectiveness (Type II) needs scans repeated across the audit period.
Run a scan to produce evidence
Submit any URL you are authorized to test. The scan output (TLS posture, header coverage, DNS hygiene) is repeatable and dated, which is what auditors expect as evidence of design effectiveness; for operating effectiveness, run it at intervals throughout the observation period and retain each dated result.