SOC 2 · AICPA Trust Services Criteria

Vulnerability & patch evidence for SOC 2

Auditors testing the Security criteria want proof you find newly-discovered vulnerabilities (CC7.1) and fix them through change management (CC8.1). IsItPatched produces exactly that from an SBOM — a component inventory, known and actively-exploited CVEs, the minimum safe version, end-of-life tracking, and exportable evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for the teams chasing a SOC 2 report

SaaS vendors

The report your customers ask for before they sign. Stand up the vulnerability-management evidence without buying a heavyweight platform.

Security & engineering

One place to inventory third-party components, see what's actively exploited, and show a risk-ranked patch process.

Auditors & readiness teams

Hand a clean component inventory, risk-ranked vulnerabilities and a remediation record as CC7.1 / CC8.1 evidence.

SOC 2 Common Criteria → what IsItPatched gives you

Identify vulnerabilities (CC7.1)

Scan a CycloneDX/SPDX SBOM to identify susceptibilities to newly-discovered vulnerabilities across your components — the detection CC7.1 expects.

Scan an SBOM →

Risk-rank what matters

Each component's CVEs ranked by actively-exploited (CISA KEV) and high-EPSS status, so out-of-cycle fixes are justified.

See actively-exploited CVEs →

Patch & change management (CC8.1)

The minimum safe version and a critical-first queue give you a defensible, documented remediation process.

Open your dashboard →

End-of-life & audit evidence

End-of-life tracking flags unsupported components; export a risk register and VEX as control evidence.

End-of-life calendar →

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — your CC7.1 / CC8.1 remediation record

Sign in (free, no password) to sync your component stack and generate these from your dashboard.
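As an added illustration of the known-exploited-first patch queue and CSV risk register listed above (example code written for this page, not IsItPatched's own), the snippet below ranks the components of a constructed CycloneDX SBOM against constructed OSV-style findings. The CVE ids, EPSS scores and KEV membership are placeholders, and the minimum safe version is taken as the highest per-CVE fixed version, i.e. the lowest version that clears every known CVE.

```python
import csv
import io
import json

# Constructed CycloneDX-style SBOM (sample data, not a real inventory).
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "example-http", "version": "2.3.0", "purl": "pkg:pypi/example-http@2.3.0"},
    {"type": "library", "name": "example-xml", "version": "1.0.4", "purl": "pkg:pypi/example-xml@1.0.4"},
    {"type": "library", "name": "example-json", "version": "5.1.0", "purl": "pkg:pypi/example-json@5.1.0"},
]})

# Constructed OSV-style findings per purl: (placeholder CVE id, fixed version).
# A real run would query OSV for each purl; the CVE-0000-* ids are placeholders.
ADVISORIES = {
    "pkg:pypi/example-http@2.3.0": [("CVE-0000-0001", "2.3.1"), ("CVE-0000-0002", "2.4.0")],
    "pkg:pypi/example-xml@1.0.4": [("CVE-0000-0003", "1.1.0")],
}
KEV = {"CVE-0000-0003"}  # constructed CISA KEV membership
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.71, "CVE-0000-0003": 0.15}  # constructed scores

def _vtuple(v):
    """Naive dotted-version sort key; assumes purely numeric versions (true for this sample)."""
    return tuple(int(p) for p in v.split("."))

def patch_queue(sbom_json, advisories, kev, epss, high_epss=0.5):
    """One row per component, ordered known-exploited first, then high-EPSS, then by EPSS."""
    rows = []
    for c in json.loads(sbom_json)["components"]:
        findings = advisories.get(c["purl"], [])
        cves = [cve for cve, _ in findings]
        fixes = [fix for _, fix in findings]
        rows.append({
            "component": c["name"], "version": c["version"], "cves": ";".join(cves),
            "known_exploited": any(cve in kev for cve in cves),
            "max_epss": max((epss.get(cve, 0.0) for cve in cves), default=0.0),
            # lowest version fixing every known CVE = highest per-CVE fix; unchanged if none
            "min_safe_version": max(fixes, key=_vtuple) if fixes else c["version"],
        })
    rows.sort(key=lambda r: (not r["known_exploited"], r["max_epss"] < high_epss, -r["max_epss"]))
    return rows

def risk_register_csv(rows):
    """Serialise the queue as a CSV risk register citing the exact versions run."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Components with no findings stay in the register at the bottom of the queue, so the inventory evidence remains complete.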

Straight with you: a SOC 2 report is issued by a licensed CPA firm after testing controls across security, availability, change management, access, monitoring and more. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps produce the technical-vulnerability and software-inventory evidence under CC7.1 / CC8.1 specifically. It is not an auditor, not an attestation of compliance, and not legal advice. Disclaimer.

SOC 2 — frequently asked

What is SOC 2?

SOC 2 is an attestation report, produced by an independent CPA firm, on how a service organisation meets the AICPA Trust Services Criteria — Security (the mandatory "Common Criteria"), and optionally Availability, Confidentiality, Processing Integrity and Privacy. For most SaaS vendors it is the report customers ask for before they buy. Vulnerability and patch management live mainly in Common Criteria CC7.1 (identify susceptibilities to newly discovered vulnerabilities) and CC8.1 (change management — deploying fixes).

How does IsItPatched help with SOC 2?

It produces the software-vulnerability evidence a SOC 2 auditor looks for under CC7.1 and CC8.1: scan a CycloneDX/SPDX SBOM for an inventory of your third-party components, identify and risk-rank their known and actively-exploited (CISA KEV) vulnerabilities, see the minimum safe version, track end-of-life components, and export a risk register / VEX as part of your control evidence.

Does IsItPatched make us SOC 2 compliant?

No. A SOC 2 report is issued by a licensed CPA firm after testing controls across security, change management, access, monitoring and more. IsItPatched helps with the technical-vulnerability and software-inventory evidence under CC7.1 / CC8.1 specifically. It is informational, built on public data — not an auditor, not an attestation, and not legal advice.

Subject to more than one regime? See all our compliance editions →