The editorial wall
Some of the platforms and firms on this site pay us. That pays for the research and keeps us independent of any single vendor. It also makes the firewall below the most important part of this page.
The point is not that sponsorship is bad. The point is that sponsorship must be visible, constrained, and unable to change the editorial answer a buyer gets.
- Sponsorship buys
- Labeled featured placement on a page the firm already qualifies for (the auditor directory, the software hub, or the service-firm hub), a profile we build and keep current, and a featured slot in the monthly digest.
- Sponsorship does not buy
- A higher rating, a trust or review badge (those are earned, never bought), softer criticism, removal of a weakness, hidden placement, inclusion in a ranking where the firm does not qualify, suppression of buyer corrections, or routing priority over a better-fit firm.
If you find a sponsored review that breaks these rules, email us. We fix the review or end the sponsorship. Those are the only two outcomes.
What we cover
182+ SOC 2 audit firms and 12 compliance automation platforms. Nothing else.
Adjacent frameworks (ISO 27001, HIPAA, PCI DSS, and seven more) show up only where they intersect with a SOC 2 decision. Reference explainers live in our frameworks hub; recurring buyer questions live in the SOC 2 buyer guides. General-purpose GRC tools that are not built for SOC 2 buyers are not here.
The scope stays narrow because broad directories are useless to anyone with a real decision to make. If a tool or firm does not affect SOC 2 scope, cost, readiness, evidence collection, or auditor selection, it does not belong in the core review set.
How we evaluate auditors
The license first. We check active CPA and AICPA standing and, for US firms, the AICPA peer-review record. Where we cannot confirm one, the firm stays listed with a caveat badge and ranks below firms that clear the bar. We flag what we cannot verify, we do not hide it.
Then pricing: a mix of figures firms confirm to us, public sources, and our own estimates, refreshed periodically. We prefer what clients actually pay (direct submissions, shared RFPs, and post-engagement reports) over published rates, and surface ranges rather than point estimates. Where a number is our estimate rather than firm-confirmed, the entry says so.
Then timelines: our estimate of kickoff-to-report duration, drawn from each firm's published engagement descriptions and refined from client interviews where we have them. Vendor marketing estimates do not count.
Then fit. Industries served, company sizes, tech stacks, and co-sourcing partners. A firm that is right for a 200-person fintech is often wrong for a 12-person AI startup. We say which is which.
We also separate what a firm can sign from what it can support. CPA licensing and peer review determine whether a firm can issue a report; the assigned team's cloud, SaaS, security, and platform experience determines whether the engagement will be smooth for a specific buyer.
How we evaluate software
Three rules govern software reviews.
We log in. If a platform refuses a trial or live demo, we write that in the review. Every time.
We cross-check pricing. We check published pricing against buyer-reported quotes where we have them and surface a range rather than a single number. Marketing-site figures are placeholders until real quotes back them.
We find what is broken. Every review has a section on what does not work. If we cannot write one, we have not looked hard enough, and the review is not ready to publish.
How we rate
We do not.
We do not use 5-star scores or 4.3-out-of-5 averages. Star ratings compress too much. A platform that is excellent for your situation remains excellent even if its average score is middling, and a mediocre fit stays mediocre even at 4.8.
Every platform on the software hub is matched to the scenarios it actually fits. Every auditor in the directory has a fit profile: industries, company sizes, strengths, and known gaps. The recommendation is always "this one, for this buyer, for this reason."
Source-class tiers: how much each kind of evidence counts
Four classes of evidence are ranked by weight. Where two sources disagree, the higher tier wins. Cost ranges with their per-entry sources live at /soc-2-audit-cost/sources/.
- Tier 1: regulatory and licensing text
- AICPA peer-review records, board-of-accountancy CPA-license rosters, FedRAMP marketplace listings, CREST registry entries, and AICPA Trust Services Criteria. Treated as fact and cited directly with a permalink to the public registry where possible.
- Tier 2: vendor-published primary documents
- A firm's own service descriptions, a platform's own pricing page, or an audit report shared with us by a buyer under NDA. Heaviest weight after Tier 1. Sourced and dated on the entry.
- Tier 3: buyer-side aggregates
- 500+ RFPs from companies running real SOC 2 selection processes, contributed directly by buyers or anonymized partner programs, plus anonymous-ballpark requests routed through this site. Surfaced as ranges, never as point estimates, and cross-checked against Tier 1 and Tier 2 before publishing.
- Tier 4: signal data
- LinkedIn hiring patterns for enterprise traction reads, G2 and Trustpilot clusters for consistency, and public earnings commentary. Never used on its own, only as a cross-reference to Tier 1, Tier 2, or Tier 3 evidence.
Every price carries a source marker (our estimate versus firm-confirmed), and auditor profiles carry a last-verified date, so you can see how old a number is and where it came from.
What "last verified" means on an auditor profile
Every verified auditor profile carries a Last verified date. That stamp asserts three things on that date: the firm is still operating under the listed name, the AICPA peer-review record we link to is current, and the public-website pricing or scope signals still match what the firm publishes.
It does not assert that the firm's quoted pricing is current to the dollar. Audit fees move with scope, headcount, and timeline. The verified date is for structural facts, not the quote a firm would write today.
Cadence: we aim to re-check every profile at least every six months, and sooner on three triggers: a peer-review status change, a leadership departure flagged by a reader, or a pricing claim being challenged in writing.
A firm can request an off-cycle re-check by emailing hello@soc2auditors.org. Buyers can flag a stale stamp the same way.
Verification cadence triggers
We aim to re-check every profile at least every six months. Four events pull a profile out of that cadence and into an off-schedule re-check.
- Peer-review status change. The directory's source of truth for a CPA firm's standing is the AICPA peer-review database. Any change there pulls the profile into the queue within five business days.
- Leadership departure. Named partners and methodology leads are part of a firm's fit profile. A departure surfaced by a reader, a vendor announcement, or a public filing triggers a re-check.
- Pricing change documented in writing. A quote shared with us, a buyer-side RFP, or a vendor pricing-page update. If the change moves the firm's range by more than 20 percent in either direction, we re-anchor the entry and the cost-sources page.
- Material business event. Funding round, acquisition, merger, regional expansion, or a security incident reported by the firm or its customers. Tier classification or stated capacity may shift.
When we update
We update when something real changes: a pricing shift, a new framework supported, a leadership departure, a security incident, or a feature added or removed. We do not update to hit a publishing calendar.
If nothing meaningful changed in six months, the page keeps its date. Every article carries the date it was last touched and what changed.
Changes to this rulebook:
- July 9, 2026: Opened software monetization to affiliate and referral commissions and reframed the firewall as "money never moves the order." Audit-firm fees stay flat, never a commission or a cut, because a CPA's independence is regulated; on software we now earn a referral commission when a buyer chooses a platform through our links, which never changes the ranking or the review.
- July 1, 2026: Corrected the auditor-inclusion language to the flag-and-demote model (firms we cannot fully confirm are labeled with a caveat and ranked lower, not hidden) and dropped the enforcement-action claim; reframed timeline and software-pricing sourcing as estimate-first; moved trust and review badges to the earned side of the firewall; softened the six-month re-check to a target; replaced the automatic "flagged inline" promise with the per-price source marker we actually ship; renamed the service tier Pro to Featured; and tightened the exposure guarantee to shortlist placement.
- June 22, 2026: Aligned "How we make money" to the live model (Featured and Leader for audit firms, Featured and Category Sponsor for service firms, and sponsored placement), corrected the pricing-source language to reflect firm-confirmed, public, and estimated figures, and fixed the routing claim (the lead matcher reads no payment field).
- May 13, 2026: Added source-class tiers, verification cadence triggers, and how-we-make-money sections. Expanded the sponsorship firewall from four bullets to seven.
- April 2026: First public version. Prior commitments applied internally since launch; this page made them visible and enforceable.
How we make money
How we earn splits by side of the market. Audit firms pay a flat advertising fee, never a commission or a cut of the engagement: a CPA's independence is regulated, and we will not put a price on it. On the software side we run flat-fee sponsorship and we earn a referral commission when a buyer chooses a platform through our links, disclosed wherever those links appear. What money never buys, on either side, is the answer: not a rating, not a softer review, not a "best for" a product does not fit, not priority over a better-fit firm. The order is editorial and fit-first. The firewall above is the whole game.
- Featured and Leader, for audit firms
- An audit firm pays a flat advertising fee: Featured at $2,000/mo (billed quarterly, cancel any quarter) or Leader at $5,000/mo (one-year term, one firm per niche). It buys a profile we build and keep current, labeled placement on the pages buyers read and in the answers AI gives, and a monthly visibility report. The guarantee is an exposure floor, not a delivered lead: a paid firm is placed on at least a set number of fitting buyer shortlists each month, or that month is free. It is a shortlist placement, never a promise of signed deals. Buyers are never charged and never see paid status as a quality signal, and the lead matcher reads no payment field: fit and verified quality decide who surfaces, never who paid. See the tiers and how the guarantee works.
- Featured and Category Sponsor, for service firms
- Readiness, pentest, vCISO, ISO 27001, and compliance firms, the ones that prepare you for an audit but do not sign the report, pay a flat fee for an enhanced, labeled listing: Featured at $600/mo or sole Category Sponsor at $1,500/mo. Service firms are a separate pool from auditors and are not in the lead matcher, so the fee buys a badge and labeled placement only, never sort order or routing. See the service-firm tiers.
- Sponsored placement on the software hub
- Occasional sponsored slots on specific pages: a software-hub section, a comparison page, or a directory category. Labeled in line with the listing. The label is the deal: sponsorship does not move a rating or rewrite fit-profile copy. Ask about sponsored placement.
- Affiliate and referral commissions, on software
- Some outbound links to compliance platforms are affiliate or partner-program links. If you start a trial or buy through one, the platform may pay us a referral commission, at no extra cost to you. This is software only, never audit firms, whose fee stays flat by design. It changes nothing about the list: the same platforms sit in the same fit-first order, with the same review, whether or not a link pays. We disclose it wherever those links appear.
Corrections
Wrong price, stale license status, factual error, disputed quote? Email hello@soc2auditors.org. Screenshots help for pricing disputes; a recent quote beats our aggregated range every time.
We respond within two business days. Factual corrections go live within five. We do not silently edit; every correction gets a dated note at the bottom of the affected article so a reader can see what changed and when.
Disagreements on judgment calls, including which platform fits which scenario or how we read a weakness, are fair game to argue, and sometimes we revise. Email the argument.
Peter Korpak, founder.
Questions about a specific review, a partnership, or a pricing submission: hello@soc2auditors.org.