SOC 2 Reports

Automate SOC 2 evidence collection and report generation by mapping your knowledge graph to compliance controls.

Overview

The SOC 2 reporting system leverages the knowledge graph as a continuous source of compliance evidence. Every discovery run captures resource configurations, relationships, and changes that map to SOC 2 control requirements. Reports are generated automatically, eliminating manual evidence collection and reducing audit preparation time.

Continuous compliance monitoring
Unlike periodic snapshots, Knowledge Tree continuously monitors your infrastructure, so your SOC 2 evidence is always up to date. No more scrambling for screenshots during audit season.

Evidence collection

The system automatically collects evidence across five trust service criteria:

TSC category          Evidence collected
Security              Security group rules, IAM policies, network ACLs, encryption at rest
Availability          Resource uptime, redundancy configuration, backup status
Processing integrity  Resource configuration snapshots, change history
Confidentiality       Data classification tags, encryption settings, access controls
Privacy               PII detection tags, data retention policies, access audit logs

Control mappings

Knowledge Tree includes pre-built mappings from resource types to common SOC 2 controls. Custom mappings can be defined via YAML:

# Mapping: AWS S3 bucket to SOC 2 controls
mappings:
  - resource_type: aws_s3_bucket
    controls:
      - id: CC6.1
        description: Logical access controls
        check: bucket.block_public_access == true
      - id: CC6.7
        description: Encryption of data at rest
        check: bucket.encryption != null
      - id: CC7.2
        description: Monitoring of security events
        check: bucket.logging.enabled == true

Automated reports

Reports are generated on demand or on a schedule (e.g., monthly). Each report includes:

  • Executive summary -- overall compliance status by TSC category
  • Control evidence -- for each control, the specific resources and configurations that satisfy it
  • Exceptions -- resources that fail one or more control checks
  • Remediation guidance -- actionable steps to resolve exceptions
  • Trend data -- compliance trends over the reporting period

Reports can be exported in multiple formats:

  • PDF -- auditor-ready formatted report with evidence summaries
  • CSV -- raw evidence data for custom analysis
  • JSON -- machine-readable format for integration with GRC tools
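The following is an added example, not Knowledge Tree's own code, showing how the YAML mapping above can be evaluated and turned into the report sections just listed (summary per control, evidence, exceptions, JSON export). It embeds the S3 mapping in the form a YAML loader returns, plus two constructed bucket snapshots; the snapshot layout (type/id/attrs), the supported check grammar, and the report field names are assumptions, since the page does not specify Knowledge Tree's schema or evaluator.

```python
import json
import re

# Constructed: the S3 mapping from this page, as a YAML loader would return it.
MAPPINGS = [
    {
        "resource_type": "aws_s3_bucket",
        "controls": [
            {"id": "CC6.1", "description": "Logical access controls",
             "check": "bucket.block_public_access == true"},
            {"id": "CC6.7", "description": "Encryption of data at rest",
             "check": "bucket.encryption != null"},
            {"id": "CC7.2", "description": "Monitoring of security events",
             "check": "bucket.logging.enabled == true"},
        ],
    }
]

# Constructed snapshots (assumed type/id/attrs layout): one compliant bucket,
# one that fails every mapped check.
RESOURCES = [
    {"type": "aws_s3_bucket", "id": "audit-logs",
     "attrs": {"block_public_access": True,
               "encryption": {"algorithm": "AES256"},
               "logging": {"enabled": True}}},
    {"type": "aws_s3_bucket", "id": "public-assets",
     "attrs": {"block_public_access": False,
               "encryption": None,
               "logging": {"enabled": False}}},
]

# Assumed check grammar: <alias>.<attr>[.<attr>...] (==|!=) <literal>, where
# <literal> is true, false, null, or a quoted string. The alias ("bucket")
# names the resource under test and is not looked up. No eval() is used.
CHECK_RE = re.compile(r'^\w+((?:\.\w+)+)\s*(==|!=)\s*("[^"]*"|\w+)$')
LITERALS = {"true": True, "false": False, "null": None}


def lookup(attrs, path):
    """Walk a dotted path; a missing attribute reads as null, not as an error."""
    cur = attrs
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def evaluate_check(check, attrs):
    """Evaluate one check string against a resource's attributes."""
    m = CHECK_RE.match(check.strip())
    if not m:
        raise ValueError(f"unsupported check syntax: {check!r}")
    dotted, op, literal = m.groups()
    actual = lookup(attrs, dotted.lstrip(".").split("."))
    if literal.startswith('"'):
        expected = literal[1:-1]
    elif literal in LITERALS:
        expected = LITERALS[literal]
    else:
        raise ValueError(f"unsupported literal in check: {literal!r}")
    equal = actual == expected
    return equal if op == "==" else not equal


def run_checks(mappings, resources):
    """Evaluate every mapped control against every resource of its type."""
    by_type = {m["resource_type"]: m["controls"] for m in mappings}
    results = []
    for res in resources:
        for ctl in by_type.get(res["type"], []):
            results.append({
                "resource": res["id"], "resource_type": res["type"],
                "control": ctl["id"], "description": ctl["description"],
                "passed": evaluate_check(ctl["check"], res["attrs"]),
            })
    return results


def build_report(results):
    """Per-control summary, evidence (passing checks) and exceptions (failing ones)."""
    summary = {}
    for r in results:
        counts = summary.setdefault(r["control"], {"passed": 0, "failed": 0})
        counts["passed" if r["passed"] else "failed"] += 1
    return {"summary": summary,
            "evidence": [r for r in results if r["passed"]],
            "exceptions": [r for r in results if not r["passed"]]}


def report_json(mappings=MAPPINGS, resources=RESOURCES):
    """JSON export; sorted keys keep the output stable for diffing between runs."""
    return json.dumps(build_report(run_checks(mappings, resources)),
                      indent=2, sort_keys=True)
```

Running `print(report_json())` lists `public-assets` under exceptions for all three controls and `audit-logs` under evidence. Two design points carry over to any real evaluator: a missing attribute is treated as null rather than as a pass, so an incomplete snapshot cannot silently satisfy a control, and the check language is a fixed grammar rather than arbitrary code, so a mapping file cannot execute anything.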

Auditor access

The SOC 2 report system supports a dedicated auditor portal that grants read-only access to evidence and reports:

  • Time-limited access -- auditor access tokens expire after the audit period
  • Evidence trails -- cryptographic hash of each evidence snapshot for integrity verification
  • Read-only API -- auditors can query evidence via the API with restricted permissions
  • Export controls -- reports can be watermarked and access-logged

Not a substitute for audit
While Knowledge Tree automates evidence collection, it does not replace the need for an independent SOC 2 audit. The system provides the evidence layer that your auditor will review against control criteria.
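The "evidence trails" item above, as an added example rather than Knowledge Tree's own implementation: each evidence snapshot is hashed over a canonical serialization together with the previous digest, so the trail forms a hash chain and an auditor only needs to record the final digest to pin every snapshot before it. SHA-256 over canonical JSON, the all-zero genesis digest, and the snapshot field names are assumptions; the page does not state which hash or serialization the system uses.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel digest that the first snapshot chains to

# Constructed evidence snapshots (assumed field names), one per control check.
SNAPSHOTS = [
    {"collected_at": "2024-05-01T00:00:00Z", "resource": "aws_s3_bucket/audit-logs",
     "control": "CC6.1", "attrs": {"block_public_access": True}, "passed": True},
    {"collected_at": "2024-05-02T00:00:00Z", "resource": "aws_s3_bucket/public-assets",
     "control": "CC6.1", "attrs": {"block_public_access": False}, "passed": False},
    {"collected_at": "2024-05-03T00:00:00Z", "resource": "aws_s3_bucket/public-assets",
     "control": "CC6.7", "attrs": {"encryption": None}, "passed": False},
]


def canonical_bytes(obj):
    """Canonical JSON: sorted keys and fixed separators, so equal content hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def snapshot_digest(snapshot, prev_digest):
    """SHA-256 over the previous digest and the snapshot; this links the chain."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_digest))
    h.update(canonical_bytes(snapshot))
    return h.hexdigest()


def build_trail(snapshots, genesis=GENESIS):
    """Record each snapshot with its digest and the digest it chains to."""
    trail, prev = [], genesis
    for snap in snapshots:
        digest = snapshot_digest(snap, prev)
        trail.append({"prev": prev, "digest": digest, "snapshot": snap})
        prev = digest
    return trail


def verify_trail(trail, genesis=GENESIS):
    """None if every entry recomputes and links correctly, else the index of the first bad entry."""
    prev = genesis
    for i, entry in enumerate(trail):
        recomputed = snapshot_digest(entry["snapshot"], prev)
        if entry["prev"] != prev or recomputed != entry["digest"]:
            return i
        prev = entry["digest"]
    return None


def trail_head(trail, genesis=GENESIS):
    """The last digest: the one value an auditor records to pin the whole trail."""
    return trail[-1]["digest"] if trail else genesis


def tampered(trail, index, **attr_changes):
    """Copy of the trail with one snapshot's attrs edited after collection (for testing detection)."""
    bad = copy.deepcopy(trail)
    bad[index]["snapshot"]["attrs"].update(attr_changes)
    return bad
```

Editing a stored snapshot after the fact fails verification at that entry; recomputing that entry's digest to cover the edit only moves the failure to the next entry, whose stored `prev` no longer matches. The head digest therefore has to be handed to the auditor out of band (or signed), since an attacker who can rewrite the whole trail can also rewrite the head stored beside it.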

Configuration

# config.yaml
compliance:
  soc2:
    enabled: true
    control_mappings:
      - "./soc2-mappings.yaml"
    evidence_collection:
      schedule: "0 0 * * *"
      retention_days: 730
    reporting:
      schedule: "0 0 1 * *"
      formats: [pdf, csv, json]
      auditor_portal: true