SOC 2 Type 2 Certification

Praetorian is SOC 2 Type 2 certified. An independent third-party auditor has examined the controls supporting the Praetorian Guard Platform (PGP) and issued an unqualified attestation confirming that those controls are both suitably designed and operating effectively over an extended audit period. This gives customers durable, externally verified assurance that the security, availability, and confidentiality controls protecting their data perform as described — not just at a single point in time, but consistently across the audit window.

What Is SOC 2 Type 2?

SOC 2 (System and Organization Controls 2) is an audit framework defined by the American Institute of Certified Public Accountants (AICPA). It evaluates a service organization's controls against the Trust Services Criteria:

  • Security — Protection of systems and data against unauthorized access, disclosure, and damage.

  • Availability — Systems are available for operation and use as committed to customers.

  • Confidentiality — Information designated as confidential is protected throughout its lifecycle.

  • Processing Integrity — System processing is complete, valid, accurate, timely, and authorized.

  • Privacy — Personal information is collected, used, retained, disclosed, and disposed of in accordance with commitments.

A Type 2 report goes further than a Type 1. Where Type 1 evaluates whether controls are appropriately designed at a single point in time, Type 2 tests whether those controls actually operated effectively over a sustained period (typically 6–12 months). It is the more rigorous of the two and the form most enterprise buyers require from vendors handling sensitive data.

Why Customers Should Care

Engaging a security vendor means trusting them with sensitive findings, source code, infrastructure details, and attack-path data. SOC 2 Type 2 certification gives customers concrete reasons to extend that trust:

  • Independent Verification — A licensed CPA firm — not Praetorian — examined the controls and issued the attestation. Customers do not have to take Praetorian's word for it.

  • Evidence Over Time — Type 2 demonstrates that controls were continuously enforced across the audit period, not staged for a one-day review. Operational discipline is what protects customer data day to day.

  • Reduced Vendor-Risk Burden — The SOC 2 Type 2 report directly supports customers' own vendor-risk and third-party-assessment programs, often replacing or shortening lengthy security questionnaires.

  • Regulatory and Contractual Alignment — Many internal policies, customer contracts, and regulatory frameworks (including HIPAA, GLBA, and state privacy laws) either require or strongly prefer SOC 2 Type 2 attestation from service providers handling sensitive data.

  • Confidence in Sensitive Workflows — PGP centralizes the most sensitive artifacts of a security program: vulnerabilities, exploit details, customer architectures, and remediation status. SOC 2 Type 2 provides independent assurance that the controls protecting those artifacts are real and working.

What the Audit Covers

The audit scope includes the controls supporting PGP and the underlying systems used to deliver Praetorian services, including:

  • Access Controls — Identity management, authentication, authorization, and least-privilege enforcement for both employees and customers.

  • Change Management — Reviewed and tested processes for code changes, infrastructure changes, and production deployments.

  • System Operations — Monitoring, incident response, backup, and availability management for production systems.

  • Risk Management — Recurring risk assessments, vendor management, and security awareness programs.

  • Data Protection — Encryption in transit and at rest, key management, and confidentiality controls applied to customer data throughout its lifecycle.

Requesting the Report

The SOC 2 Type 2 report contains confidential auditor and control detail and is provided under NDA. Customers and prospects who require a copy for vendor-risk review, procurement, or audit purposes can request the current report by contacting their Praetorian account team or emailing support@praetorian.com.