SOC 2 auditors expect external evidence
SOC 2 Type II reports are narrative-heavy. The Trust Services Criteria that an auditor will reliably ask about from the outside are:
- CC6.1 — Logical and physical access controls. External evidence: no unauthenticated admin interfaces exposed on the internet.
- CC6.6 — Boundary protection. Evidence of a perimeter (CDN, WAF, load balancer) between the public internet and service origins.
- CC6.7 — Secure transmission of sensitive information. TLS hygiene, certificate provenance, DMARC/SPF/DKIM posture.
- CC7.1 — Detection of anomalies. From the outside, the corresponding evidence is whether the organisation can be shown to be monitoring its own external surface over time.
What Dhara checks, mapped to SOC 2
| Criterion | Passive check | Example finding |
|---|---|---|
| CC6.1 | Unauthenticated admin / management interfaces | `admin.` subdomain serving a login page to the public internet |
| CC6.6 | Perimeter (CDN/WAF) posture | Origin reachable directly, not behind CDN |
| CC6.7 | TLS hygiene + email-domain authentication | No DMARC policy published on primary domain |
| CC7.1 | Delta over time (subdomain sprawl, version drift) | Three new subdomains since last scan |
Sample SOC 2 finding
Missing DMARC policy on primary mail domain
No `_dmarc` TXT record published. Permits spoofed sender addresses originating from the primary domain; downstream impact on phishing-based account takeover of customer-support flows.
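The CC6.7 email-domain check and the finding above can be reproduced with a small posture classifier. This is an added example, not Dhara's code; it takes an injected resolver so it runs offline against constructed TXT answers, and the domains `monitor.example`, `partial.example` and `nopolicy.example` are placeholders.

```python
from typing import Callable, Optional

# Added example, not Dhara's code: classify a domain's DMARC posture from _dmarc TXT.
# Resolver is injected so the check runs offline; wire in a real TXT lookup for live use.
Resolver = Callable[[str], list[str]]  # DNS name -> TXT strings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain: str, resolve: Resolver) -> tuple[Optional[str], str, str]:
    """Return (policy, severity, finding) for _dmarc.<domain>."""
    txts = [t for t in resolve(f"_dmarc.{domain}") if t.upper().startswith("V=DMARC1")]
    if not txts:
        return None, "high", "No _dmarc TXT record published; sender addresses can be spoofed."
    if len(txts) > 1:
        # RFC 7489 6.6.3: with more than one DMARC record, receivers apply no policy.
        return None, "high", "Multiple DMARC records published; receivers treat this as no policy."
    tags = parse_dmarc(txts[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return None, "high", "DMARC record present but p= tag missing or invalid; record is ignored."
    if policy == "none":
        return policy, "medium", "DMARC p=none only monitors; spoofed mail is still delivered."
    pct = int(tags.get("pct", "100"))  # RFC default is 100% of failing mail
    if pct < 100:
        return policy, "medium", f"DMARC p={policy} applied to only {pct}% of failing mail."
    return policy, "info", f"DMARC p={policy} enforced on 100% of failing mail."


# Constructed sample answers standing in for live DNS; not real zone data.
SAMPLE_TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:rua@monitor.example"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "_dmarc.nopolicy.example": [],  # the page's sample finding: nothing published
}


def sample_resolver(name: str) -> list[str]:
    return SAMPLE_TXT.get(name, [])
```

Calling `check_dmarc("nopolicy.example", sample_resolver)` yields the high-severity "No `_dmarc` TXT record published" finding shown above; the other constructed domains illustrate the monitor-only and partial-enforcement cases an auditor would also ask about.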
What the SOC 2 auditor will actually ask
The auditor will rarely ask for “an external scan.” They will ask for evidence that the control environment has visibility into the external attack surface. A time-stamped Dhara report, plus evidence of how findings were routed to engineering, is usually sufficient for CC7.1; for CC6.x criteria, the report itself is the evidence.