I’m working on a SOC 2 readiness platform and wanted to get perspectives from people who’ve actually been through SOC 2, either in-house or while helping other companies.
From what I’ve seen, teams still struggle most with task planning over time, follow-ups, and turning evidence into something that’s actually audit-ready. Many end up with a mix of spreadsheets, shared folders, and last-minute report building, even when they’re using dedicated tools.
I’m curious:
- Where did SOC 2 preparation break down most for you?
- What parts felt overly manual or fragile?
- If you’ve used tools like Vanta, Drata, or others, what did they do well and what didn’t they?
I recently launched a new version of a platform I’m building (https://www.lumoar.com) that focuses on automating task scheduling and generating pre-audit / gap analysis reports directly from controls and evidence, but I’m more interested in learning where the real gaps still are.
Would appreciate any candid experiences or advice.