SOC 2 Type 2 evidence for two controls you collect by hand
Most of a SOC 2 Type 2 observation window is spent keeping evidence current. Two control areas eat the most manual time: continuous monitoring of your external attack surface, and security awareness. HailBytes ASM and HailBytes SAT each produce the auditor-ready evidence for one of them — and both run in your own AWS or Azure account.
Two products, two control areas
This is not a GRC platform and it is not a compliance dashboard. Each product operationalizes one control area and exports the evidence your auditor reviews for it.
HailBytes ASM → Continuous monitoring (CC7)
ASM scans your internet-facing assets on a schedule and tracks vulnerabilities over time. That history is the evidence behind SOC 2 common criteria CC7.1 (vulnerability detection) and CC7.2 (monitoring for anomalies): scheduled external scan history, a discovered-asset inventory that changes over the window, and the vulnerability findings plus their remediation trail.
HailBytes SAT → Security awareness (CC1.4, CC2.2)
SAT runs phishing simulations and security-awareness training with completion logs. That record is the evidence behind CC1.4 (commitment to competence) and CC2.2 (internal communication of objectives and responsibilities): phishing-simulation campaign history, training completion logs, and branded completion records you can drop straight into the binder.
The control mapping
The mapping below follows the 2017 Trust Services Criteria. A single product does not satisfy a control end to end; it contributes the evidence an auditor expects to see for that control.
| Product | Control area | SOC 2 common criteria | Evidence produced |
|---|---|---|---|
| HailBytes ASM | Continuous monitoring of the external attack surface | CC7.1, CC7.2 | Scheduled external scan history, discovered-asset inventory over time, vulnerability findings and the remediation trail |
| HailBytes SAT | Security awareness and internal communication | CC1.4, CC2.2 | Phishing-simulation campaign history, training completion logs, branded completion records |
Need the full picture? The compliance & security page maps both products across fourteen frameworks (SOC 2, NIST CSF 2.0, HIPAA, PCI DSS 4.0, ISO 27001, LGPD and more).
What this is — and what it isn’t
We are precise about this on purpose, because your auditor will be too.
What’s true
- The products produce evidence for and operationalize these control areas.
- ASM gives a defensible, timestamped record of external attack-surface monitoring and vulnerability handling.
- SAT gives completion logs and campaign history for the awareness program.
- Both export an evidence package you hand your auditor.
What we never claim
- That a product “makes you compliant,” is “audit-proof,” or lets you “pass the audit.” Your controls and your auditor determine the outcome.
- Any guarantee of an audit result.
- That HailBytes itself is SOC 2 certified — see our own posture below.
HailBytes’ own posture: HailBytes is in a SOC 2 Type 2 direct audit engagement, in late-stage contracting (target attestation 2026-H2 to 2027-Q1, contingent on observation-window completion). That is a separate fact from the product evidence above and is documented for your vendor due diligence on the procurement & trust FAQ.
Evidence from infrastructure you already control
Both products are Bring-Your-Own-Cloud. They deploy in your own AWS or Azure account, so the evidence comes from infrastructure you control and you have one fewer subprocessor to add to the binder.
No shared data plane
Scan output and training records stay in your tenant. There is no HailBytes-hosted copy of your evidence to disclose in vendor review.
Built for the window, not the demo
There is a 30-day free trial, and both products can be paused between audit windows so they don’t burn hours when you don’t need them running.
Procurement you already have
Roughly $0.50/hour, billable through AWS Marketplace or Azure Marketplace on a contract you already hold — single-invoice, no new MSA.
Take two control areas off the manual pile
Start a trial on either product, or walk through the evidence each one exports with us first.