Build · 10 steps · 8-12 weeks for Type 1, plus 6 months observation for Type 2

Set up SOC 2 readiness

A SOC 2 Type 1 report you can send to enterprise prospects within 90 days, plus the evidence pipeline running so Type 2 lands 6-12 months later without a second sprint.


Spin up an agent for the heavy lifting

Drafting agent (yours): drafts the 12 core policies (Information Security, Access Control, Change Management, Incident Response, etc.) from your actual stack and team setup. Drafts the auditor PBC responses from the Evidence log.

10 steps, 20 official links, 4 agent prompts

Every external doc the agent needs to cite is pre-loaded into the workspace's Pointers table. No hunting for the right URL mid-draft.

What's inside

Pre-loaded so day one is execution.

6 Surfaces
10 Steps
4 Agent prompts
20 Official links
6 Tools mapped
Surfaces
  • Steps (table)
  • Controls (table)
  • SOC 2 readiness plan (doc)
  • Evidence log (table)
  • Sign-off (doc)
  • Status (doc)
How the loop works

Your agent works. Dock shows you what happened.

Open this template and you get a workspace seeded with an agent prompt. Connect your agent — Claude via our MCP, Cursor, your own setup — and it reads, drafts, and posts updates as it goes. You watch Dock for the latest.

  1. Connect your agent

    Claim an agent invite at trydock.ai/agent-invites — your agent gets an API key scoped to this workspace. Paste the key into Claude Desktop, Cursor, or any MCP client.

  2. Your agent reads the workspace

    The agent prompt at the top of the workspace tells your agent its role, the cadence to follow, and the surfaces to update. No extra setup — open Dock and your agent already knows what to do.

  3. Watch Dock for the latest

    Your agent posts to the Status surface after every meaningful action — newest at top. Wire the workspace's webhooks to Slack or email to get pinged in real time.

Wire it up · Claude Desktop

Add Dock as an MCP server in 30 seconds.

{
  "mcpServers": {
    "dock": {
      "command": "npx",
      "args": ["-y", "@trydock/mcp"],
      "env": {
        "DOCK_API_KEY": "<paste from /agent-invites>"
      }
    }
  }
}

Drop into ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or the equivalent on Windows / Linux. Restart Claude Desktop. Ask Claude: “Read trydock.ai/<org>/set-up-soc-2-readiness and follow the agent prompt.”
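
A pre-flight check for the config above, as an added example (not Dock's or Anthropic's code): it flags a config file that group or other users can access, a DOCK_API_KEY still set to the placeholder, and an npx package with no version pin. The three checks and the POSIX permission model are assumptions of this example, and the sample config is constructed from the snippet above.

```python
import json
import os
import re
import stat
import tempfile

PLACEHOLDER = re.compile(r"^<.*>$")           # e.g. "<paste from /agent-invites>"
PINNED = re.compile(r"^(@[^/@]+/)?[^@]+@\d")  # name@1.2.3 or @scope/name@1.2.3


def audit_mcp_config(path):
    """Return a list of findings for an MCP client config file (POSIX modes assumed)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The API key is stored in this file as plain text, so only the owner should have access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:o} lets group/other access the API key")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    for name, server in config.get("mcpServers", {}).items():
        for var, value in server.get("env", {}).items():
            if PLACEHOLDER.match(value):
                findings.append(f"{name}: {var} is still the placeholder")
        if server.get("command") == "npx":
            # First non-flag argument is the package spec that npx resolves.
            pkgs = [a for a in server.get("args", []) if not a.startswith("-")]
            if pkgs and not PINNED.match(pkgs[0]):
                findings.append(f"{name}: {pkgs[0]} is not version-pinned")
    return findings


def demo():
    """Audit a constructed copy of the config shown above, written with mode 644."""
    sample = {"mcpServers": {"dock": {
        "command": "npx", "args": ["-y", "@trydock/mcp"],
        "env": {"DOCK_API_KEY": "<paste from /agent-invites>"}}}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "claude_desktop_config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        return audit_mcp_config(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point audit_mcp_config at the real config path after pasting the key; an empty list means none of the three conditions were found.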

FAQ

Common questions on this template.

How much does SOC 2 actually cost for a startup?
Realistic 12-month total for a 10-30 person SaaS startup: $8k-$15k for a compliance automation tool (Vanta / Drata / Tugboat Logic), $15k-$30k for the Type 1 auditor, $25k-$50k for the Type 2 auditor when you get there, plus ~200 person-hours of internal work in year one. Total cash spend year one is usually $30k-$60k.
Can I do SOC 2 without a compliance tool?
Yes, technically. The AICPA standard doesn't require a tool. Manually it's a folder of policies + a spreadsheet of controls + a dropbox of screenshots + an auditor patient enough to work that way. The labor cost (~200 hours of evidence collection) usually exceeds the tool's annual cost. Pick a tool unless you have a security engineer with 20% of their time to spare.
How long does it really take to get SOC 2 ready?
Type 1 from a green field: 8-12 weeks if you're focused. Type 2: another 6-12 months, because of the mandatory observation window. The big-bang myth is that SOC 2 is a 4-week sprint; reality is it's 3 months of focused setup + ongoing operational discipline thereafter.
What's the most common SOC 2 audit failure?
Three failures dominate: (1) Access reviews documented but not actually remediated (auditor finds stale access that was 'reviewed'). (2) Policies that contradict actual practice (the policy says quarterly, the evidence shows annually). (3) Vendor management gaps (a critical vendor has no SOC 2 on file or no signed DPA).
Can my AI agents help with SOC 2 readiness?
Yes. Agents are particularly useful for: drafting the 12 core policies tuned to your actual stack, mapping your codebase + cloud config to in-scope systems, drafting answers to security questionnaires from a knowledge base, tracking quarterly review due dates and pinging the owner. The template ships agent prompts for those steps inline.
Do I need SOC 2 if I'm pre-revenue?
Probably not. SOC 2 is driven by enterprise procurement requirements. If your buyers are individual developers or small teams, ISO 27001 / SOC 2 isn't asked for. Wait until 2-3 enterprise prospects independently request a SOC 2 report — that's the buying signal. Doing SOC 2 before there's demand is a $30k spend without revenue impact.

Open it. Hand it to your agent. Ship.

One click mints a fresh workspace in your org with the template body seeded. Your agents, your team, your edits from there.

About this template

Curated by the Dock team at . Every template is a real shared workspace we run with our own agents before publishing.

Reviewed regularly by the Dock team. Each playbook step links to the upstream tool's official docs so we can re-verify the rules as platforms change.