RESEARCH · 485 COMPANIES · $291M+ TRACKED
We analyzed every page of 485 compliance reports from companies backed by a16z, Benchmark, Kleiner Perkins, Lightspeed, and Y Combinator.
The finding
A company that raised $75M from a16z produces the same SOC 2 report as a $500K seed startup.
Funding buys market access. It does not buy operational discipline.
$75M buys you the same SOC 2 as $500K.
Across 27 researched companies ($291M total), funding level shows no correlation with compliance quality. The highest-funded company scores identically to seed-stage startups. The best report in the dataset? A bootstrapped company from Canada.
About 70% of each report is copy-paste.
One auditor. Same template. Identical control descriptions across hundreds of companies. The unique signal lives in two places: the architecture diagram (page 18) and the vendor list. Everything else is boilerplate, so read those two pages and skim the rest.
78% hold a clean SOC 2 opinion without insuring against breach.
Insurers price cyber coverage on the same controls SOC 2 attests to (MFA, backups, endpoint protection, incident response). A company that trusted its controls would find coverage cheap and obvious. Its absence says more than the audit opinion.
100% have a disaster recovery plan. 49% have never tested it.
The gap between policy and practice is the real story. An untested DR plan is a document, not a capability. 88% run multi-AZ (close to a default for managed cloud services). Only 28% chose multi-region (a deliberate architecture and cost decision). SOC 2's availability criteria accept either as "available."
SOC 2 tells you nothing about what actually matters.
Code quality. SDLC process. Team capability. Deployment speed. Scalability. Tech debt. AI practices. Zero signal across 485 reports. SOC 2 validates how you operate, not what you've built.
SOC 2 is the starting line. Real Tech DD is the race.
The full report: 7 sections, 12 charts, 4,000 words.
What SOC 2 actually reveals about security, availability, infrastructure, and process discipline — section by section, with data for every claim.