SOC 2 Simulator — see your likely scope
Pick a profile, shape your system the way a DC 200 system description does (your commitments plus the infrastructure, software, people and data that deliver them), and watch the Trust Services Categories and an illustrative control set assemble in real time. Real scoping happens with your auditor; this shows you the shape of the conversation.
Choose a profile
Presets tuned to how these businesses typically scope. Everything stays editable.
Shape your system
These five groups mirror how a real SOC 2 system description is built: your commitments plus four of the five DC 200 system components (infrastructure, software, people, data). The fifth component, procedures, is not shaped here; it is what your control set ends up describing.
Commitments
Infrastructure
Software
People
Data
Your simulated control set
MFA on production & corporate access · CC6.1 · Software
Multi-factor authentication enforced for production systems and the identity provider.
Role-based access, least privilege · CC6.1 · Software
Access mapped to roles; production access granted only where the role requires it.
Joiner–mover–leaver provisioning · CC6.2 · People
Access granted on documented approval and revoked promptly on exit or role change.
Quarterly access reviews · CC6.2 · People
Recurring reviews of who can access what, with documented sign-off and removals.
Encryption in transit · CC6.7 · Infrastructure
TLS on all external and service-to-service traffic.
Encryption at rest & key management · CC6.1 · Data
Customer data encrypted at rest with managed, rotated keys. (CC6.1's points of focus cover encrypting stored data and protecting encryption keys; CC6.7 covers data in transmission.)
Illustration only. SOC 2 has no prescribed control list — the AICPA defines criteria and each organization designs controls to meet them. Your real control set is defined with your readiness team and tested by an independent licensed CPA firm. Why there is no official list →
How the simulator thinks
SOC 2 scope is driven by commitments, not checklists. Security — the Common Criteria CC1–CC9 — is in every examination. The other four Trust Services Categories attach only when you promise customers something they cover: an uptime SLA pulls in Availability, transaction processing pulls in Processing Integrity, confidentiality clauses pull in Confidentiality, and commitments to individuals about their personal data pull in Privacy. That is exactly the logic this simulator applies — transparently, next to each category.
The system-shaping step mirrors the components a real system description covers under DC 200 (infrastructure, software, people, procedures, and data), with procedures left to the control set and your commitments added as a group of their own, so the selections you make here translate directly into how your report would describe your environment. Cloud hosting introduces a subservice organization, which your report must treat using either the carve-out or the inclusive method; health or cardholder data flags regulatory overlays; a remote-first team shifts the control weight toward endpoints and identity.
What no simulator can do is decide your scope. That happens in readiness — mapping your actual contracts and data flows to criteria — and in dialogue with the independent licensed CPA firm that performs the examination. Tranquility Cybersecurity runs that readiness work and coordinates the examination through empanelled audit partners, across 500+ audits delivered. Start with What Is SOC 2? or the SOC 2 compliance checklist to see the full journey.
SOC 2 Simulator — common questions
Is this a real SOC 2 scoping exercise?
No — it is an illustration. Real scoping is a dialogue between your team, your readiness consultant, and the licensed CPA firm that performs the examination, grounded in your contracts, data flows, and system description. The simulator shows the shape of a typical scope so the real conversation starts from understanding, not a blank page.
Which Trust Services Categories are mandatory?
Only Security, the Common Criteria (CC1–CC9), is required in every SOC 2 examination. Availability, Processing Integrity, Confidentiality, and Privacy are added only when your commitments to customers make them relevant. Adding categories is not automatically better: each one adds criteria your controls must meet and evidence you must produce, in every examination period.
Are these the official SOC 2 controls?
There is no official SOC 2 control list. The AICPA defines criteria; each organization designs its own controls to meet them. The controls shown here are illustrative examples drawn from common practice — your real set would be tailored to your system and tested by the CPA firm.
How many controls will we actually have?
It varies with scope. Security-only reports commonly land somewhere in the tens to low hundreds of controls, and each additional category adds more. The simulator intentionally shows a representative subset, not an exhaustive population.
What do the PHI and cardholder-data flags mean?
They add overlay notes: health data pulls in HIPAA obligations and cardholder data pulls in PCI DSS, which are separate instruments from SOC 2 with their own assessment paths. A SOC 2 report can describe related controls, but it does not make you HIPAA compliant or PCI validated; PCI validation still requires its own SAQ or QSA-led assessment.
What should we do with this result?
Treat it as a conversation starter. The typical next steps are a readiness assessment against the criteria you actually need, remediation of gaps, an observation period during which your controls operate (required for a Type 2 report, which tests operating effectiveness over time rather than design at a point in time), and then the examination by an independent licensed CPA firm, which Tranquility Cybersecurity prepares you for and coordinates through empanelled audit partners.
Turn the simulation into a real scope
A 30-minute call with an auditor: your commitments, your system, and what your first examination should actually cover.
Free Assessment
No obligation, no sales pitch
Custom Roadmap
Tailored to your organization
Expert Guidance
500+ successful audits