No. A SOC 2 Type II report or an ISO 27001 certificate proves a vendor passed an audit on a specific date. It does not prove they are secure today. SolarWinds held both during the SUNBURST compromise. Change Healthcare was HIPAA-covered when an internet-facing Citrix portal with no multi-factor authentication let ransomware operators walk away with 190 million patient records. The certificates were current. The breaches still happened. This post explains why the compliance-versus-security gap is structural, names the live signals that close it, and sets up the rest of the series.
What does a compliance audit actually prove?
A compliance audit proves that a vendor produced evidence of certain controls during a defined window. The window is what differs across frameworks:
| Framework | Cadence | What it tests | What it does not |
|---|---|---|---|
| SOC 2 Type II | 6–12 month look-back, refreshed annually | Whether stated controls operated during the audit window | Whether they still operate today; whether all critical systems were in scope |
| ISO 27001 | 3-year certification with annual surveillance audits | Existence and management of an information security management system | Real-time effectiveness; vendor-product code-level vulnerabilities |
| HIPAA | Statutory obligation, not a certification | A regulator can investigate after a breach | Nothing pre-emptively; there is no certificate to verify at procurement |
None of these mechanisms run continuously, and none watches the vendor’s external attack surface on the day you ask.
That gap has a name in this series: the Paperwork View. Auditors check the audit surface. Attackers attack the attack surface. The two rarely overlap.
Why do certified and compliant vendors still get breached?
Certified vendors still get breached because compliance audits test a defined scope at a point in time. They cannot detect unknown vulnerabilities, controls that exist on paper but not in practice, or drift after the audit closes. Three structural reasons:
- Scope. Audits cover what an organisation claims to operate. The 2023 MOVEit Transfer breach exploited a zero-day SQL injection flaw (CVE-2023-34362) in a SOC 2 and ISO 27001 attested product. The standard’s scope was never designed to find unknown vulnerabilities in code, and 2,700 organisations and 93 million individuals paid the price.
- Self-attestation. A vendor describes its own controls. The audit tests whether those described controls operated. If a control is missing from the description, it is missing from the test. Change Healthcare’s official MFA policy required multi-factor authentication on all external systems. CEO Andrew Witty confirmed before the Senate Finance Committee that the Citrix portal ALPHV/BlackCat used as the entry point had never had MFA enabled.
- Cadence. Annual or semi-annual attestation describes the vendor’s controls on the audit date. It says nothing about the Compliance Drift Window: the period between then and now in which configurations change, vendors deploy new code, sub-processors swap, credentials leak, and fresh CVEs land in the CISA Known Exploited Vulnerabilities catalogue. IBM’s 2025 Cost of a Data Breach Report puts the median time to detect and contain a supply-chain breach at 267 days. The audit was clean. For nine months after the auditors left, only the attackers knew it no longer was.
What does the data say about the gap?
Verizon’s 2025 Data Breach Investigations Report, drawn from 12,195 confirmed breaches, found that third-party involvement doubled year-over-year from 15% to 30%. The third party was, in most cases, a vendor with current attestations.
Black Kite’s 2026 Third-Party Breach Report studied the “Elite 50”: the 50 most widely shared critical vendors across Fortune 2000 supply chains. Seventy percent of them carry at least one unpatched CISA KEV vulnerability on their public estate. Eighty-four percent have critical CVSS 8+ flaws. Sixty-two percent have corporate credentials sitting in infostealer logs today. These vendors pass audits. Attackers read the attack surface instead.
Can you still trust the audit itself?
The certifying body has started warning about its own product.
Across three articles between February and May 2026, the AICPA’s official Journal of Accountancy documented a degradation in SOC 2 audit quality. Terry O’Brien (Schellman) said of one set of reports: “You just know it’s a template. You can compare any five of their reports, and they’re all exactly the same.” Jeff Cook (Fortreum) was sharper: “It’s not worth the paper it’s on.”
> “Some firms are leaning too heavily on third-party SOC platforms without applying professional judgment required by standards.”

Carl Mayes, AICPA VP for Ethics and Firm Quality, confirmed as much in May 2026.
The Delve allegations, published anonymously in March 2026 and under AICPA inquiry, are the live case. A whistleblower alleges that a compliance-automation firm issued roughly 494 SOC 2 reports, 493 of them near-identical templates. Delve denies it. When the audit becomes a commodity product, the certificate stops being a security signal.
Questionnaire vs. Reality
- Questionnaire Says: “We enforce multi-factor authentication on all external-facing systems. Annual audit confirms control operating effectiveness.”
- Reality Shows: A public-facing Citrix portal at a HIPAA-covered subsidiary processing 190 million patients’ data ran without MFA on the day the ransomware operators logged in. The policy was real. The control was never tested against the actual attack surface. (Change Healthcare, February 2024.)

What does a Reality View of a vendor look like?
Elasticito’s Reality View ignores what the vendor says it does and measures what the vendor actually does. Six observable signals run continuously:
- KEV exposure on the public estate. Count every CISA Known Exploited Vulnerability sitting unpatched on the vendor’s internet-facing assets.
- Patch cadence. Measure the days between CVE disclosure and remediation, against the vendor’s stated SLA.
- Leaked credentials. Track corporate credentials surfacing in infostealer logs and combo lists across the past 90 days.
- Sub-processor and fourth-party sprawl. Map who the vendor depends on and assess their posture in turn.
- Email and DNS hygiene. Confirm SPF, DKIM, and DMARC enforcement and TLS currency. Cheap signals of operational discipline.
- Attack-path reachability. Trace the line from a compromise of this vendor to your data.
None of these are visible in a SOC 2 report. All of them are visible to attackers using free tools.
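To make the six signals concrete, here is an added example (not Elasticito's or Black Kite's code) that computes four of them from constructed inventory data: KEV exposure on internet-facing hosts, patch latency against the vendor's stated SLA, credential leaks in the last 90 days, and DMARC enforcement as the email-hygiene check. The KEV set, CVE ids (`CVE-0000-…` placeholders), hostnames, dates and the DMARC record are all constructed for the example; a real run would pull the KEV catalogue from CISA and the findings from external scanning. The DMARC check goes slightly beyond the text by treating `p=quarantine` with `pct=50` as not enforced, since a partial-percentage policy still lets half of spoofed mail through.

```python
"""Reality View signals from constructed vendor data (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the CISA KEV catalogue; these ids are placeholders.
KEV_CATALOGUE = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}

# Fixed "today" so the example is deterministic.
TODAY = date(2026, 5, 29)


@dataclass
class Finding:
    cve: str
    host: str
    disclosed: date
    remediated: Optional[date] = None  # None means still open on the public estate


@dataclass
class VendorObservation:
    name: str
    findings: List[Finding]
    leaked_credentials: List[date]  # dates credentials surfaced in infostealer logs
    dmarc_record: Optional[str]     # _dmarc TXT record, or None if absent
    patch_sla_days: int             # the vendor's own stated remediation SLA


def kev_exposure(v: VendorObservation) -> List[str]:
    """Signal 1: KEV entries still unpatched on internet-facing assets."""
    return sorted({f.cve for f in v.findings if f.remediated is None and f.cve in KEV_CATALOGUE})


def patch_latency(v: VendorObservation) -> Tuple[int, int]:
    """Signal 2: days from disclosure to fix (or to today if still open).
    Returns (worst latency in days, number of findings over the vendor's SLA)."""
    latencies = [((f.remediated or TODAY) - f.disclosed).days for f in v.findings]
    breaches = sum(1 for d in latencies if d > v.patch_sla_days)
    return (max(latencies) if latencies else 0, breaches)


def recent_leaks(v: VendorObservation, window_days: int = 90) -> int:
    """Signal 3: corporate credentials surfacing in the look-back window."""
    cutoff = TODAY - timedelta(days=window_days)
    return sum(1 for d in v.leaked_credentials if d >= cutoff)


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into lowercase tag -> value pairs; None if not DMARC."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    return tags


def dmarc_enforced(record: Optional[str]) -> bool:
    """Signal 5 (email hygiene): enforced only if the policy is quarantine/reject
    and applies to all mail (pct defaults to 100 when absent)."""
    tags = parse_dmarc(record)
    if tags is None:
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return policy in ("quarantine", "reject") and pct == 100


def reality_view(v: VendorObservation) -> Dict[str, object]:
    """Assemble the live signals a SOC 2 report would not show."""
    worst, breaches = patch_latency(v)
    return {
        "vendor": v.name,
        "open_kev": kev_exposure(v),
        "worst_patch_latency_days": worst,
        "sla_breaches": breaches,
        "leaked_credentials_90d": recent_leaks(v),
        "dmarc_enforced": dmarc_enforced(v.dmarc_record),
    }


# Constructed vendor: audit-ready on paper, exposed on the live estate.
SAMPLE_VENDOR = VendorObservation(
    name="example-vendor",
    findings=[
        Finding("CVE-0000-0001", "vpn.example-vendor.invalid", date(2026, 3, 1)),                       # open, in KEV
        Finding("CVE-0000-0002", "mail.example-vendor.invalid", date(2026, 1, 10), date(2026, 1, 20)),  # fixed in 10 days
        Finding("CVE-0000-9999", "www.example-vendor.invalid", date(2026, 4, 15)),                      # open, not in KEV
    ],
    leaked_credentials=[date(2026, 5, 1), date(2026, 4, 20), date(2025, 12, 1)],
    dmarc_record="v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example-vendor.invalid",
    patch_sla_days=30,
)

if __name__ == "__main__":
    for key, value in reality_view(SAMPLE_VENDOR).items():
        print(f"{key}: {value}")
```

On the constructed data the vendor shows one open KEV entry, a worst patch latency of 89 days with two findings past its 30-day SLA, two credential leaks inside the 90-day window, and a DMARC policy that is not enforced because `pct=50` exempts half of its mail. None of those four facts would appear in a Type II report whose window closed before the findings existed.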
How does Elasticito close the compliance-versus-security gap?
Elasticito runs Third-Party Risk Management as continuous threat modelling, not annual paperwork. Using Black Kite’s continuous cyber risk ratings, the platform monitors every vendor against the six signals above every day, then maps each vendor’s posture to the attack paths that reach your data. The certifications stay where they belong, as a procurement floor. Your team acts on the live signal.
FAQ
Can a company be SOC 2 certified and still get hacked?
Yes. SolarWinds, MOVEit Transfer, Okta, Snowflake, and Microsoft were all SOC 2 attested at the time of significant compromises between 2020 and 2024. A SOC 2 attestation describes controls during a past audit window. It is not a real-time security signal and does not test for unknown vulnerabilities in vendor software.
What is the difference between compliance and security?
Compliance is the evidence that an organisation meets a defined standard at a defined point in time. Security is the live state of an organisation’s defences against the threats it faces today. The two overlap but are not the same. A vendor can be compliant on Monday and breached on Tuesday with both statements remaining true.
Is SOC 2 certification enough for vendor due diligence?
No. A SOC 2 report is necessary but not sufficient. It confirms a vendor has documented its controls and submitted to independent review. It does not confirm those controls operate today against current threats. Pair it with continuous external monitoring of the vendor’s attack surface, KEV exposure, patch cadence, and credential leakage.
What does SOC 2 compliance actually prove?
SOC 2 is an attestation, not a certification. A licensed CPA firm examined a defined set of controls over a defined period, and reported that those controls were designed and (for Type II) operating effectively. It does not prove the controls are operating today, that all critical systems were in scope, or that the auditor was rigorous. The AICPA itself acknowledged in 2026 that some firms are issuing template reports inconsistent with the standard.
What’s the difference between a SOC 2 audit and continuous security monitoring?
A SOC 2 audit is a snapshot. It samples evidence over a past window and reports a point-in-time judgement. Continuous monitoring observes the vendor’s external attack surface every day, surfacing KEV exposure, patch latency, leaked credentials, and configuration drift as they happen. The audit answers “did the control exist?” Continuous monitoring answers “is the vendor exploitable right now?”
The lesson
A compliance certificate tells you the vendor was audit-ready on a date in the past. It does not tell you whether they are breach-ready today.
If you would rather manage risk than manage folders, join Elasticito and Threatplane on 15 July 2026 for Your Questionnaire Won’t Save You: Discover the Vendors Most Likely to Breach You Next.
Created: 2026-05-29 / Reviewed: 2026-05-29