June 5, 2026

The Paperwork Paradox: Does Compliance Make You Secure?

A SOC 2 Type II report or an ISO 27001 certificate proves a vendor passed an audit on a specific date. It does not prove they are secure today. SolarWinds held both during the SUNBURST compromise. Change Healthcare was HIPAA-covered when an internet-facing Citrix portal with no multi-factor authentication let ransomware operators walk away with 190 million patient records. The certificates were current. The breaches still happened. Call it bad luck if you like, but the gap between a clean audit and a secure vendor is structural, not accidental. This post explains why audits miss it, what the breach data shows, and what to watch instead.

What does a compliance audit actually prove?

A compliance audit proves that a vendor produced evidence of certain controls during a defined window. It establishes a baseline, not a guarantee. What differs across frameworks is the size of that window, and how little of today it covers:

SOC 2 Type II (an attestation, not a certification)
  Cadence: 6–12 month look-back, refreshed annually
  What it tests: whether stated controls operated during the audit window
  What it does not: whether they still operate today; whether all critical systems were in scope

ISO 27001
  Cadence: 3-year certification with annual surveillance audits
  What it tests: existence and management of an information security management system
  What it does not: real-time effectiveness; code-level vulnerabilities in the vendor's product

HIPAA
  Cadence: statutory obligation, not a certification
  What it tests: a regulator can investigate after a breach
  What it does not: nothing pre-emptively; there is no certificate to verify at procurement

None of these mechanisms runs continuously, and none watches the vendor’s external attack surface on the day you ask. That gap has a name in this series: the Paperwork View. Auditors check the audit surface. Attackers attack the attack surface. The two rarely overlap.

A genuine certificate and a breached vendor coexist for a reason, and that reason sits in the audit’s design.

Why do certified and compliant vendors still get breached?

Certified vendors still get breached because compliance audits test a defined scope at a point in time. A clean audit is a static snapshot, not a live reading. Three structural reasons sit underneath that, each with a named crater in the public record.

  1. The first is scope. Audits cover what an organisation claims to operate, and a standard built to test organisational controls was never designed to find unknown flaws in code. That is the seam the 2023 MOVEit Transfer breach tore open: a zero-day SQL injection flaw (CVE-2023-34362) in a SOC 2 and ISO 27001 attested product. The audit was clean; 2,700 organisations and 93 million individuals paid the price.
  2. The second is self-attestation. A vendor describes its own controls, and the audit only tests what the vendor describes. Change Healthcare’s policy required multi-factor authentication on all external systems, a control any auditor would tick. CEO Andrew Witty later confirmed before the Senate Finance Committee that the Citrix portal ALPHV/BlackCat used as their entry point had never had MFA enabled. The policy was real; nobody checked it against the box the attackers walked through.
  3. The third is cadence. Annual attestation describes the vendor’s controls on the audit date and says nothing about what we call the Compliance Drift Window: the gap between then and now, as settings change, vendors deploy new code, sub-processors swap, credentials leak, and fresh CVEs land in the CISA Known Exploited Vulnerabilities catalogue. IBM’s 2025 Cost of a Data Breach Report puts the median time to detect and contain a supply-chain breach at 267 days. For nine months after the auditors left, only the attackers knew the audit no longer held.

Three incidents are not a trend, though. The breach data is.

What does the data say about the gap?

The breach data confirms the gap is real and widening. Verizon’s 2025 Data Breach Investigations Report, drawn from 12,195 confirmed breaches, found third-party involvement doubled year-over-year from 15% to 30%. In most of those cases the third party was a vendor with current attestations.

Black Kite’s 2026 Third-Party Breach Report studied the “Elite 50”: the 50 most widely-shared critical vendors across Fortune 2000 supply chains. Seventy percent of them carry at least one unpatched CISA KEV vulnerability on their public estate. Eighty-four percent have critical CVSS 8+ flaws. Sixty-two percent have corporate credentials sitting in infostealer logs today. These are the vendors most enterprises depend on, and they pass their audits. Attackers read the attack surface instead.

The audit itself was at least meant to be sound. That assumption is now under strain.

Can you still trust the audit itself?

The certifying body has started warning about its own product. In early 2026 the AICPA’s official Journal of Accountancy documented a degradation in SOC 2 audit quality. Terry O’Brien of Schellman said of one set of reports: “You just know it’s a template. You can compare any five of their reports, and they’re all exactly the same.” Jeff Cook of Fortreum was blunter: “It’s not worth the paper it’s on.”

AICPA VP for Ethics and Firm Quality Carl Mayes confirmed in May 2026: “Some firms are leaning too heavily on third-party SOC platforms without applying professional judgment required by standards.”

The Delve allegations, published anonymously in March 2026 and under AICPA inquiry, are the live case. A whistleblower alleges a compliance-automation firm issued roughly 494 SOC 2 reports, 493 of them near-identical templates. Delve denies it. But when the audit becomes a commodity product, the certificate stops being a security signal.

One vendor makes the gap concrete:

Questionnaire vs. Reality

  • Questionnaire Says: “We enforce multi-factor authentication on all external-facing systems. Annual audit confirms control operating effectiveness.”
  • Reality Shows: A public-facing Citrix portal at a HIPAA-covered subsidiary processing 190 million patients’ data ran without MFA on the day the ransomware operators logged in. The policy was real. The control was never tested against the actual attack surface. (Change Healthcare, February 2024.)

If the paperwork can be this wrong, the question is what you watch instead.

What does a Reality View of a vendor look like?

Elasticito’s Reality View ignores what a vendor says and measures what it does. It watches the observable signals an attacker can already see, every day, rather than sampling them once a year.

The sharpest is KEV exposure on the public estate: every CISA Known Exploited Vulnerability sitting unpatched on a vendor’s internet-facing assets, the list attackers prioritise. Patch cadence sits alongside it: the days between CVE disclosure and remediation, measured against the vendor’s own SLA. Across the vendor portfolios we monitor, we have measured vendors taking 112 days to patch a critical CVE while their questionnaire still claimed a 30-day SLA. Stolen sessions matter too: pre-authenticated corporate logins in infostealer logs were the exact vector UNC5537 used against roughly 165 Snowflake customer tenants in 2024, as well as an initial access vector in the recent Stryker attack. Sub-processor sprawl is the next signal, the way Capital One’s 2019 breach traced to one misconfigured AWS role. Basic email and DNS hygiene rounds it out, a cheap tell of operational discipline.

None of this appears in a SOC 2 report. All of it is visible to attackers using free tools.
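To make the Reality View signals above concrete, here is an added Python example (not Elasticito’s or Black Kite’s code) that scores a single vendor from constructed telemetry: days since the last clean audit (the Compliance Drift Window from the cadence point earlier in the post), open findings that sit on the CISA KEV list, patch latency against the SLA claimed in the questionnaire, credential hits in infostealer logs, and the DMARC policy parsed from a TXT record as a basic email-hygiene tell. Every vendor name, date, DNS record and CVE-0000-* identifier is a constructed placeholder; only CVE-2023-34362 comes from the post, and its remediation date here is also made up.

```python
"""Reality View signals over constructed vendor telemetry.

Added example, not Elasticito's or Black Kite's code. Every vendor, date,
DNS record and CVE id here is constructed for illustration, except
CVE-2023-34362 (the MOVEit flaw the post cites); its remediation date
below is also made up.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Finding:
    cve: str
    cvss: float
    disclosed: date
    remediated: Optional[date] = None   # None: still open on the public estate


@dataclass
class Vendor:
    name: str
    attestation_date: date          # date of the last clean SOC 2 / ISO 27001 audit
    claimed_sla_days: int           # patch SLA stated in the questionnaire
    findings: list = field(default_factory=list)
    infostealer_hits: int = 0       # corporate logins seen in infostealer logs
    dns_txt: dict = field(default_factory=dict)   # label -> TXT record text


def drift_days(vendor: Vendor, today: date) -> int:
    """Compliance Drift Window: days elapsed since the audit date."""
    return (today - vendor.attestation_date).days


def patch_latency(f: Finding, today: date) -> int:
    """Days from CVE disclosure to remediation, or to today if still open."""
    return ((f.remediated or today) - f.disclosed).days


def unpatched_kev(vendor: Vendor, kev: set, today: date) -> list:
    """Open findings that are on the CISA KEV list: the attacker's priority list."""
    return sorted(f.cve for f in vendor.findings
                  if f.cve in kev and f.remediated is None)


def sla_breaches(vendor: Vendor, today: date) -> list:
    """(cve, days) pairs whose observed latency exceeds the SLA the vendor claims."""
    return [(f.cve, patch_latency(f, today)) for f in vendor.findings
            if patch_latency(f, today) > vendor.claimed_sla_days]


def dmarc_policy(vendor: Vendor) -> str:
    """Extract the p= tag from the _dmarc TXT record ('missing' if absent)."""
    for tag in vendor.dns_txt.get("_dmarc", "").split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return "missing"


def reality_view(vendor: Vendor, kev: set, today: date) -> dict:
    """Summarise the observable signals and list the reasons a buyer should act."""
    kevs = unpatched_kev(vendor, kev, today)
    breaches = sla_breaches(vendor, today)
    critical_open = sorted(f.cve for f in vendor.findings
                           if f.remediated is None and f.cvss >= 8.0)
    dmarc = dmarc_policy(vendor)
    flags = []
    if kevs:
        flags.append(f"{len(kevs)} unpatched KEV on public estate")
    if breaches:
        flags.append(f"patch SLA ({vendor.claimed_sla_days}d) missed on {len(breaches)} CVE(s)")
    if critical_open:
        flags.append(f"{len(critical_open)} open CVSS 8+ flaw(s)")
    if vendor.infostealer_hits:
        flags.append(f"{vendor.infostealer_hits} credential(s) in infostealer logs")
    if dmarc in ("missing", "none"):
        flags.append(f"DMARC policy {dmarc}")
    return {"vendor": vendor.name, "drift_days": drift_days(vendor, today),
            "kev": kevs, "sla_breaches": breaches, "critical_open": critical_open,
            "infostealer_hits": vendor.infostealer_hits, "dmarc": dmarc, "flags": flags}


# Constructed sample: a vendor whose questionnaire claims a 30-day patch SLA.
TODAY = date(2026, 6, 5)
KEV_CATALOGUE = {"CVE-2023-34362", "CVE-0000-0001"}   # CVE-0000-* ids are placeholders
SAMPLE_VENDOR = Vendor(
    name="ExampleVendor (constructed)",
    attestation_date=date(2025, 9, 1),
    claimed_sla_days=30,
    findings=[
        Finding("CVE-2023-34362", 9.8, date(2023, 5, 31), date(2023, 6, 10)),  # closed
        Finding("CVE-0000-0001", 9.1, date(2026, 2, 13)),   # open, on KEV, 112 days
        Finding("CVE-0000-0002", 7.5, date(2026, 5, 20)),   # open, still inside SLA
    ],
    infostealer_hits=3,
    dns_txt={"_dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"},
)

if __name__ == "__main__":
    view = reality_view(SAMPLE_VENDOR, KEV_CATALOGUE, TODAY)
    print(f"{view['vendor']}: audit is {view['drift_days']} days old")
    for flag in view["flags"]:
        print("  -", flag)
```

Run against the sample, the vendor, audited nine months earlier with a clean report, shows an open KEV-listed flaw at 112 days against a claimed 30-day SLA, three credentials in stealer logs and a monitoring-only DMARC policy, none of which the audit would report. In practice the constructed inputs would be replaced by the CISA KEV feed, an external scan of the vendor’s estate, a stealer-log lookup and live DNS queries, but the scoring logic is the same.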

How does Elasticito close the compliance-versus-security gap?

Elasticito runs Third-Party Risk Management as continuous threat modelling, not annual paperwork. Using Black Kite’s continuous cyber risk ratings, it watches every vendor against those signals daily, then maps each one’s posture to the attack paths that reach your data. Certifications stay where they belong, as a procurement floor. Your team acts on the live signal instead of the annual one.

FAQ

Can a company be SOC 2 certified and still get hacked?

Yes. SolarWinds, MOVEit Transfer, Okta, Snowflake, and Microsoft were all SOC 2 attested at the time of significant compromises between 2020 and 2024. A SOC 2 attestation describes controls during a past audit window. It is not a real-time security signal, and it does not test for unknown vulnerabilities in vendor software.

Is SOC 2 certification enough for vendor due diligence?

No. A SOC 2 report is necessary but not sufficient for vendor due diligence. It confirms a vendor has documented controls and submitted to independent review, a procurement floor and nothing more. It does not substitute for continuous external monitoring of the vendor’s attack surface, KEV exposure, patch cadence, and credential leakage.

What does SOC 2 compliance actually prove?

SOC 2 is an attestation, not a certification. A licensed CPA firm examined a defined set of controls over a defined period, graded against the five AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), and reported that those controls were designed and (for Type II) operating effectively. It does not prove the controls are operating today, that all critical systems were in scope, or that the auditor was rigorous. The AICPA itself acknowledged in 2026 that some firms are issuing template reports inconsistent with the standard.

What’s the difference between a SOC 2 audit and continuous security monitoring?

A SOC 2 audit is a snapshot. It samples evidence over a past window and reports a point-in-time judgement. Continuous monitoring observes the vendor’s external attack surface every day, surfacing KEV exposure, patch latency, leaked credentials, and configuration drift as they happen. The audit answers “did the control exist?” Continuous monitoring answers “is the vendor exploitable right now?”

Conclusion: why compliance certificates can’t prove a vendor is secure

A compliance certificate tells you the vendor was audit-ready on a date in the past. It does not tell you whether they are breach-ready today.

If you would rather manage risk than manage folders, join Elasticito and Threatplane on 15 July 2026 for Your Questionnaire Won’t Save You: Discover the Vendors Most Likely to Breach You Next.

Created: 2026-05-29 / Reviewed: 2026-06-23
