If your SOC 2 prep cost $4,500, your SOC 2 prep is a fucking lie. Your auditor will figure that out in about 45 minutes.
Scenario: An SMB owner needs a SOC 2 report because a major customer is requesting one. SMB owner gets a quote from a real SOC 2 compliance readiness firm and goes pale. SMB owner finds a guy on a freelance marketplace offering SOC 2 readiness in 90 days for $4,500. SMB owner takes the deal and exhales.
What the owner doesn't realize is that bargain-basement compliance buys you a "package." The package contains policies. The policies contain phrases like "the Company will" and "the Company shall," and if you read them carefully, you will notice that one of them refers to a fire suppression system that doesn't exist in your office, and another one names a previous client by accident. The risk assessment is a spreadsheet. The spreadsheet rates everything as "medium." The incident response plan instructs you to contact the CISO, but you don't have one. The deliverable is technically complete, but it's a Halloween costume.
Then comes the audit.
The auditor isn't stupid. The auditor has seen this package before, from a hundred different companies, with the names changed and the typos preserved. The auditor starts asking questions that Halloween costumes can't answer. "Walk me through what happened the last time you executed your incident response plan." "Show me the evidence that this control operated for the past six months." "Who owns this risk and where is that documented?" The wheels fall off in about 45 minutes. I told you they would.
Now the company has a SOC 2 report riddled with exceptions. They're explaining to their biggest customer why their security program didn't pass muster while simultaneously trying to figure out who will build the real one before that customer signs with a competitor.
The math on this is brutal. Original engagement: $4,500. Remediation done correctly: $40,000 to $80,000, depending on how big a hole was dug. Audit reissue: another five-figure number. Customer renewal at risk: seven figures. Three months of leadership war-room time: not free. So the bargain-basement $4,500 prep is now 15x, with a year of stress stapled to the bill.
Nobody is incentivized to tell you this. The vendor who sells a $4,500 package isn't going to sell you a $40,000 service. They're going to close the deal. That's their job. Determining whether $4,500 is enough is the buyer's responsibility, and the buyer is almost always wrong because they've never built a real compliance program and don't know what it costs. I'm not being smug about this. Twenty years ago, I would've made the same call. Everyone has to learn this once. The point is not to need to learn it twice.
Infosec compliance isn't a deliverable. It's a program that never stops. It's a daily discipline, whether you're paying attention or not. The audit and final SOC 2 report are the visible parts. The actual prep work is the boring, unglamorous, every-quarter discipline of reviewing controls, gathering evidence, training people, testing your response plans, and updating policies when your business changes. A "package" can't do that. A real program does. And a real program doesn't cost $4,500, because nobody can do the work required for that price. It's arithmetic, and arithmetic isn't negotiable.
Before you sign anything, find out what it actually costs to build, run, and maintain a SOC 2-compliant program. If you don't know, you're not ready to negotiate the price yet. Then decide whether you're buying a deliverable or a program. If you're buying a deliverable, you're buying a Halloween costume. And ask whether the vendor will be on the phone with you during the audit to answer questions. If the answer is no, you're not buying a partnership; you're buying a transaction, and compliance isn't a transaction.
If you already bought the $4,500 prep and you're reading this with a sinking feeling, the good news is this can be fixed. The bad news is that it's not free. Start by getting honest about what you actually need. Read your policies and see if they describe how your business actually operates. Pull your evidence and see if it exists. Talk to a real compliance professional and find out what cleanup actually looks like. The longer you wait, the harder the conversation with your customer will be when they ask.
Compliance is one of the few places in business where the bargain costs more than the premium. Everyone in the industry knows this. The only people who don't are the buyers who haven't yet been blindsided.
Take it seriously, or don't. Those are the two honest options. The third option, pretending, only works until it doesn't.