Startup Cybersecurity // 2026
AI ComplianceApril 16, 2026·11 min read

SOC 2 Evidence Checklist for Developers: What Auditors Actually Need from Engineering

SOC 2 gets expensive when engineering has to reconstruct proof after the fact. The easiest path is to treat evidence as an output of normal operations, not a special project during audit season.

The Audit Reality

Auditors do not care that you intended to have controls. They care that the controls existed, ran consistently, and left evidence. For engineering, that usually means showing access boundaries, change controls, logging, vulnerability management, backup discipline, and incident handling in a form someone else can verify.

Engineering teams often experience SOC 2 as a documentation burden because the request arrives late. Suddenly someone asks for proof of branch protection, vulnerability scanning, access reviews, backup testing, and incident handling across months of activity. If none of that was captured along the way, the audit becomes archaeology.

The better approach is to build the evidence trail into normal engineering work. That means knowing which controls matter, which artifacts prove them, and which signals can be automated every month so nobody has to scramble for screenshots and memory.

8
Engineering evidence categories auditors ask for first
1
Best strategy: evidence as a byproduct of operations
0
Value in policies without executable proof

What Auditors Expect from Engineering

Auditors are not looking for security jargon. They are looking for repeatable control operation. If engineering says code changes require review, there should be branch protection and PR history showing that. If the company says it scans for vulnerabilities, there should be recent reports and remediation records. If access is restricted, there should be logs or permission settings that demonstrate how.

This is why engineering evidence tends to cluster around a few core themes: who can access systems, how changes are approved, how risk is detected, how incidents would be investigated, and how critical data can be recovered. The exact tooling matters less than the fact that the evidence is clear and current.

For startups, the fastest audit wins come from collecting the evidence you already produce and fixing the control gaps where no evidence exists because the control itself is weak.

The Engineering Evidence Checklist

Branch protection on critical repos

SDLC

Show that the default branch requires review and that risky changes cannot merge silently.

Access control records for production systems

Access

Be able to show who can access cloud consoles, databases, CI secrets, and production admin tools.

Recent vulnerability scan evidence

Scanning

Application and dependency scanning reports prove that code risk is checked on a recurring basis.

Change history for security-sensitive releases

Change Mgmt

Auditors want to see that significant changes were reviewed, not pushed ad hoc into production.

Audit logs for admin or privileged actions

Logging

You should be able to answer who changed permissions, billing settings, or customer-impacting config.

Backup and restore evidence

Recovery

Not just backup configuration, but proof that the system can actually be restored within the business expectation.

Incident record or tabletop output

IR

Even if no major incident occurred, show that there is a defined response process and who owns it.

Monthly or periodic access review proof

Review

A simple recurring review beats hand-wavy claims that only the right people have access.

A Simple Audit Event Pattern Auditors Understand

Structured audit logging is one of the clearest engineering artifacts because it ties a control claim to real system behavior.

No Durable Audit Signal
export async function POST(req: Request) {
  const body = await req.json();
  await db.update(workspaces)
    .set({ plan: body.plan })
    .where(eq(workspaces.id, body.workspaceId));

  return Response.json({ ok: true });
}
Durable Audit Event
await db.update(workspaces)
  .set({ plan: body.plan })
  .where(eq(workspaces.id, body.workspaceId));

await db.insert(auditLogs).values({
  workspaceId: body.workspaceId,
  actorUserId: userId,
  action: 'workspace.plan_updated',
  metadata: { nextPlan: body.plan },
  createdAt: new Date(),
});

Audit logs do not need to be complex to be useful. They just need to be consistent, attributable, and retained long enough to support review and investigation.

How to Make Evidence Easy Every Month

Automation

Automate recurring scans

A dated scan history is much easier to present than a one-off report run in panic mode before the auditor arrives.

Ops

Standardize screenshots and exports

Decide in advance what branch protection, access review, and backup evidence should look like so retrieval is fast.

Logging

Log privileged actions intentionally

If you only log errors, you cannot prove that sensitive actions were attributable and reviewed.

Ownership

Tie controls to owners

Evidence is easier to maintain when each control has a named engineering or platform owner.

Produce Evidence Continuously

Turn Engineering Controls Into Audit-Ready Proof

Run recurring scans and close the control gaps that leave you with policy language but no executable evidence behind it.

// npx custodia-cli scan
$ npx custodia-cli scan

  ┌──────────────────────────────────────────────────────┐
  │  CUSTODIA.DEV  //  STARTUP SECURITY ANALYSIS         │
  └──────────────────────────────────────────────────────┘

  HIGH     LOG-02 Missing audit event on admin change
          src/app/api/admin/workspaces/[id]/route.ts:34
          Privileged mutation updates tenant settings without a durable audit record.

  MEDIUM   AUTH-03 Weak branch-protection parity in deploy path
          scripts/deploy-prod.ts:12
          Production deployment script can run outside standard reviewed CI workflow.

  MEDIUM   SEC-04 No recent application scan evidence path
          package.json
          No recurring code scan command or documented scheduled scan workflow detected.

  ───────────────────────────────────────────────────────
  OUTPUT: file-level findings, fix guidance, severity map
  COVERAGE: auth, secrets, injection, access control, AI
Scan My CodebaseView Demo Report

Frequently Asked Questions

What kind of evidence do auditors ask developers for?

They usually ask for proof around change control, access management, vulnerability scanning, logging, backup and recovery, and incident readiness. In practice that means repo settings, reports, logs, and configuration evidence that show the controls really operate.

Do we need expensive tooling to produce SOC 2 evidence?

Not necessarily. Many startups can produce strong evidence with the tools they already use if the controls are explicit and the outputs are retained consistently.

Why do auditors care about vulnerability scans?

Because scans are objective proof that application risk is being checked regularly. A written policy without recent scan evidence is weak.

Do engineering teams need to keep screenshots for everything?

Not for everything, but visual evidence is still common for branch protection, access settings, and admin configuration. The best evidence strategy mixes screenshots, reports, logs, and exported settings.

What makes SOC 2 evidence painful?

Trying to recreate it after the fact. If evidence is not generated as part of normal operations, audit prep becomes a manual scramble.

Related Articles
CybersecuritySeries A Security Checklist for StartupsAI ComplianceSOC 2 for AI CompaniesCLI GuidesIntegrate a Security Scanner into GitHub Actions