5-step configurator · mid-scenario figures

Configure your SOC 2 budget in five steps.

Pick your company size, approach, report path, starting posture, and trust criteria. The configurator returns three numbers (year 1 budget, year 2+ run-rate, and three-year total), plus a line-item breakdown and the single largest cost lever, so you know where to focus negotiation effort.

SOC 2 cost configurator


How many employees do you have today?

Headcount is the strongest single driver of SOC 2 cost; it determines audit scope, internal hours, and tooling licences.


01 · Starting posture

Greenfield, partial, or mature. This single dimension drives 60-80% variance between two companies of identical headcount. Mature programs need less readiness, less remediation, and fewer internal hours.

02 · Report path

Type 1 only, Type 2 only, or Type 1 then Type 2. Each path has a different year 1 versus year 2+ cost shape. The 'Type 1 then Type 2' path is the most common but has the most expensive year 1.

03 · Trust criteria selection

Each criterion added beyond Security adds ~18% to audit fees. The configurator forces an honest choice rather than defaulting to all five.

How to read the output

Year 1 budget

The sticker number. It includes audit fees, platform/consultant cost, internal staff time priced at $95/hr fully-loaded, readiness assessment, tooling upgrades, pentest, training, and policy/legal docs. This is what you need to budget for the first year.

Year 2+ run-rate

The recurring annual figure after year 1 one-offs (initial readiness, remediation surprises, consultant onboarding, policy drafting) drop out. Typically 45-65% of year 1 depending on approach. Platform approaches have a smaller year-2 drop because the platform fee is recurring.

3-year total

Year 1 plus 2 × year 2+ run-rate. The number that matters for cost-of-ownership decisions and for honestly comparing DIY vs platform vs consultant. The cheapest year 1 is often not the cheapest 3-year total.

Biggest cost lever

The single largest year 1 line item in your configuration. This is where negotiation effort and scoping precision pay off the most. For platform-led approaches it is usually the audit fee or the platform itself. For DIY it is usually the internal staff time line, which is where time-to-certification trade-offs hide.

Methodology

The configurator combines five dimensions into a line-by-line cost build:

  1. Company size drives a base multiplier (10-25 employees 0.65x · 25-50 1.00x · 50-150 1.45x · 150-500 2.10x · 500+ 3.10x), with separate audit and tooling multipliers reflecting that audit scope and tooling licences scale less than linearly with headcount.
  2. Approach determines the platform/consultant base spend and the internal-hours multiplier (DIY 1.00x · platform 0.45x · consultant 0.20x · hybrid 0.30x).
  3. Report path sets audit fees, with distinct year 1 and year 2+ figures (Type 1 is one-off; Type 2 is recurring annual).
  4. Starting posture multiplies readiness and remediation (greenfield 1.30x / 1.40x · partial 1.00x / 1.00x · mature 0.60x / 0.50x).
  5. Trust criteria apply a multiplier of 1 + 18% per additional category to audit fees.

Figures are mid-scenario. Real variance is typically ±35-50% depending on auditor selection, remediation surprises, and auditor interpretive strictness. Internal staff time is priced at $95/hr fully-loaded (US blended security-engineering rate). Figures are verified against vendor pricing pages (Vanta, Drata, Sprinto, Secureframe) and published audit-fee bands from major CPA firms. Last calibration: April 2026. Use the configurator output as a planning anchor; get at least two firm proposals before locking the budget.

Updated 2026-06-12