WATCH: ‘The Dark Side of SOC 2: Third-Party Risks Hidden in Plain Sight’ RSA Conference 2025

At the RSA Conference 2025, TrustNet’s CISO, Trevor Horwitz, and CTO, Mike Kerem, delivered a critical presentation: “The Dark Side of SOC 2: Third-Party Risks Hidden in Plain Sight.”
The session challenged common misconceptions about SOC 2 reports, emphasizing that compliance alone does not guarantee security.
Watch the full session and learn how to strengthen your vendor risk strategy today.
Session Highlights: The Dark Side of SOC 2
TrustNet’s RSAC 2025 presentation broke down the most common but least understood weaknesses hidden in SOC 2 reports. Here are the key takeaways:
SOC 2: What It Covers
SOC 2 evaluates controls across five criteria: security, availability, processing integrity, confidentiality, and privacy.
It applies to service providers handling sensitive or mission-critical data, including SaaS, cloud, and B2B platforms.
Reports are issued by CPA firms under the AICPA Trust Services Criteria and come in two forms:
- Type I – point-in-time assessment
- Type II – control performance over 3–12 months
Each report includes an audit opinion, system description, and test results. SOC 2 is commonly used for vendor due diligence, compliance checks, and proving security posture.
Hidden Risks to Watch
1. Misaligned Scope and Controls
- SOC 2 covers only the systems the vendor chooses to include in the scope.
- Some reports audit a single product line while excluding core infrastructure.
- What to do: Read the system description closely. Request details for anything out of scope.
2. Subservice Providers Are Often Ignored
- Vendors may rely on cloud or third-party providers that aren’t audited or secured.
- Common risks: misconfigured S3 buckets, no logging, overreliance on default settings.
- What to do: Identify subservice providers. Confirm they’re monitored or audited.
3. Missing Domains Create Control Gaps
- Vendors can exclude availability, confidentiality, or privacy if they’re not part of the selected TSCs, as only security is mandatory. That leaves blind spots around data handling, uptime, or regulatory compliance.
- What to do: Map SOC 2 domains to your risk areas. Ask for alternate assurances where gaps exist.
4. SOC 2 Doesn’t Equal Continuous Security
- SOC 2 is a snapshot. It doesn’t reflect post-audit breaches, new infrastructure, or personnel changes.
- What to do: Supplement audits with continuous monitoring and require incident disclosures in contracts.
5. Audit Quality Varies by Vendor
- SOC 2 doesn’t mandate control depth. Some vendors test thoroughly; others check boxes.
- What to do: Review audit scope, control rigor, and the auditor’s credibility.
6. “Clean” Reports Can Be Misleading
- Zero-exception reports may mean limited scope or weak auditing, not strong security.
- What to do: Ask how issues are identified and resolved. Transparency builds trust.
7. Shared Controls Are Often Overlooked
- SOC 2 includes Complementary User Entity Controls (CUECs) that define the customer’s, not just the vendor’s, responsibility. Overlooking these shared duties can lead to misconfigurations, weak access controls, missing backups, or open exposure.
- What to do: Map CUECs to your internal controls. Follow the vendor’s configuration and monitoring guidance, audit regularly, and train teams to manage responsibilities.
Watch the full session below:
SOC 2 compliance doesn’t tell the whole story. Hear directly from Trevor and Mike as they expose the overlooked risks hiding in third-party audits.