Your Enterprise Customer Just Asked for a SOC 2 Type 2 Report. Now What?

via Dev.to, by JF Meyers

You are three weeks from closing a six-figure deal. The customer's security team sends a vendor assessment form. Question 4: "Do you have a SOC 2 Type 2 report?" You don't. The deal goes on hold. Six months later, it dies.

This is happening more and more. SOC 2 Type 2 is no longer just a nice-to-have for companies selling to US enterprise — it is a procurement gate. And for .NET teams, the path from "we should probably do this" to "we have the controls in place" is less obvious than it should be.

This article maps the five SOC 2 Trust Service Criteria (TSC) to concrete .NET controls, and shows how Granit — an open-source modular .NET 10 framework — covers most of the technical side out of the box.

SOC 2 in one paragraph

SOC 2 is an AICPA standard. It comes in two flavors:

Type 1: your controls exist at a point in time. Cheap to get. Low customer value.

Type 2: your controls operated effectively over a 6–12 month observation window. Expensive. What enterprise customers actually want.

Continue reading on Dev.to