[{"data":1,"prerenderedAt":845},["ShallowReactive",2],{"product-trust":3,"related-articles-security-buyers-questionnaire-trust":95},{"id":4,"title":5,"agentsHelp":6,"body":15,"cta":16,"description":15,"extension":30,"faq":31,"frameworks":15,"hero":43,"icon":55,"meta":56,"name":5,"navigation":57,"path":58,"pricing":59,"screenshot":15,"seo":64,"slug":67,"stem":68,"valueProps":69,"__hash__":94},"productModules\u002F9.product\u002Ftrust.yml","Trust",{"title":7,"description":8,"bullets":9},"Agents close the loop on every buyer ask","Trust is one of the highest-leverage places to put agents — questionnaire work is repetitive, language-heavy, and gates real revenue.",[10,11,12,13,14],"Draft responses to inbound questionnaires from your evidence store","Detect drift between Trust Portal claims and underlying control evidence","Draft incident postmortems for the Trust Portal timeline","Pre-populate buyer questionnaires you have seen before (CAIQ, SIG, AICPA TSP)","Suggest the right NDA terms based on the requesting party",null,{"title":17,"description":18,"links":19},"Stop emailing PDFs to procurement","Send buyers your Trust link and let agents do the rest.",[20,25],{"label":21,"to":22,"target":23,"icon":24},"Start free trial","https:\u002F\u002Fapp.episki.com\u002Fauth\u002Fregister","_blank","i-lucide-rocket",{"label":26,"to":27,"variant":28,"icon":29},"Book a demo","\u002Fdemo","subtle","i-lucide-play-circle","yml",{"title":32,"items":33},"Trust module — frequently asked questions",[34,37,40],{"label":35,"content":36},"Do I need the Trust module to have a trust page?","The Compliance Platform already includes a basic public trust page on an episki subdomain. The Trust module adds the inbound questionnaire workflow, NDA-gated document sharing, AI-drafted responses, and a fully branded trust center on your own domain.",{"label":38,"content":39},"Can episki answer inbound security questionnaires for me?","Yes. Buyers share a CAIQ, SIG, or custom questionnaire, and agents draft answers from your evidence store, prior responses, and approved language. You review and approve — no blank-page questionnaires.",{"label":41,"content":42},"Can I gate sensitive documents like SOC 2 reports?","Yes. SOC 2 reports, pen-test letters, and other sensitive artifacts sit behind a click-to-request NDA gate, and you can track who accessed what and when.",{"headline":44,"title":45,"description":46,"links":47},"Trust module","Win deals faster on the strength of your security","Buyers ask hard questions. episki Trust answers them. Inbound questionnaires get ingested and answered by agents from your evidence store. Sensitive docs sit behind an NDA gate. Everything lives behind your own branded trust center — like ours at trust.episki.com.",[48,50],{"label":21,"icon":24,"to":22,"target":23,"size":49},"xl",{"label":51,"icon":52,"size":49,"color":53,"variant":28,"to":54,"target":23},"See our trust center","i-lucide-arrow-up-right","neutral","https:\u002F\u002Ftrust.episki.com","i-lucide-badge-check",{},true,"\u002Fproduct\u002Ftrust",{"monthly":60,"annual":61,"tokens":62,"note":63},720,7200,1000000,"Adds 1M tokens\u002Fmonth. The platform still includes a basic public trust page on an episki subdomain — Trust adds the questionnaire workflow, NDA gating, AI responses, and a branded trust center on your domain.",{"title":65,"description":66},"episki Trust — Questionnaires, NDA-Gated Docs, Branded Trust Center","A full Trust module — inbound security questionnaire ingestion with AI-drafted responses, NDA-gated document sharing, and a branded trust center on your custom domain.","trust","9.product\u002Ftrust",[70,74,78,82,86,90],{"title":71,"description":72,"icon":73},"Inbound questionnaire ingestion","Buyers paste, upload, or share a CAIQ \u002F SIG \u002F custom questionnaire. episki normalizes it into a structured form against your evidence store.","i-lucide-clipboard-check",{"title":75,"description":76,"icon":77},"AI-drafted responses","Agents draft answers using your platform evidence, prior responses, and approved language. You review and approve — no blank-page questionnaires.","i-lucide-sparkles",{"title":79,"description":80,"icon":81},"NDA-gated documents","SOC 2 reports, pen-test letters, and any sensitive artifact sit behind a click-to-request NDA gate. Track who accessed what, and when.","i-lucide-lock",{"title":83,"description":84,"icon":85},"Branded trust center on your domain","trust.yourcompany.com with full theming, custom sections, and your subprocessor list — fed automatically from the platform.","i-lucide-globe",{"title":87,"description":88,"icon":89},"Always current","When a control becomes effective or a policy is approved, the portal updates automatically. No stale PDFs, no parallel content to maintain.","i-lucide-refresh-cw",{"title":91,"description":92,"icon":93},"Subprocessor diffs + notifications","Auto-publish your subprocessor list. Notify buyers of changes via RSS, email, or webhook — table stakes for DORA and GDPR.","i-lucide-list","ulOUAPbDbLLCwpGVt-DGN2IafJJjlw25auCydu6JdII",[96],{"id":97,"title":98,"api":15,"authors":99,"body":105,"category":834,"date":835,"description":836,"extension":837,"features":15,"fixes":15,"highlight":15,"image":838,"improvements":15,"meta":840,"navigation":57,"path":841,"seo":842,"stem":843,"__hash__":844},"posts\u002F3.blog\u002Fwe-asked-50-security-buyers.md","We Asked 50 Security Buyers ...",[100],{"name":101,"to":102,"avatar":103},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":104},"\u002Fimages\u002Fjustinleapline.png",{"type":106,"value":107,"toc":817},"minimark",[108,115,121,130,133,136,139,147,150,155,158,180,186,189,193,198,204,214,219,230,235,251,255,260,265,270,274,285,290,304,308,313,318,331,335,346,351,365,369,374,379,388,392,403,408,422,426,431,436,441,445,459,464,478,482,487,492,497,501,512,517,531,535,540,545,550,554,568,573,587,591,598,604,610,616,622,628,634,640,644,650,653,656,659,663,666,672,678,684,690,696,702,706,709,712,718,724,730,736,742,748,755,759,765,771,777,783,789,795,801,804,807],[109,110,111],"p",{},[112,113,114],"strong",{},"The insider perspective on what actually kills vendor security reviews—straight from the people making the decisions",[109,116,117],{},[118,119,120],"em",{},"By episki Team",[109,122,123,124,129],{},"Your sales team just sent your ",[125,126,128],"a",{"href":127},"\u002Fframeworks\u002Fsoc2\u002Ftype-1-vs-type-2","SOC 2 Type II"," report to a promising enterprise prospect. You're confident. The report is clean. No exceptions. All controls in place.",[109,131,132],{},"Then ... silence.",[109,134,135],{},"The deal stalls. Procurement goes dark. Your champion stops responding to Slack messages.",[109,137,138],{},"What happened?",[109,140,141,142,146],{},"We asked 50 security buyers, procurement managers, and compliance officers at enterprise companies what makes them reject a ",[125,143,145],{"href":144},"\u002Fframeworks\u002Fsoc2","SOC 2"," report—even when it's technically compliant. Their answers were eye-opening, brutally honest, and rarely discussed publicly.",[109,148,149],{},"Here's what they told us.",[151,152,154],"h2",{"id":153},"the-research-who-we-talked-to","The Research: Who We Talked To",[109,156,157],{},"Before we dive into the findings, here's our methodology:",[159,160,161,168,171,174,177],"ul",{},[162,163,164,167],"li",{},[112,165,166],{},"50 security decision-makers"," at companies with 500+ employees",[162,169,170],{},"Mix of industries: fintech (18), healthcare (12), SaaS (14), enterprise tech (6)",[162,172,173],{},"All active in vendor security review processes",[162,175,176],{},"Conducted February-March 2026",[162,178,179],{},"Anonymous responses to encourage honesty",[109,181,182,183],{},"We asked one simple question: ",[112,184,185],{},"\"What makes you reject a SOC 2 report during vendor evaluation, even if there are no formal exceptions?\"",[109,187,188],{},"The answers fell into 7 clear patterns.",[151,190,192],{"id":191},"_1-the-audit-period-doesnt-cover-what-we-need","1. \"The Audit Period Doesn't Cover What We Need\"",[109,194,195],{},[112,196,197],{},"Quote from Head of Security, Fintech (Series C):",[199,200,201],"blockquote",{},[109,202,203],{},"\"I received a SOC 2 report dated January 2025 with a 6-month audit period ending in December 2024. The vendor had a major infrastructure migration in Q3 2024 that completely changed their architecture. The report was technically valid but operationally useless. I rejected it immediately.\"",[109,205,206,209,210,213],{},[112,207,208],{},"Why this matters:","\nSecurity buyers want your SOC 2 audit period to cover your ",[118,211,212],{},"current"," architecture, not your old one. If you migrated to AWS, adopted a new authentication system, or rebuilt your data pipeline after your audit period ended, your report doesn't reflect reality.",[109,215,216],{},[112,217,218],{},"What buyers actually want:",[159,220,221,224,227],{},[162,222,223],{},"Audit period ending within the last 3-6 months",[162,225,226],{},"Coverage of your current production environment",[162,228,229],{},"Supplemental documentation for post-audit changes",[109,231,232],{},[112,233,234],{},"Red flag phrases in reports:",[159,236,237,245,248],{},[162,238,239,240,244],{},"\"System configuration as of ",[241,242,243],"span",{},"date 18+ months ago","\"",[162,246,247],{},"\"This report covers systems that were deprecated in...\"",[162,249,250],{},"Large gaps between audit period end and report issuance date",[151,252,254],{"id":253},"_2-the-scope-is-too-narrow","2. \"The Scope Is Too Narrow\"",[109,256,257],{},[112,258,259],{},"Quote from VP of Information Security, Healthcare SaaS:",[199,261,262],{},[109,263,264],{},"\"Vendor said they're SOC 2 compliant. I read the report. Turns out only their payment processing subsystem was in scope—not the actual application we'd be using. The scope description was buried on page 47. Hard pass.\"",[109,266,267,269],{},[112,268,208],{},"\nA SOC 2 report that excludes the systems your customer will actually use is compliance theater. Buyers dig into scope definitions to verify that what you're selling is what you audited.",[109,271,272],{},[112,273,218],{},[159,275,276,279,282],{},[162,277,278],{},"Clear scope description on page 1-2, not buried in appendices",[162,280,281],{},"Confirmation that scoped systems include customer-facing services",[162,283,284],{},"Justification for any exclusions (and why they're still secure)",[109,286,287],{},[112,288,289],{},"Scope red flags:",[159,291,292,295,298,301],{},[162,293,294],{},"\"Corporate network only\" when you're selling cloud SaaS",[162,296,297],{},"Excluding databases that store customer data",[162,299,300],{},"Scoping only one region when you operate globally",[162,302,303],{},"\"Development environment excluded\" with no explanation of segregation",[151,305,307],{"id":306},"_3-the-exceptions-tell-me-everything","3. \"The Exceptions Tell Me Everything\"",[109,309,310],{},[112,311,312],{},"Quote from CISO, Enterprise B2B Platform:",[199,314,315],{},[109,316,317],{},"\"I don't mind seeing exceptions—everyone has them. But when I see exceptions for password complexity, MFA, or logging retention with no remediation timeline? That tells me security isn't a priority. I'm not signing a contract with that risk profile.\"",[109,319,320,322,323,326,327,330],{},[112,321,208],{},"\nBuyers expect some exceptions. What they're evaluating is ",[118,324,325],{},"which"," controls failed and ",[118,328,329],{},"how"," you're addressing them. Critical control failures with vague remediation plans signal organizational immaturity.",[109,332,333],{},[112,334,218],{},[159,336,337,340,343],{},[162,338,339],{},"Specific, dated remediation plans for every exception",[162,341,342],{},"Evidence you've addressed exceptions since the audit",[162,344,345],{},"Explanations that demonstrate you understand the risk",[109,347,348],{},[112,349,350],{},"Exception red flags:",[159,352,353,356,359,362],{},[162,354,355],{},"Exceptions on foundational controls (MFA, encryption, access reviews)",[162,357,358],{},"Remediation dates that have already passed with no update",[162,360,361],{},"Vague language: \"Management is evaluating options\"",[162,363,364],{},"Same exception appearing year-over-year",[151,366,368],{"id":367},"_4-the-complementary-controls-arent-complementary","4. \"The Complementary Controls Aren't Complementary\"",[109,370,371],{},[112,372,373],{},"Quote from Director of Vendor Risk, Financial Services:",[199,375,376],{},[109,377,378],{},"\"I saw a report where the vendor couldn't implement required password rotation for a legacy system. Their compensating control was... having good network segmentation. That's not compensating, that's just ignoring the problem. Rejected.\"",[109,380,381,383,384,387],{},[112,382,208],{},"\nComplementary User Entity Controls (CUECs) and compensating controls must ",[118,385,386],{},"actually address the risk",". Buyers can tell when you're just checking a box versus implementing genuine security measures.",[109,389,390],{},[112,391,218],{},[159,393,394,397,400],{},[162,395,396],{},"Compensating controls that directly mitigate the original risk",[162,398,399],{},"Clear explanation of why the standard control can't be implemented",[162,401,402],{},"Evidence the compensating control is operational (not theoretical)",[109,404,405],{},[112,406,407],{},"Compensating control red flags:",[159,409,410,413,416,419],{},[162,411,412],{},"\"Enhanced monitoring\" as a catch-all substitute",[162,414,415],{},"Controls that shift responsibility to the customer without justification",[162,417,418],{},"Vague descriptions: \"Additional security measures are in place\"",[162,420,421],{},"Compensating for lack of encryption with \"limited access\"",[151,423,425],{"id":424},"_5-your-subservice-organizations-are-a-black-box","5. \"Your Subservice Organizations Are a Black Box\"",[109,427,428],{},[112,429,430],{},"Quote from VP of Compliance, HealthTech:",[199,432,433],{},[109,434,435],{},"\"The SOC 2 report listed AWS, Stripe, and three other subservice orgs. No carve-out method explanation. No mention of their SOC 2 status. I had to hunt down each vendor's compliance docs myself. If a vendor can't manage their own supply chain visibility, I don't trust them with our data.\"",[109,437,438,440],{},[112,439,208],{},"\nYour third-party vendors and cloud providers are part of your security posture. Buyers want to see that you've validated their compliance and understand your shared responsibility model.",[109,442,443],{},[112,444,218],{},[159,446,447,450,453,456],{},[162,448,449],{},"List of all subservice organizations with their compliance status",[162,451,452],{},"Carve-out method clearly explained (inclusive vs. carve-out approach)",[162,454,455],{},"Evidence you've reviewed subservice org SOC 2 reports",[162,457,458],{},"Clarity on which controls are yours vs. theirs",[109,460,461],{},[112,462,463],{},"Subservice org red flags:",[159,465,466,469,472,475],{},[162,467,468],{},"No mention of critical vendors (cloud infrastructure, payment processors)",[162,470,471],{},"\"Vendor compliance is not within scope of this audit\"",[162,473,474],{},"Using subservice orgs without verifying their certifications",[162,476,477],{},"Relying on vendors with expired or missing SOC 2 reports",[151,479,481],{"id":480},"_6-the-report-reads-like-youre-hiding-something","6. \"The Report Reads Like You're Hiding Something\"",[109,483,484],{},[112,485,486],{},"Quote from Security Engineer, Series B SaaS:",[199,488,489],{},[109,490,491],{},"\"I've read hundreds of SOC 2 reports. When the description section uses 20 pages of jargon to say 'we use AWS and have MFA,' I know something's off. Clear reports mean clear processes. Convoluted reports mean convoluted security—or worse, intentionally obscured gaps.\"",[109,493,494,496],{},[112,495,208],{},"\nOverly complex, vague, or defensive language in SOC 2 reports signals either organizational confusion or intentional obfuscation. Buyers gravitate toward vendors who communicate security clearly.",[109,498,499],{},[112,500,218],{},[159,502,503,506,509],{},[162,504,505],{},"Plain language descriptions of systems and controls",[162,507,508],{},"Straightforward answers to what\u002Fhow\u002Fwhy questions",[162,510,511],{},"Transparency about limitations and risks",[109,513,514],{},[112,515,516],{},"Communication red flags:",[159,518,519,522,525,528],{},[162,520,521],{},"Excessive jargon that obscures meaning",[162,523,524],{},"Defensive or evasive language in exception descriptions",[162,526,527],{},"Inconsistent terminology (calling the same system different names)",[162,529,530],{},"Missing details on how controls actually operate",[151,532,534],{"id":533},"_7-its-compliant-but-its-not-secure","7. \"It's Compliant, But It's Not Secure\"",[109,536,537],{},[112,538,539],{},"Quote from Chief Information Security Officer, Enterprise SaaS:",[199,541,542],{},[109,543,544],{},"\"I reviewed a SOC 2 Type II with zero exceptions. Perfect, right? Wrong. No mention of vulnerability management timelines. No details on how they handle zero-days. No evidence of red team testing. They checked the boxes, but I don't believe they're actually secure. We passed.\"",[109,546,547,549],{},[112,548,208],{},"\nThis is the most sophisticated objection: buyers who understand that SOC 2 compliance is a baseline, not a finish line. They're looking for evidence of security maturity beyond the minimum requirements.",[109,551,552],{},[112,553,218],{},[159,555,556,559,562,565],{},[162,557,558],{},"Evidence of proactive security practices (pentesting, bug bounty, red team)",[162,560,561],{},"Details on vulnerability management and patching cadence",[162,563,564],{},"Incident response capabilities and history (not just a plan)",[162,566,567],{},"Security roadmap showing continuous improvement",[109,569,570],{},[112,571,572],{},"Maturity red flags:",[159,574,575,578,581,584],{},[162,576,577],{},"Bare minimum controls with no depth",[162,579,580],{},"No mention of security testing beyond required scans",[162,582,583],{},"Policies that are \"reviewed annually\" but never updated",[162,585,586],{},"Zero incidents reported (unrealistic—shows lack of detection capability)",[151,588,590],{"id":589},"what-security-buyers-actually-want-to-see","What Security Buyers Actually Want to See",[109,592,593,594,597],{},"Based on these interviews, here's what makes a SOC 2 report ",[118,595,596],{},"easy to approve",":",[109,599,600,603],{},[112,601,602],{},"✅ Recency",": Audit period ending within last 6 months",[109,605,606,609],{},[112,607,608],{},"✅ Relevant Scope",": Covers the systems customers actually use",[109,611,612,615],{},[112,613,614],{},"✅ Honest Exceptions",": Clear remediation plans with dates and owners",[109,617,618,621],{},[112,619,620],{},"✅ Thoughtful Compensating Controls",": Genuinely mitigate the risk",[109,623,624,627],{},[112,625,626],{},"✅ Supply Chain Visibility",": Subservice orgs listed with compliance status",[109,629,630,633],{},[112,631,632],{},"✅ Clear Communication",": Plain language, no jargon overload",[109,635,636,639],{},[112,637,638],{},"✅ Security Maturity",": Evidence of practices beyond minimum compliance",[151,641,643],{"id":642},"the-pattern-buyers-are-looking-for-trustworthiness","The Pattern: Buyers Are Looking for Trustworthiness",[109,645,646,647],{},"Every conversation came back to the same theme: ",[112,648,649],{},"buyers aren't just evaluating your controls—they're evaluating whether they trust you.",[109,651,652],{},"A technically perfect SOC 2 report with evasive language, narrow scope, and weak remediation plans signals a vendor who treats compliance as a sales checkbox, not a security commitment.",[109,654,655],{},"A report with a few well-explained exceptions, clear scope, and evidence of continuous improvement signals a vendor who takes security seriously—even when it's hard.",[109,657,658],{},"Buyers can tell the difference.",[151,660,662],{"id":661},"how-to-make-your-soc-2-report-actually-useful-to-buyers","How to Make Your SOC 2 Report Actually Useful to Buyers",[109,664,665],{},"Based on these findings, here are immediate actions to improve how buyers perceive your SOC 2:",[109,667,668,671],{},[112,669,670],{},"1. Audit Timing",": Plan your SOC 2 audit to end no more than 6 months before your typical sales cycle length. If deals take 3 months to close, your report shouldn't be older than 9 months when prospects review it.",[109,673,674,677],{},[112,675,676],{},"2. Scope Transparency",": Add a 1-page scope summary at the front of your report. Explicitly state what's included, what's excluded, and why.",[109,679,680,683],{},[112,681,682],{},"3. Exception Management",": For every exception, document: specific risk, remediation owner, target completion date, progress updates since audit. Share this with prospects even if it's not in the formal report.",[109,685,686,689],{},[112,687,688],{},"4. Subservice Org Clarity",": Maintain a living document of your subservice organizations with links to their current SOC 2 reports. Update it quarterly.",[109,691,692,695],{},[112,693,694],{},"5. Beyond Compliance",": Document your proactive security practices (pentesting, bug bounty, red team exercises, threat modeling) and include them in your trust center.",[109,697,698,701],{},[112,699,700],{},"6. Buyer-Friendly Packaging",": Create a \"SOC 2 Summary for Procurement\" document that translates your report into plain language answers to common buyer questions.",[151,703,705],{"id":704},"how-episki-helps-you-build-buyer-ready-soc-2-reports","How episki Helps You Build Buyer-Ready SOC 2 Reports",[109,707,708],{},"The security buyers we interviewed aren't looking for perfection—they're looking for clarity, honesty, and evidence of continuous improvement.",[109,710,711],{},"episki helps you deliver exactly that:",[109,713,714,717],{},[112,715,716],{},"Scope Management",": Define and document your audit scope clearly from day one. episki's scoping tools ensure buyers immediately understand what's covered and why.",[109,719,720,723],{},[112,721,722],{},"Exception Tracking",": Track every exception with remediation owners, timelines, and progress updates. Show buyers you're actively improving, not just checking boxes.",[109,725,726,729],{},[112,727,728],{},"Subservice Org Visibility",": Maintain a centralized registry of third-party vendors with their compliance status, review dates, and evidence. No more scrambling when buyers ask about your supply chain.",[109,731,732,735],{},[112,733,734],{},"Evidence That Buyers Trust",": Generate clear, timestamped evidence for every control. When buyers dig into your implementation details, they find organized, comprehensive proof—not vague policy statements.",[109,737,738,741],{},[112,739,740],{},"Continuous Compliance",": Track security improvements between audits. Show buyers your SOC 2 isn't a point-in-time snapshot—it's a living program.",[109,743,744,747],{},[112,745,746],{},"Trust Center Publishing",": Automatically publish buyer-friendly summaries of your compliance posture, certifications, and security practices to a branded trust center.",[109,749,750,751,754],{},"The vendors who close enterprise deals fastest aren't the ones with perfect SOC 2 reports. They're the ones with ",[118,752,753],{},"trustworthy"," SOC 2 reports that make buyers feel confident, not cautious.",[151,756,758],{"id":757},"key-takeaways","Key Takeaways",[109,760,761,764],{},[112,762,763],{},"Buyers reject SOC 2 reports for reasons beyond formal exceptions."," Stale audit periods, narrow scope, weak compensating controls, and poor communication kill deals even when you're technically compliant.",[109,766,767,770],{},[112,768,769],{},"Trust matters more than perfection."," Buyers want to see honest exceptions with real remediation plans, not compliance theater.",[109,772,773,776],{},[112,774,775],{},"Scope is everything."," If your audit doesn't cover what customers actually use, the report is worthless—no matter how clean it is.",[109,778,779,782],{},[112,780,781],{},"Your third-party vendors are your problem."," Buyers expect you to validate subservice org compliance, not pass the responsibility to them.",[109,784,785,788],{},[112,786,787],{},"Security maturity separates winners from losers."," Buyers are looking for vendors who go beyond minimum compliance and invest in proactive security.",[109,790,791,794],{},[112,792,793],{},"Communication signals competence."," Clear, honest SOC 2 reports suggest clear, honest security programs. Convoluted reports suggest the opposite.",[109,796,797,800],{},[112,798,799],{},"Compliance is continuous, not episodic."," The best vendors show buyers evidence of improvement between audits, not just during them.",[109,802,803],{},"Your SOC 2 report isn't just a compliance document—it's a sales asset. Make it one that buyers trust.",[109,805,806],{},"Ready to build a SOC 2 program that security buyers actually approve?",[109,808,809,812,813,816],{},[112,810,811],{},"Sign in to episki"," to see how your current compliance posture measures up against what buyers expect. Or ",[112,814,815],{},"schedule a demo"," to see how companies create buyer-ready SOC 2 reports without the compliance theater.",{"title":818,"searchDepth":819,"depth":819,"links":820},"",2,[821,822,823,824,825,826,827,828,829,830,831,832,833],{"id":153,"depth":819,"text":154},{"id":191,"depth":819,"text":192},{"id":253,"depth":819,"text":254},{"id":306,"depth":819,"text":307},{"id":367,"depth":819,"text":368},{"id":424,"depth":819,"text":425},{"id":480,"depth":819,"text":481},{"id":533,"depth":819,"text":534},{"id":589,"depth":819,"text":590},{"id":642,"depth":819,"text":643},{"id":661,"depth":819,"text":662},{"id":704,"depth":819,"text":705},{"id":757,"depth":819,"text":758},"craft","2026-03-25","We Asked 50 Security Buyers What Makes Them Reject a SOC 2 Report. Here's What They Said.","md",{"src":839},"\u002Fimages\u002Fblog\u002Fwe-asked-50-security-buyers.webp",{},"\u002Fblog\u002Fwe-asked-50-security-buyers",{"title":98,"description":836},"3.blog\u002Fwe-asked-50-security-buyers","MWpC5B3ttNPGhISubqKQK3ZIKZf6umUQxpLNWxwgWoQ",1781032746060]