Noxen and SOC 2
SOC 2 is an attestation, not a certification, and the evidence reviewers want is decidedly unglamorous: dated, repeatable, tied to a specific control criterion. Noxen produces exactly that for the Security TSC and the system-monitoring slice of the wider criteria set. To be unambiguous: Noxen does not make your organisation SOC 2 compliant. Only a licensed CPA firm's attestation report does that, and it is issued after they have reviewed your evidence. Noxen is one source of that evidence, and a particularly clean one for the technical controls.
What SOC 2 is
SOC 2 is an AICPA reporting framework for service organisations. A licensed CPA firm performs an attestation engagement against one or more of the five Trust Services Criteria (TSC) and issues a report — a Type I report describes controls as of a point in time; a Type II report tests operating effectiveness over an observation window (typically 3, 6, or 12 months). The TSCs are:
- Security (always in scope) — protection against unauthorised access. Evaluated against the Common Criteria (CC) series, CC1 through CC9, which also underpin the other four categories.
- Availability — system uptime and resilience.
- Processing Integrity — completeness and accuracy of system processing.
- Confidentiality — protection of information designated as confidential.
- Privacy — personal information handling.
Most SOC 2 engagements scope Security plus one or two others. Noxen contributes primarily to Security and adjacent Availability criteria. It does not produce evidence for Processing Integrity, Confidentiality, or Privacy in any direct way.
How Noxen maps to SOC 2
The Common Criteria series — particularly CC6 (Logical and Physical Access), CC7 (System Operations), and CC8 (Change Management) — contains a number of technical controls that a Type II auditor will want sampled evidence for. "Sampled evidence" means: across the observation window, show me that this control operated as described. A nightly Noxen scan produces one timestamped data point per night per host; over a 6-month window that is a sampleable, defensible evidence stream.
Each finding is tagged with the CC reference it relates to. The auditor decides whether the volume and quality of evidence satisfies the control. Noxen never marks a control as "passing" because that is not Noxen's call to make.
Controls Noxen produces evidence for
| Criterion | Coverage | What Noxen contributes |
|---|---|---|
| CC6.1 — Logical access security software, infrastructure, and architectures | Partial | sshd_config audit (root login disabled, password auth disabled, strong key algorithms), authorized_keys inventory. Covers the SSH boundary; identity-provider workflows stay with you. |
| CC6.6 — Boundary protection | Partial | Exposed admin surface detection across 70+ services (Home Assistant, Plex, *arr, Pi-hole, pfSense, Proxmox, Synology, Grafana, Prometheus, Portainer, Docker, Vault, Traefik …). Port-scan deltas. Flag-only — Noxen never authenticates against a surface. |
| CC6.7 — Restriction of the movement of information | Partial | TLS audit (weak ciphers, deprecated protocols, HSTS, OCSP stapling, expiry), HTTP security headers (CSP, X-Frame-Options, HSTS, X-Content-Type-Options). Demonstrates that data-in-transit controls operate. |
| CC7.1 — Detection and monitoring of new vulnerabilities | Full | This is the headline criterion. Daily CVE feed match against installed packages, severity bucketing, diff-from-yesterday delta. Sampled nightly across the observation window. |
| CC7.2 — Monitor system components and the operation of those components | Partial | Scheduled nightly scans via NoxenAgent produce a dated record of system state per host. Configuration drift surfaces as new findings. |
| CC7.3 — Evaluate security events to determine response | Partial | Severity buckets and remediation hints accompany every finding. Webhook delivery to Slack / Discord / Teams supports the "evaluate and route" step. Incident triage workflow stays with you. |
| CC8.1 — Authorise, design, develop, configure, document, test, and approve changes | Partial | Diff-from-yesterday output is itself a record of change to the fleet's security posture. New findings on a host after a deployment expose unintended change. Change-approval workflow remains in your ticketing system. |
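The CC7.1 and CC8.1 rows above describe a nightly feed match plus a diff-from-yesterday delta. The following is an added example of that mechanism, written for this page and not taken from Noxen: package versions, advisory entries and the `CVE-0000-000x` identifiers are constructed placeholders, and the version comparison is deliberately simplified.

```python
"""Added example, not Noxen's code: the CC7.1 / CC8.1 evidence stream from the
table above, reduced to its core. Installed packages are matched against a
vulnerability feed, bucketed by severity, and diffed against the previous
night's findings. Feed entries, CVE identifiers and package versions below
are constructed placeholders, and the version comparison is simplified."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    # Simplified dotted-numeric compare. Real distro versions carry epochs
    # and revisions ("1:3.0.13-1~deb12u1"); use the distro's own comparator
    # (python-apt, rpm.labelCompare) in anything that produces audit evidence.
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str        # placeholder IDs in the sample feed below
    package: str
    fixed_in: str   # first version that is no longer affected
    cvss: float


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str
    severity: str
    tsc_criterion: str
    summary: str


def severity(cvss: float) -> str:
    # CVSS v3 qualitative rating scale.
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "info"


def match(host: str, installed: Dict[str, str], feed: List[Advisory]) -> Set[Finding]:
    """One night's CC7.1 data point: every installed package below its fix version."""
    hits = set()
    for adv in feed:
        ver = installed.get(adv.package)
        if ver is not None and parse_version(ver) < parse_version(adv.fixed_in):
            hits.add(Finding(host, adv.cve, severity(adv.cvss), "CC7.1",
                             f"{adv.package} {ver} affected by {adv.cve}, fixed in {adv.fixed_in}"))
    return hits


def delta(yesterday: Set[Finding], today: Set[Finding]) -> Dict[str, Set[Finding]]:
    """Diff-from-yesterday. New findings mean a newly published advisory or a
    regression such as a downgrade; resolved findings mean a patch landed.
    Either way it is a dated record of posture change, which is the CC8.1 angle."""
    return {"new": today - yesterday, "resolved": yesterday - today}


# Constructed sample data: two nights on one host. Overnight, openssl was
# patched and a new advisory for zlib appeared in the feed.
FEED_YESTERDAY = [
    Advisory("CVE-0000-0001", "openssl", "3.0.14", 7.5),
    Advisory("CVE-0000-0002", "curl", "8.6.0", 9.8),
]
FEED_TODAY = FEED_YESTERDAY + [Advisory("CVE-0000-0003", "zlib", "1.3.2", 4.0)]
INSTALLED_YESTERDAY = {"openssl": "3.0.13", "curl": "8.5.0", "zlib": "1.3.1"}
INSTALLED_TODAY = {"openssl": "3.0.14", "curl": "8.5.0", "zlib": "1.3.1"}


def nightly_report(host: str = "web-01"):
    """Return (today's findings, delta against yesterday) for the sample host."""
    before = match(host, INSTALLED_YESTERDAY, FEED_YESTERDAY)
    after = match(host, INSTALLED_TODAY, FEED_TODAY)
    return after, delta(before, after)


if __name__ == "__main__":
    today, change = nightly_report()
    for f in sorted(today, key=lambda f: f.finding_id):
        print(f"{f.severity:8} {f.finding_id}  {f.summary}")
    print("new:", sorted(f.finding_id for f in change["new"]))
    print("resolved:", sorted(f.finding_id for f in change["resolved"]))
```

The point an auditor cares about is that `match` runs unattended every night and `delta` is computed from two stored results, so each night's output is a dated data point rather than a screenshot taken when someone remembered. Note that the `curl` finding persists across both nights and therefore appears in neither delta bucket: the delta is the change record, the full finding set is the state record, and a Type II sample needs both.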
Controls Noxen does NOT cover
SOC 2 is broad — most of the Common Criteria series is about governance, not technical telemetry. Noxen produces no evidence for the following, and your auditor will look for it elsewhere.
- CC1 — Control Environment. Tone-at-the-top, board oversight, ethics policies.
- CC2 — Communication and Information. Internal/external communications, security policies.
- CC3 — Risk Assessment. Formal risk register, threat modelling output.
- CC4 — Monitoring Activities. Internal audit programme.
- CC5 — Control Activities. Policy framework, segregation of duties.
- CC6.2 / CC6.3 — Identity lifecycle. User onboarding, provisioning, deprovisioning. Workflow, not telemetry.
- CC6.4 / CC6.5 — Physical access and asset disposal. Data centre badging, secure decommissioning of hardware.
- CC8.1 (workflow side) — Change approval. Ticket review, peer code review, deployment approval.
- CC9 — Risk Mitigation. Business continuity, vendor management.
- Customer-notification obligations under most TSCs.
How to export evidence
The MSP / Team tier ships ComplianceMapper with a SOC 2 framework selector. Per-host CSV or fleet-wide CSV. The columns are designed to map straight into an auditor's working papers:
- `scan_date` — ISO 8601 timestamp; the auditor uses this for sampling.
- `host` — display name; functions as the "in-scope system component" reference.
- `finding_id` — CVE ID or probe identifier.
- `severity` — critical / high / medium / low / info.
- `tsc_category` — CC6 / CC7 / CC8 grouping.
- `tsc_criterion` — sub-criterion (e.g. CC7.1).
- `coverage` — full / partial.
- `summary` — one-line description suitable for auditor review.
For a Type II engagement, the right cadence is monthly export across the observation window. The auditor will pick sample dates; you want every sample date to have a clean CSV available. NoxenAgent scans nightly, so the underlying data is already there — the export just materialises it.
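As an added illustration of what a row in that layout looks like end to end, here is a small CC6.1-style sshd_config audit that writes its findings in the column order listed above. This is example code written for this page, not Noxen's ComplianceMapper: the probe identifiers (`sshd-permit-root-login` and friends), the host name, the scan time and the sshd_config excerpt are all constructed, and only the column names come from the page.

```python
"""Added example, not Noxen's code: a CC6.1-style sshd_config audit whose
findings are emitted in the CSV column layout described above. The probe
identifiers, host name, scan date and sshd_config excerpt are constructed
for this example; only the column names come from the page."""
import csv
import io
from datetime import datetime, timezone

# Constructed excerpt; on a real host the file is /etc/ssh/sshd_config plus
# any Include'd fragments under /etc/ssh/sshd_config.d/.
SAMPLE_SSHD_CONFIG = """\
#PermitRootLogin prohibit-password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
Match User deploy
    PasswordAuthentication no
"""

WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

COLUMNS = ["scan_date", "host", "finding_id", "severity",
           "tsc_category", "tsc_criterion", "coverage", "summary"]


def parse_sshd_config(text: str) -> dict:
    """Keyword/value pairs for the global section. Keywords are
    case-insensitive and the first occurrence wins, as sshd(8) documents.
    Parsing stops at the first Match block: anything after it is
    conditional and must be evaluated per connection, not globally."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, val)
    return cfg


def audit_sshd(cfg: dict) -> list:
    """(finding_id, severity, summary) tuples. Defaults are OpenSSH's
    compiled-in ones (PermitRootLogin prohibit-password, PasswordAuthentication yes),
    so an absent directive is not automatically a pass. Probe IDs are hypothetical."""
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append(("sshd-permit-root-login", "high",
                         "PermitRootLogin yes: root can log in directly over SSH"))
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append(("sshd-password-auth", "medium",
                         "PasswordAuthentication yes: password guessing is possible"))
    weak = [k for k in cfg.get("kexalgorithms", "").split(",") if k in WEAK_KEX]
    if weak:
        findings.append(("sshd-weak-kex", "medium",
                         "Weak key exchange enabled: " + " ".join(weak)))
    return findings


def export_csv(host: str, findings: list, scan_date: datetime) -> str:
    """One row per finding, in the column order listed on this page."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    w.writeheader()
    for fid, sev, summary in findings:
        w.writerow({"scan_date": scan_date.isoformat(timespec="seconds"),
                    "host": host, "finding_id": fid, "severity": sev,
                    "tsc_category": "CC6", "tsc_criterion": "CC6.1",
                    "coverage": "partial", "summary": summary})
    return buf.getvalue()


def run_example():
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    findings = audit_sshd(cfg)
    when = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)  # constructed scan time
    return findings, export_csv("bastion-01", findings, when)


if __name__ == "__main__":
    print(run_example()[1])
```

Two details matter for evidence quality. The timestamp carries an explicit UTC offset, so an auditor sampling across hosts in different time zones can line rows up without guessing. And the parser stops at the first `Match` block rather than letting a conditional `PasswordAuthentication no` mask the global `yes`: a Type II sample that claimed password authentication was disabled fleet-wide on the strength of a per-user override would not survive a careful reviewer.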
When this is enough — and when it isn't
Noxen's SOC 2 mapping is enough as the vulnerability-management and external-boundary slice of a Type I or Type II evidence binder. If you are a small SaaS team pursuing your first SOC 2 with a sympathetic auditor, the CC7 evidence stream is genuinely useful and saves the engineering lead from cobbling together screenshots of `apt list --upgradable`.
It is not a SOC 2 compliance platform. You still need a policy framework, a risk register, evidence of vendor reviews, change-management tickets, access-review records, and training completion logs. Tools like Vanta, Drata, and Secureframe cover that side; Noxen complements them by handing them a clean CVE / configuration / boundary evidence feed instead of requiring screenshots or untested integrations.