Compliance Deep Dive

EoP Auditing for SOC 2 Type 2 Evidence

SOC 2 Type 2 audits require evidence that security controls operated effectively over a defined audit period. Sherlock EoP Auditor produces structured Windows host audit reports that align with the SOC 2 Trust Services Criteria covering privileged access and configuration management. The reports are reproducible, timestamped and suitable for inclusion in the auditor's evidence package. This guide maps EoP Auditor output to specific Trust Services Criteria so that security teams and auditors can use the tool as part of evidence collection.

SOC 2 Type 2 evidence requirements

SOC 2 Type 2 audits assess whether security controls operated effectively over an audit period, typically six to twelve months. The auditor reviews evidence that controls were implemented and continued operating throughout the period. Evidence requirements include configuration documentation, control execution logs, exception reports and remediation tracking.

The Trust Services Criteria (TSC) cover Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is always in scope; most SOC 2 Type 2 engagements add one or two of the other categories. The Security criteria (the Common Criteria, CC1 through CC9) include logical access controls (CC6.1), system operations (CC7.1), change management (CC8.1) and risk mitigation (CC9.1). Evidence for each control point must be reproducible, timestamped and traceable to the operation being attested.

For Windows endpoints in production environments, the controls most likely to require evidence are privileged access management, security configuration management, vulnerability management and periodic privileged access review. Many security teams struggle to produce evidence at the granularity SOC 2 auditors expect because the usual telemetry sources (EDR, SIEM, patch status) do not naturally surface configuration-class findings such as weak service or file ACLs.

Trust Services Criteria alignment

The Sherlock EoP Auditor produces reports that map to specific Trust Services Criteria. The alignment is direct because EoP Auditor surfaces conditions that would let a standard user account become privileged on a Windows host, which is a control category SOC 2 explicitly tests.

CC6.1 Logical access security: the criterion requires evidence that logical access to information assets is restricted to authorized users. EoP Auditor findings show whether the actual host configuration enforces that restriction at the OS level. A scan reporting no privilege escalation surface on a host with documented standard hardening is evidence that the control operated at that point in time; the series of such scans across the period is what evidences continued operation. A finding such as "third-party service X has a named pipe authorization gap" documents an exception together with the remediation tracking the auditor will expect.

CC6.3 Authorization for privileged functions: the criterion requires evidence that access to privileged system functions is authorized and monitored. EoP Auditor findings show the surfaces through which unprivileged users could reach privileged functions. Negative findings (no surfaces detected) and positive findings with remediation evidence both serve the criterion.

CC7.1 System operations monitoring: the criterion requires detection and monitoring procedures that identify configuration changes introducing new vulnerabilities and susceptibility to newly discovered ones. Scheduled EoP Auditor scans across a fleet produce timestamped reports demonstrating exactly that kind of periodic check. Monthly or quarterly scans align with most SOC 2 Type 2 monitoring cadences; whatever cadence is written into the control description must then actually be met, since a gap in the series of reports is itself a finding.

CC8.1 Change management: the criterion requires evidence that changes to systems, including software installations, are reviewed and approved. EoP Auditor scans run before and after a third-party software deployment document whether the change introduced new privilege escalation surface; the before-and-after comparison is direct evidence of change impact assessment.

CC9.1 Risk mitigation: the criterion requires evidence that risk mitigation activities, including vulnerability response, are tracked. High-severity EoP Auditor findings that proceed to remediation and re-test produce a documented risk mitigation trail aligned with the criterion.

Evidence package structure

SOC 2 auditors expect evidence packages organized for efficient review. The recommended structure for incorporating EoP Auditor output into a SOC 2 evidence package:

Scope documentation: the auditor needs to understand which Windows hosts were in audit scope, which were scanned with EoP Auditor and the rationale for the scope decision. A scope memo documenting the host inventory, the scan cadence and the scope exclusions (development hosts, lab machines) gives the auditor the context they need.

Scan reports as evidence: EoP Auditor produces one structured report per scan. Each report includes a timestamp, host identifier, scanner version and per-finding detail with severity. Each report is one evidence artifact in the audit package, and the set of reports across the audit period demonstrates the cadence at which the control operated. Store the reports immutably (write-once storage, or a hash recorded at scan time) so the auditor can confirm they were not altered after the fact.

Finding remediation tracking: for each finding that surfaced during the audit period, the package needs to show what was done. Remediation tickets, change tickets, vendor coordination correspondence and re-test reports complete the audit trail. A finding that surfaced, was remediated and was re-tested clean is stronger evidence than the same finding surfaced and left open.

Exception register: findings that could not be remediated within the audit period need exception documentation. SOC 2 auditors accept exceptions when the rationale and compensating controls are documented. EoP Auditor findings that fall into this category (vendor will not patch, replacement product not yet evaluated) get exception register entries with the documented compensating controls.

Re-test attestation: the audit period ends with a re-test of high-severity findings. EoP Auditor scans run at the end of the audit period demonstrate the closing state of the privileged access surface. The closing scan is often the strongest single piece of evidence in the package.

Practical audit workflow

The operational workflow that aligns with most SOC 2 Type 2 cadences:

Pre-audit: establish the Windows host inventory in scope. Run an initial EoP Auditor baseline scan on all in-scope hosts. Document findings and initiate remediation for high-severity items.

Quarterly during the audit period: run scheduled EoP Auditor scans on the host inventory. Document new findings and track existing findings through remediation. Update the exception register for any items that cannot be remediated within the quarter.

Pre-audit close: run a final EoP Auditor scan covering the host inventory. Compile the evidence package for auditor review. Document the trend (findings opened, remediated, closed) across the audit period to show effective control operation.

During the audit: the auditor reviews the evidence package. EoP Auditor reports provide the primary evidence for privileged access and configuration management controls. Auditor questions about specific findings or remediation reference the report identifiers in the package.

Post-audit: incorporate auditor feedback into the next audit period's workflow. Refine scan scope, cadence and reporting based on what the auditor needed.
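The three artifacts the workflow above calls for (the CC8.1 before/after comparison, the closing-scan trend, and a hashed evidence manifest with a scanner-version consistency check) can be produced from the scan reports with a short script. The following Python is an added example, not Sherlock's own tooling. The page states only that each report carries a timestamp, host identifier, scanner version and per-finding detail with severity; the JSON layout, the finding categories (`service_binary_acl`, `named_pipe_acl`) and the three sample reports for host `WS-001` are constructed for illustration.

```python
"""Evidence-package helpers for EoP Auditor scan reports (illustrative, not vendor code).

Assumed report layout: {"host", "scanner_version", "timestamp", "findings": [
    {"category", "target", "severity"}, ...]}.  Only the presence of a timestamp,
host id, scanner version and per-finding severity is stated by the page.
"""
import hashlib
import json
from collections import Counter

# Constructed sample reports for one host across an audit period: the baseline
# scan, a scan after a third-party agent was installed, and the closing scan
# after the legacy service finding was remediated. Paths and names are made up.
REPORTS = [
    {"host": "WS-001", "scanner_version": "1.4.2", "timestamp": "2024-01-15T02:00:00Z",
     "findings": [
         {"category": "service_binary_acl", "target": "C:\\Program Files\\LegacyApp\\svc.exe",
          "severity": "high"},
     ]},
    {"host": "WS-001", "scanner_version": "1.4.2", "timestamp": "2024-04-15T02:00:00Z",
     "findings": [
         {"category": "service_binary_acl", "target": "C:\\Program Files\\LegacyApp\\svc.exe",
          "severity": "high"},
         {"category": "named_pipe_acl", "target": "\\\\.\\pipe\\vendorAgent", "severity": "high"},
     ]},
    {"host": "WS-001", "scanner_version": "1.4.2", "timestamp": "2024-07-15T02:00:00Z",
     "findings": [
         {"category": "named_pipe_acl", "target": "\\\\.\\pipe\\vendorAgent", "severity": "high"},
     ]},
]


def finding_key(host, finding):
    """Stable identity for a finding across scans: same host, category and target."""
    return (host, finding["category"], finding["target"])


def diff_reports(before, after):
    """CC8.1 before/after comparison: surfaces a change introduced, removed or left alone."""
    b = {finding_key(before["host"], f) for f in before["findings"]}
    a = {finding_key(after["host"], f) for f in after["findings"]}
    return {"introduced": sorted(a - b), "remediated": sorted(b - a), "persisting": sorted(a & b)}


def period_trend(reports):
    """Closing-memo trend: findings opened, remediated, and still open at period close.

    A finding counts as remediated when it appeared in some scan but is absent from
    the closing scan; a finding that reappears at close is not counted as remediated.
    Keys include the host, so a fleet's reports can be passed in together.
    """
    ordered = sorted(reports, key=lambda r: r["timestamp"])
    seen = set()
    for r in ordered:
        seen |= {finding_key(r["host"], f) for f in r["findings"]}
    closing = {finding_key(ordered[-1]["host"], f) for f in ordered[-1]["findings"]}
    return {"opened": len(seen), "remediated": len(seen - closing),
            "open_at_close": sorted(closing)}


def check_scanner_versions(reports):
    """Version drift is a question the auditor will ask; one version per period is cleanest."""
    versions = sorted({r["scanner_version"] for r in reports})
    return {"consistent": len(versions) == 1, "versions": versions}


def build_manifest(reports):
    """One manifest row per report: identity, SHA-256 of canonical JSON, severity counts."""
    rows = []
    for r in reports:
        canonical = json.dumps(r, sort_keys=True, separators=(",", ":")).encode()
        sev = Counter(f["severity"] for f in r["findings"])
        rows.append({"host": r["host"], "timestamp": r["timestamp"],
                     "scanner_version": r["scanner_version"],
                     "sha256": hashlib.sha256(canonical).hexdigest(),
                     "findings_high": sev.get("high", 0),
                     "findings_total": len(r["findings"])})
    return rows


if __name__ == "__main__":
    print(json.dumps(diff_reports(REPORTS[0], REPORTS[1]), indent=2))
    print(period_trend(REPORTS))
    print(check_scanner_versions(REPORTS))
    for row in build_manifest(REPORTS):
        print(row)
```

In production the manifest should hash the report file exactly as the scanner wrote it, not a re-serialized copy, and the manifest itself should be stored alongside the reports at scan time so the hashes predate any later handling. The before/after diff run at the moment a vendor agent is deployed is the change-impact evidence for CC8.1; the same diff between the baseline and the closing scan is the trend the pre-audit-close step documents.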

What EoP Auditor evidence does plus does not establish

The EoP Auditor evidence is specific to configuration-class privilege escalation surface on the scanned Windows hosts. It does not establish:

(1) Network security controls (firewall configurations, network segmentation),

(2) Identity and access management at the directory layer (AD configurations, MFA enforcement),

(3) Application-layer access controls (RBAC in business applications),

(4) Cloud infrastructure controls (IAM in AWS, Azure, GCP),

(5) Data classification or data loss prevention controls.

These control categories require separate evidence sources. EoP Auditor evidence is one component of a complete SOC 2 evidence package. The component it serves (Windows endpoint privileged access and configuration management) is difficult to evidence with other telemetry sources, which is why EoP Auditor reports add concrete value to the audit package.

Auditor coordination tips

Some practical observations from supporting clients through SOC 2 Type 2 engagements where EoP Auditor was part of the evidence:

Walk the auditor through one report early. Many auditors have not seen EoP Auditor output before. A brief walkthrough of one representative report (what each finding category means, how severity is assigned, what remediation looks like) saves multiple rounds of back-and-forth during the audit.

Document the scanner version per scan. The auditor will want to verify scanner consistency across the period. Capturing the EoP Auditor version in each report (the tool surfaces this in the structured output) answers the question before it is asked; if the scanner was upgraded mid-period, note the upgrade date and any change in finding categories in the scope memo.

Pair high-severity findings with remediation evidence in one bundle. The auditor reviews evidence bundle by bundle. A finding-plus-remediation-plus-retest bundle is easier to review than three separate evidence items.

Document exception register reasoning fully. Exceptions are not failures if the rationale and compensating controls are documented. Each exception register entry should be specific about what could not be remediated, why, and which compensating controls reduce the residual risk.

What this means for compliance programs

The mistake compliance programs make is treating SOC 2 evidence as documentation work rather than as evidence of operational effectiveness. EoP Auditor reports produced as a byproduct of routine Windows endpoint operations are stronger evidence than documentation assembled at audit time. The reports demonstrate that the control operated during the audit period, not merely that it was documented.

The honest practitioner posture is to make EoP Auditor scans part of the Windows operations routine and capture the reports as evidence naturally. A quarterly scan cadence plus integration into change management produces strong evidence with minimal additional process burden.

The Sherlock Forensics services practice supports clients through SOC 2 Type 2 engagements as forensic and security expert witnesses. Talk to our team about SOC 2 evidence support, gap assessment or compliance audit preparation. The forensic toolchain that supports compliance work includes the Sherlock Disk Imager for acquisition with chain of custody, the Sherlock Universal Events Viewer for timeline reconstruction and the Sherlock EoP Auditor for the privileged access and configuration management evidence category.

EoP Auditor reports map directly to SOC 2 Type 2 Trust Services Criteria. Get on the EoP Auditor early access list for the privileged access and configuration management evidence layer. Talk to our team about audit preparation or compliance assessment.