
How JupiterOne Used JupiterOne to Power SOC 2 Type 2 Evidence Collection
Challenges
As a cloud-native SaaS company, JupiterOne must maintain a strong security posture while meeting the expectations of enterprise customers and independent auditors. Like many growing technology organizations, JupiterOne operates across a modern stack that includes AWS, GitHub, and Google Workspace, with security and compliance requirements spanning infrastructure, access control, change management, and governance.
Preparing for a SOC 2 Type 2 assessment introduced several challenges:
- Demonstrating operating effectiveness over time rather than point-in-time compliance
- Collecting and correlating evidence across multiple systems and tools
- Responding efficiently to auditor follow-up requests without disrupting engineering teams
- Reducing reliance on manual screenshots, spreadsheets, and static exports
The team needed a way to continuously validate controls and generate auditor-ready evidence without creating additional operational overhead.
Results
- Centralized SOC 2 Type 2 evidence generation using JupiterOne as the system of record
- Repeatable, query-backed evidence supporting key SOC 2 Common Criteria domains
- Reduced manual evidence collection and audit preparation effort
- Faster, clearer auditor responses through traceable, source-backed proof
- Increased confidence in control operation throughout the entire audit period
Understanding the SOC 2 Type 2 Challenge
SOC 2 Type 2 assessments require more than proof that controls exist. Auditors must see evidence that controls:
- Are designed appropriately
- Operate consistently throughout the review period
- Can be traced back to authoritative source systems
Traditional audit preparation often involves manual exports from cloud consoles, screenshots of configuration pages, and ad hoc log reviews. While these approaches may satisfy individual requests, they are difficult to repeat, difficult to validate over time, and increase the risk of gaps when auditors request additional samples.
JupiterOne’s goal was to replace this manual approach with continuous, query-driven validation.
Solution: JupiterOne as the Evidence Engine
JupiterOne used JupiterOne as a centralized system of record for SOC 2 evidence by integrating core systems including:
- AWS (infrastructure and cloud resources)
- GitHub (code repositories, pull requests, and change history)
- Google Workspace (identity and access context)
- Internal documentation and configuration sources
With these integrations in place, assets, identities, and relationships were continuously ingested and normalized. The team then used J1QL, JupiterOne’s query language, to validate controls aligned to SOC 2 Common Criteria — without relying on static dashboards or one-off reports.
Each query served as living evidence: repeatable, time-bound, and directly tied to the underlying system of record.
Key Integrations
Evidence in Practice
Change Management (CC7.2, CC8.1)
To demonstrate that changes to production systems were reviewed and approved, JupiterOne used J1QL queries against GitHub pull requests. Queries filtered for merged pull requests within the audit window, allowing auditors to verify that changes followed defined workflows and approval processes.
Because the queries could be rerun at any time, auditors could request refreshed samples without requiring additional manual effort from engineers.
Production System Inventory (CC1.2, CC7.1)
Maintaining an accurate inventory of in-scope production systems is foundational to SOC 2. JupiterOne used tagging-based queries to dynamically identify production AWS resources, including VPCs, EC2 instances, and DynamoDB tables.
This approach ensured that the inventory remained current throughout the audit period, even as infrastructure evolved. Rather than relying on static lists, the team could demonstrate that system boundaries were continuously enforced.
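The queries below are an added illustration of the change-management and production-inventory evidence described in the two sections above; they are not the queries JupiterOne ran and are not taken from this page. The entity types (github_pullrequest, aws_vpc, aws_instance, aws_dynamodb_table) are standard JupiterOne types, but the property names state, mergedOn and approved, the tag key Environment, and the 90-day audit window are assumptions chosen for the example. Lines beginning with // are explanatory notes, not J1QL syntax; run each FIND statement on its own.

```j1ql
// Change management (CC7.2, CC8.1): merged pull requests inside the audit
// window. Assumed properties: state, mergedOn, approved. Rerunning this
// later refreshes the auditor's sample without a manual export.
FIND github_pullrequest
  WITH state = 'MERGED' AND mergedOn > date.now - 90days AS pr
RETURN pr.displayName, pr.mergedOn, pr.approved

// Exception check for the same control: merged pull requests with no
// recorded approval. An empty result is the evidence of operating
// effectiveness; a non-empty result is a finding to investigate before
// the auditor asks about it.
FIND github_pullrequest
  WITH state = 'MERGED' AND mergedOn > date.now - 90days AND approved != true AS pr
RETURN pr.displayName, pr.mergedOn

// Production system inventory (CC1.2, CC7.1): a tag-driven scope boundary
// across VPCs, EC2 instances and DynamoDB tables. Assumes the tag key
// "Environment" with the value "production".
FIND (aws_vpc | aws_instance | aws_dynamodb_table)
  WITH tag.Environment = 'production' AS asset
RETURN asset._type, asset.displayName
```

Because each statement is evaluated against the continuously ingested graph rather than a saved export, the same text produces a fresh, time-bound result set on every run, which is what makes it reusable when an auditor asks for additional samples.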
Access & Authentication Controls (CC6.1, CC6.2)
For identity and access management controls, JupiterOne validated configuration directly from source-of-truth artifacts. Cognito user pool settings were reviewed via Terraform configuration, ensuring that authentication and lockout policies were defined and enforced consistently.
By tying evidence to infrastructure-as-code and vendor documentation, the team demonstrated both control design and operational enforcement, without relying on screenshots from management consoles.
Management Oversight & Governance (CC1.1, CC1.3)
SOC 2 also requires evidence of governance and oversight. JupiterOne used GitHub-based artifacts to demonstrate recurring management and security meetings. J1QL queries surfaced recent meeting notes and agendas, showing that leadership review and oversight occurred consistently throughout the review period.
This provided auditors with clear, time-bound evidence of governance activities aligned to SOC 2 expectations.
Continuous Validation During the Audit Period
One of the most impactful benefits of using JupiterOne was the ability to validate controls continuously, not just at audit time. Queries could be scheduled or rerun on demand to:
- Confirm ongoing compliance
- Detect drift or exceptions early
- Regenerate evidence in response to auditor questions
This reduced audit friction and allowed the team to address potential issues proactively, rather than discovering gaps late in the assessment.
Audit Execution & Outcomes
During audit fieldwork, JupiterOne was able to respond to evidence requests quickly and consistently. Auditors reviewed query-backed results that could be traced directly to authoritative systems, reducing the need for follow-up clarification.
Because evidence was generated dynamically, the team avoided rebuilding artifacts when timelines shifted or additional samples were requested. The result was a smoother audit experience with less disruption to engineering and security teams.
Summary
By using JupiterOne to support its own SOC 2 Type 2 assessment, JupiterOne transformed audit evidence collection from a manual, point-in-time exercise into a continuously validated, query-driven process, proving that compliance can scale with modern cloud environments.
