
We Told Our Customer We're SOC 2 Certified. We're Not.

SOC 2, compliance, startup security
"Customer asked if we have SOC 2. I said 'working on it.' We're not working on it."

That's a real post from r/sysadmin. Translation: they lied to close a deal, and now they're hoping the customer never follows up.

Here's the thing — this happens constantly. I've been doing security and compliance work for over 25 years, and if I had a dollar for every time a founder told me "we said we were working on it," I'd have enough to actually pay for their SOC 2.

The Compliance Lie Trap

It starts innocently. You're in a sales cycle. The customer's procurement team sends over a security questionnaire. Somewhere between "Do you have an incident response plan?" and "Provide your most recent SOC 2 Type II report," you feel the deal slipping.

So you improvise.

"We're working on it" buys time. "We take security seriously" is the universal deflection. "We're SOC 2 Type I certified" (from 18 months ago, with a scope that covered half your infrastructure, never renewed) — that technically isn't a lie, right?

Wrong. And you know it.

Three Bad Outcomes

When your customer follows up — and they will, because procurement teams exist specifically to follow up — you've got three options, and none of them are good:

1. Scramble Mode

Drop everything. Call Vanta or Drata ($20K/year). Hire a consultant ($15-25K). Stand up policies overnight. Pray you can get a Type I report in 90 days before the deal window closes.

Best case: you burn $35K+ and 200 hours of engineering time, and you might save the deal. Worst case: you blow all that money and the customer still walks because 90 days is too long.

2. Lose the Deal

Watch six months of sales work evaporate because you couldn't produce a report. Your champion at the customer goes quiet. Their CISO sends a polite email about "alignment on security posture." The deal dies in committee and nobody tells you why.

This is actually the least bad option, because at least you're not compounding the problem.

3. Double Down on the Lie

I once got a call from a founder who tried to pass off a competitor's SOC 2 report as their own. The customer's auditor caught it in 48 hours. The deal died, the relationship was nuked, and lawyers got involved.

It's fraud — and depending on how you sent it, potentially a federal crime. People have gone to prison for less creative lies.

What You Should Do Instead

If a customer asks about SOC 2 and you don't have it, here's the play:

Be honest. Be specific. Show the work.

"We don't have a SOC 2 report yet. Here's what we do have."

Then show them:

  • Your security architecture. How is data encrypted? Where does it live? Who has access? If you're running on AWS with proper IAM, encrypted RDS, and VPC isolation — say that. With diagrams.
  • Your policies. Incident response plan. Access control policy. Change management process. Even if they're v1 drafts, a written policy beats "we take security seriously" every time.
  • Your roadmap. "We're targeting SOC 2 Type I by Q3. Here's our timeline, here's our auditor, here's our readiness checklist." A real roadmap with dates and milestones shows you're serious.
  • Your controls. MFA enforced? Endpoint management? Background checks? Vulnerability scanning? List what you actually do. Most companies do more than they think — they just haven't documented it.

Nine times out of ten, this is enough. Procurement teams aren't unreasonable. They know small companies don't always have SOC 2. What they're really asking is: "Should we trust you with our data?" Give them a real answer.

The Math Nobody Talks About

Here's what founders get wrong about SOC 2 timing: they think it's a sales objection to handle reactively.

It's not. It's infrastructure.

If you're selling to mid-market or enterprise customers, SOC 2 is table stakes. Not having it doesn't just risk one deal — it's a tax on every deal. Your sales team is spending hours on security questionnaires that a SOC 2 report would answer in one PDF. Your founders are in calls explaining your security posture instead of closing.

The cost of SOC 2 isn't $35K. The cost of not having SOC 2 is every deal that stalls, every RFP you can't respond to, and every enterprise customer who ghosts you after the security review.

If You Already Lied

Look, I'm not here to judge. I've worked with dozens of companies who told a customer they were "working on it" when they weren't. It happens. The question is what you do next.

Option A: Come clean. Go back to the customer with a real plan. "We said we were working on SOC 2, and I want to give you a concrete update. Here's our timeline and here's what we've done so far." Most customers will respect the honesty.

Option B: Actually start working on it. Turn the lie into the truth. You said you were working on it? Great — now you are. Get a readiness assessment, build your roadmap, pick an auditor. Make the statement retroactively true.

Option C: Call someone who does this for a living. That's me. I've helped companies go from zero to SOC 2 Type I in under 90 days. Not by cutting corners — by focusing on what actually matters and skipping the compliance theater.

The worst thing you can do is nothing. The lie compounds. The customer will follow up. And when they do, "we're still working on it" has a shelf life. Let's talk before this becomes a six-figure cleanup job.

Told a customer you're SOC 2 compliant but you're not?

Let's build a real plan before this becomes expensive.

SOC 2, compliance, startup security, fractional CISO, cybersecurity
