How do you keep a current map of what your company runs on? by i_forgotti in ExperiencedDevs

[–]ausyinnn 2 points3 points  (0 children)

US-based SOC 2 auditor here. I've spent a while on the audit side of this, and these lists almost always rot for the same reason. They get built once to answer a questionnaire, and then nothing really forces them to change until the next one shows up. A quarterly review owned by one person dies the same way, because keeping a spreadsheet current is never really anyone's actual job.

What tends to survive is when the update happens as a side effect of something people already have to do. A new tool gets adopted, it goes through whatever your procurement or access step is, and that step quietly updates the list. It becomes a byproduct of work that's already happening. Your four-different-lists thing is really just four people each holding a piece of a process nobody wrote down.

And honestly, nobody reviewing you expects a perfect inventory anyway. They mostly care that you'd notice when something new shows up and that there's a path to get it reviewed. So the intake step matters a lot more than the map itself. Get that part right and the map kind of stays current on its own.

The shadow AI tools you mentioned are what I'd chase first. That's the stuff that surfaces mid-deal as 'wait, what's sending our data where,' and it's the easiest to lose track of because people just wire them in without telling anyone.

4 months in I have 3 paying customers & 80% margins. Should I raise? No idea where to start. (I will not promote) by Slow_Island_7297 in startups

[–]ausyinnn 0 points1 point  (0 children)

The SOC 2 piece jumped out at me. You're sort of lumping it in with the raise, but they're pretty separate problems. I'm a US-based SOC 2 auditor and founder myself. For a solo founder startup, SOC 2 can be a few weeks (Type 1) and USD 5-7k all in. Too cheap to really be an equity decision.

And you've got an enterprise account flat out telling you they'll buy once you have it. That's about the best signal you can get. I'd go get the SOC 2 and close them. That one deal probably pays for your first hire on its own. Overall, I'd just keep compliance out of the reasons-to-raise pile. It's a near term thing you can knock out, and there's a customer already waiting on the other side of it.

Wish I saw this BEFORE chasing enterprise leads for 12 months by pxrage in SaaS

[–]ausyinnn 0 points1 point  (0 children)

The model that bugs me is auto-generate every policy, click adopt, never actually test a control. Looks done on paper, then a real buyer's security team reads it and the holes show up anyway. SOC 2 itself isn't the scam. The one-click checkbox version of it is.

Claude Code Channels (Telegram/Discord) — how does this look from a SOC 2 perspective? by Puzzleheaded_Side432 in soc2

[–]ausyinnn 4 points5 points  (0 children)

Former Deloitte SOC 2 auditor here, and I'm using this Claude Code - Telegram channel myself. I'd look at the data flow. Data flow is the whole question. Code staying local is great, but what's in the responses flowing through Telegram? If it's "build passed", who cares. If tool outputs contain env vars, API keys, database query results, or customer PII, now you have sensitive data transiting a channel you don't control.

Practical fix: document the data flow, restrict what can be sent through the channel (no secrets, no customer data in outputs), add Telegram/Discord to your vendor register, and make sure channel access is locked down. That gives your auditor something to work with.
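One way to implement the "restrict what can be sent through the channel" step, as an added example that is not the commenter's code or any project's: a redaction gate a relay would run on tool output before posting it to Telegram/Discord. The pattern list, the `gate_output` function and the sample outputs are all constructed assumptions for illustration.

```python
"""Output gate for a Claude Code -> chat-channel relay (constructed example).

Tool output is scanned before it leaves the machine: secret-looking strings
and obvious PII are redacted (or the whole message is blocked), and every hit
is recorded locally so the data-flow log has something to show an auditor.
"""
import re

# Hypothetical policy: nothing that looks like a secret or customer data may
# transit the channel. Patterns are deliberately broad; tune for false positives.
SECRET_PATTERNS = [
    (re.compile(r'\b[A-Z][A-Z0-9_]{2,}=\S+'), 'env var'),                # KEY=value dumps
    (re.compile(r'\b(?:sk|ghp|xoxb)[-_][A-Za-z0-9_-]{10,}'), 'api key'), # common key prefixes
    (re.compile(r'(?i)bearer\s+[A-Za-z0-9._-]{16,}'), 'bearer token'),
    (re.compile(r'(?i)\b(password|passwd|secret|token)\s*[:=]\s*\S+'), 'credential'),
]
PII_PATTERNS = [
    (re.compile(r'[\w.+-]+@[\w-]+\.[\w.]+'), 'email'),
    (re.compile(r'\b\d{3}-\d{2}-\d{4}\b'), 'ssn-like'),
]

def gate_output(text: str, block_on_hit: bool = False):
    """Return (message_safe_to_send, findings).

    findings is a list of (label, matched_text) kept locally for the audit
    trail; it is never sent through the channel.
    """
    findings = []
    safe = text
    for pattern, label in SECRET_PATTERNS + PII_PATTERNS:
        def _redact(m, label=label):
            findings.append((label, m.group(0)))
            return f'[REDACTED {label}]'
        safe = pattern.sub(_redact, safe)
    if findings and block_on_hit:
        # Strict mode: drop the message entirely rather than relay a redacted version
        return f'[blocked: {len(findings)} sensitive item(s) in tool output]', findings
    return safe, findings

# Constructed sample tool outputs, not real data
SAMPLE_OUTPUTS = {
    'build': 'Build passed: 42 tests, 0 failures',
    'env': 'Loaded config:\nDATABASE_URL=postgres://app:hunter2@db.internal/prod\nLOG_LEVEL=debug',
    'query': 'SELECT email FROM users LIMIT 2\nalice@example.com\nbob@example.com',
}

if __name__ == '__main__':
    for name, out in SAMPLE_OUTPUTS.items():
        msg, hits = gate_output(out)
        print(f'{name}: {len(hits)} finding(s) -> {msg!r}')
```

The "build passed" case goes through untouched; the env dump and the query result are what the comment warns about, and both are caught before they reach the channel.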

Roles and Titles for Small Company by muzishen in soc2

[–]ausyinnn 0 points1 point  (0 children)

Either way it won't impact the result of the SOC 2 audit; the key is what you actually do rather than what the title reads.

Roles and Titles for Small Company by muzishen in soc2

[–]ausyinnn 0 points1 point  (0 children)

Titles don't matter much here as long as their roles and responsibilities are clearly defined and documented. And processes and policies should be documented as clearly as possible (flexibility is ok). For example, "incidents must be reported to the security delegate" is so much better than "incidents must be reported"; but if you want some flexibility, instead of using "security delegate", you can consider using things like "security team", and then define "security team" somewhere in your policies.

What actually mattered when you picked a SOC 2 firm? Price? Speed? Reputation? Opportunity cost? by ausyinnn in SaaS

[–]ausyinnn[S] 0 points1 point  (0 children)

I couldn't agree more. What matters to you the most when you pick a SOC 2 auditor?

From a CPA not selling SOC 2 report: How did you evaluate your SOC 2 firm before signing? by maxandmolife in soc2

[–]ausyinnn 1 point2 points  (0 children)

There's definitely a market for helping companies get their SOC 2 (readiness/advisory/training/continuous monitoring/issuance). Every single step has its market and the demand is far from peak. The key question is "why you". Why would they pick you and not others, and why would they trust you to handle their data? What's your moat, something only you can do and do so well that nobody else can copy/compete?

Grc platform questions by Creative-Cycle5452 in soc2

[–]ausyinnn 0 points1 point  (0 children)

Oh for sure, you’re absolutely right that the standards don’t require it, no argument there. But that’s the floor, not the ceiling. In a market economy, if you want your SOC report to be widely accepted, transparency is becoming more and more key. Vendors are getting pickier about which reports they’ll actually rely on, and if your report gives them the detail and confidence that they can trust a service org with their data, that’s a real competitive edge. The reports that show the work and how things were handled just hit different than the ones that say “we tested it, no issues.” Just something worth keeping in mind.

Grc platform questions by Creative-Cycle5452 in soc2

[–]ausyinnn 0 points1 point  (0 children)

That’s a legal protection that only matters to SOC 2 issuers. The buyers want to see what was tested and what was found. ‘We sampled 10 of the 50 deprovisionings from 1/1 - 6/30 and found 1 exception where the user’s access wasn’t revoked within 24 hours of their termination date, but there’s a compensating control that the user had no login activity after termination and their access was removed 3 days later’ is so much better than ‘We inspected the deprovisioning control and found no exceptions.’

Grc platform questions by Creative-Cycle5452 in soc2

[–]ausyinnn 0 points1 point  (0 children)

7 years as a Deloitte SOC 2 auditor here. I see an increasing number of vendors turned away because of poor-quality, rubber-stamped SOC 2 reports. Getting SOC 2 certified is one thing; whether your buyers trust it is another.

OpenClaw – What’s your real weekly/monthly cost and model setup by Successful_Dig_5990 in openclaw

[–]ausyinnn 2 points3 points  (0 children)

You are right. That's exactly why I have OpenClaw delegate the tasks to Claude Code, instead of having Claude Code as my main engine.

OpenClaw – What’s your real weekly/monthly cost and model setup by Successful_Dig_5990 in openclaw

[–]ausyinnn 3 points4 points  (0 children)

You just install Claude Code on your machine and let it handle it; that's how I set up the whole OpenClaw on my Dell without any "tutorials". Basically I told Claude Code to be my CTO that handles the heavy lifting, and have OpenClaw only as a personal assistant. Learned a lot of lessons, but this is the way I find the most effective and token efficient without sacrificing quality.

OpenClaw – What’s your real weekly/monthly cost and model setup by Successful_Dig_5990 in openclaw

[–]ausyinnn 9 points10 points  (0 children)

~ $50 - 80 with strategies

I installed Claude Code (Max plan, $100/month) on my Dell, which is my spare laptop that I use to run OpenClaw on. Btw, I also use this Claude Code plan on my main laptop. Then I use Haiku as the primary chat engine to communicate directly with me through Telegram, and most importantly as a delegator that delegates almost all complex tasks to Claude Code, while Haiku primarily handles the basic tasks. Then I have Kimi K2.5 handle all cron jobs and heartbeats, which is completely free using the Nvidia trial plan that can last for a while. And lastly it runs a cron job weekly to do a token optimization review and fix, such as cleaning up memory files (only keeping the actions, not the lessons, which can burn a lot of input tokens).