Threat intelligence for SOC 2: CC7.x evidence, 2026
Where threat-intelligence operations map onto AICPA Trust Services Criteria, what Type II auditors actually ask for, and how OSS plus commercial feeds compare as audit evidence.
Last verified: May 2026. Independent reference. Not legal or audit advice; consult your QSA or auditor for your scope.
SOC 2 TSC mapping for CTI
The AICPA Trust Services Criteria do not require a CTI feed by name. They require detection of unauthorised activity, monitoring of anomalies, and timely evaluation of events. A CTI programme contributes evidence to seven of the Common Criteria, primarily in the CC7 series. The mapping below reflects how auditors at Coalfire, A-LIGN, Schellman, KPMG, and EY commonly request CTI evidence in 2026 Type II engagements.
| TSC | What it requires | CTI evidence | Typical auditor question |
|---|---|---|---|
| CC7.1 | Detect configuration changes and known vulnerabilities | Vulnerability intel feed (Tenable, Recorded Future, OSV); IoC ingestion logs | Show me how new CVEs reach your SOC within 24 hours |
| CC7.2 | Monitor for anomalies and changes that could indicate threats | SIEM correlation rules sourced from IoC feeds; alert run-book | Show me five alert rules tied to current threat intel |
| CC7.3 | Evaluate events to determine if they pose a threat | Case management records; triage SLAs; enrichment notes | Show me a sample case from the past 90 days, end to end |
| CC7.4 | Respond to identified incidents | IR playbook references to CTI sources; tabletop exercises | When did you last update the IR playbook with new intel? |
| CC7.5 | Recover from identified incidents | Post-incident review showing CTI sourcing improvements | What CTI source addition came out of your last major incident? |
| CC8.1 | Manage change control with security awareness | Code review references to threat-informed patterns | Where is OWASP Top Ten knowledge baked into your SDLC? |
| CC9.2 | Manage vendor risk including security disclosures | Vendor incident monitoring; supply-chain feed correlation | How would you know if a third-party supplier was breached? |
Source: AICPA Trust Services Criteria 2017 (TSP Section 100, as amended); composite of public Type II audit checklists published by major firms.
CC7.2 is where CTI carries the weight
CC7.2 is the criterion where a CTI programme most directly demonstrates evidence quality. The control language is short: monitor for anomalies and changes that could indicate threats. The auditor wants to see three artefacts: a documented feed inventory, a tracing path from feed to SIEM rule, and a record of how rules are kept current.
A feed inventory is a one-page document that lists every CTI data source the SOC ingests, the cadence at which it updates, the format (STIX 2.1, TAXII, JSON, CSV), the volume per day, and the team owner. Most SOC 2 audit findings on CC7.2 cite missing inventory rather than missing feeds. Auditors do not require a particular feed; they require that you know what feeds you have and that you can prove you read them.
The tracing path is what auditors call the evidence chain. A CVE published by NIST flows into your SIEM as an indicator; the SIEM rule that fires on it is documented as having that CVE source. Five sample rules with full tracing are what most auditors ask to see. If you use Splunk Enterprise Security or Microsoft Sentinel, the workbench shows this trace natively for built-in content. If you author custom rules in SOC Prime, in Sigma, or in Sentinel KQL, your rule source of truth (Git) should reference the CTI source.
The currency record is the easiest to lose. A rule that fired three years ago against a campaign that ended two years ago is not useful evidence; the auditor wants to see review cadence. Quarterly rule reviews with documented rationale (kept active, deprecated, tuned for false positives) are the minimum. Annual is too slow.
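The three artefacts above (feed inventory, feed-to-rule trace, review currency) are data checks, and the first three findings listed under "Common CTI-related audit findings" are what happens when nobody runs them. The script below is an added example, not code from this page or from any SIEM or CTI vendor; it assumes the inventory and the rule corpus are kept as plain records (for instance YAML files in Git loaded into dicts), and every field name it uses is this example's own convention rather than a Sigma or vendor schema. The sample inventory and rules are constructed, with one defect of each kind planted so the checks have something to find.

```python
"""CC7.2 evidence-chain checks: feed inventory, rule provenance, review currency.

Added example; not code from this page or from any SIEM or CTI vendor. It
assumes the feed inventory and the detection rules are kept as plain records
(for instance YAML files in Git, loaded into dicts); every field name below is
this example's own convention, not a Sigma or vendor schema.
"""
from datetime import date, timedelta

# Constructed sample inventory: the one-page feed list, expressed as data.
FEED_INVENTORY = [
    {"id": "nvd", "name": "NIST NVD", "format": "JSON", "cadence": "hourly",
     "volume_per_day": 150, "owner": "detection-eng"},
    {"id": "threatfox", "name": "abuse.ch ThreatFox", "format": "CSV",
     "cadence": "daily", "volume_per_day": 800, "owner": "soc-l2"},
    # Deliberately incomplete entry: no owner recorded.
    {"id": "otx", "name": "AlienVault OTX", "format": "STIX 2.1",
     "cadence": "daily", "volume_per_day": 2000},
]
REQUIRED_INVENTORY_FIELDS = ("id", "name", "format", "cadence", "volume_per_day", "owner")

# Constructed sample rules. "sources" lists the inventory feed ids the rule is
# derived from; "last_reviewed" and "decision" form the currency record.
RULES = [
    {"id": "r-001", "title": "ThreatFox C2 IP hit", "sources": ["threatfox"],
     "last_reviewed": "2026-03-15", "decision": "kept"},
    {"id": "r-002", "title": "NVD-listed exploit attempt", "sources": ["nvd"],
     "last_reviewed": "2025-11-01", "decision": "tuned"},
    {"id": "r-003", "title": "Legacy campaign beacon", "sources": [],
     "last_reviewed": "2023-02-10", "decision": "kept"},
    {"id": "r-004", "title": "Vendor hash match", "sources": ["vendor-x"],
     "last_reviewed": "2026-04-02", "decision": "kept"},
]


def check_inventory(inventory):
    """Return {feed_id: [missing fields]} for incomplete inventory entries."""
    defects = {}
    for entry in inventory:
        missing = [f for f in REQUIRED_INVENTORY_FIELDS if f not in entry]
        if missing:
            defects[entry.get("id", "<no id>")] = missing
    return defects


def trace_rules(rules, inventory):
    """Provenance check: rules with no CTI source at all, and rules citing a
    source that is not in the inventory (the auditor cannot follow that chain)."""
    known = {f["id"] for f in inventory}
    unmapped, unknown = [], {}
    for rule in rules:
        sources = rule.get("sources") or []
        if not sources:
            unmapped.append(rule["id"])
        bad = [s for s in sources if s not in known]
        if bad:
            unknown[rule["id"]] = bad
    return unmapped, unknown


def stale_rules(rules, as_of, max_age_days=90):
    """Currency check: rules whose last documented review is older than the
    review cadence (quarterly by default). as_of may be a date or ISO string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=max_age_days)
    return [r["id"] for r in rules if date.fromisoformat(r["last_reviewed"]) < cutoff]


def cc72_report(inventory, rules, as_of):
    """Bundle the three artefact checks into one evidence-readiness summary."""
    unmapped, unknown = trace_rules(rules, inventory)
    return {
        "inventory_defects": check_inventory(inventory),
        "rules_without_source": unmapped,
        "rules_with_unknown_source": unknown,
        "rules_overdue_for_review": stale_rules(rules, as_of),
    }


if __name__ == "__main__":
    for key, value in cc72_report(FEED_INVENTORY, RULES, "2026-05-01").items():
        print(f"{key}: {value}")
```

Run it on the sample data and every planted defect surfaces: the OTX entry has no owner, r-003 cites no source, r-004 cites a source the inventory does not list, and r-002 and r-003 are overdue against a quarterly cadence. Wiring a check like this into the CI of the rule repository turns the quarterly review from a spreadsheet exercise into a gate, and the CI log itself becomes part of the currency record.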
For teams running an LLM enrichment layer on top of the feed pipeline, the auditor will ask for evidence that LLM-derived classifications are reviewed by a human before any alert action. See hallucination risk in AI threat reports for the governance gates that hold up in audit.
OSS, commercial, and hybrid evidence quality
Auditors are vendor agnostic. They weigh evidence consistency, not vendor brand. The three common stacks below all pass Type II in 2026 with credible auditors; the practical differences are in operational continuity and time to evidence retrieval.
OSS only
Cost: $300 to $1,500 / month. Passes Type II: yes, with rigour.
Strengths: Full transparency on data lineage. TLP tagging is explicit. Free to extend the audit trail. Auditor can inspect MISP event JSON directly.
Audit risks: Operational continuity if one analyst leaves. Documentation hygiene is the audit risk, not the technology. No formal SLA on intel quality from any single source.
OSS plus one commercial feed
Cost: $50,000 to $120,000 / year. Passes Type II: yes, median pattern.
Strengths: Commercial vendor SOC 2 attestation transfers to your vendor list. Curated intel reduces analyst load. Audit trail spans your OSS plus vendor portal.
Audit risks: Vendor terms may restrict data retention; check before relying on vendor portal as primary evidence store. Pipe data into your own audit-friendly store as well.
Premium commercial stack
Cost: $250,000+ / year. Passes Type II: yes, customer trust signal.
Strengths: Recorded Future Elite or Mandiant Advantage plus brand-protect tooling produces audit-ready dashboards. Strong customer-trust signal for enterprise prospects.
Audit risks: Cost-benefit is hard to justify unless audit scope explicitly requires it for enterprise customer attestation. Most mid-market SaaS overbuys at this tier.
For full audit-cost ranges that affect your stack-budget conversation, see soc2compliancecost.com. A Type I audit typically costs $20,000 to $60,000; Type II from $40,000 to $150,000 depending on scope.
Common CTI-related audit findings
Findings cluster into five recurring patterns. The remediation cost is small when caught before fieldwork; expensive when raised in management response after the audit window has closed.
Missing CTI feed inventory
CC7.1 / CC7.2 deficiency
Fix: One-page inventory listing every feed (NIST NVD, MISP communities, commercial subscriptions, OSINT). Update quarterly. Store in audit-evidence folder.
Rules unmapped to intelligence sources
CC7.2 deficiency on rule provenance
Fix: Add CTI source metadata to every SIEM rule comment. SOC Prime, Sigma, and Sentinel KQL all support comment fields the auditor can read.
No documented rule review cadence
CC7.2 deficiency on currency
Fix: Quarterly rule review with a tracking spreadsheet. Each rule reviewed: kept, tuned, or retired with rationale. Persists in evidence folder.
Case records that close without enrichment notes
CC7.3 deficiency on event evaluation
Fix: Mandatory enrichment-summary field in TheHive or Jira before close. One paragraph minimum. Spot-checked by an L2 analyst weekly.
LLM enrichment without human review evidence
CC7.3 plus emerging AI governance scrutiny
Fix: Every LLM-classified alert above Low confidence requires human acknowledgement before close. Log the human acknowledgement in the case record.
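The last two findings (cases closed without an enrichment note, and LLM classifications acted on without a human review record) are both close-time gates, and the FAQ answer on LLM enrichment risk below describes the same pattern. The following is an added example, not code from this page, TheHive, Jira, or any LLM vendor. It assumes a case is a dict with the fields used here (this example's own convention), that the LLM layer labels its confidence as Low, Medium or High, and that "one paragraph minimum" can be approximated by a character threshold; the two sample cases are constructed, with the destination address taken from the 203.0.113.0/24 documentation range.

```python
"""Case-close gate for CC7.3 evidence: an enrichment summary and a human review
record for LLM-derived classifications, with the decision logged in the case.

Added example; not code from this page, TheHive, Jira, or any LLM vendor. It
assumes a case is a dict with the fields used below (this example's own
convention) and that the LLM layer labels confidence as Low, Medium or High.
"""
from datetime import datetime, timezone

MIN_SUMMARY_CHARS = 200           # assumed threshold for "one paragraph minimum"
CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}


def close_blockers(case):
    """Reasons the case may not be closed yet; an empty list means the gate passes."""
    reasons = []
    summary = (case.get("enrichment_summary") or "").strip()
    if len(summary) < MIN_SUMMARY_CHARS:
        reasons.append(f"enrichment summary missing or under {MIN_SUMMARY_CHARS} chars")
    llm = case.get("llm_classification")
    if llm:
        conf = llm.get("confidence")
        if conf not in CONFIDENCE_RANK:
            reasons.append(f"unrecognised LLM confidence label {conf!r}")
        elif CONFIDENCE_RANK[conf] > CONFIDENCE_RANK["Low"] and not case.get("human_ack"):
            reasons.append(f"LLM verdict {llm.get('verdict')!r} at {conf} confidence "
                           "has no human acknowledgement")
    return reasons


def record_human_ack(case, analyst, agrees_with_llm, note, now=None):
    """Log the human review of the LLM classification inside the case record."""
    now = now or datetime.now(timezone.utc)
    case["human_ack"] = {"ts": now.isoformat(), "analyst": analyst,
                         "agrees_with_llm": agrees_with_llm, "note": note}
    return case["human_ack"]


def close_case(case, analyst, now=None):
    """Close only if the gate passes; append an audit-trail entry either way,
    so a rejected close is itself evidence that the gate is enforced."""
    now = now or datetime.now(timezone.utc)
    blockers = close_blockers(case)
    case.setdefault("audit_trail", []).append({
        "ts": now.isoformat(), "actor": analyst,
        "action": "close" if not blockers else "close_rejected",
        "detail": "; ".join(blockers) or "gate passed",
    })
    if not blockers:
        case["status"] = "closed"
    return not blockers


# Constructed sample cases.
SAMPLE_SUMMARY = (
    "ThreatFox C2 indicator matched egress from host WS-042 at 03:14 UTC to "
    "203.0.113.7. EDR shows no anomalous process tree; the connection was a "
    "single outbound SYN with no reply, consistent with the firewall block "
    "that the perimeter log confirms. No lateral movement observed. Closing "
    "as confirmed-blocked; indicator retained on the watchlist for 30 days."
)
CASE_OK = {"id": "C-1001", "enrichment_summary": SAMPLE_SUMMARY,
           "llm_classification": {"verdict": "benign", "confidence": "Medium"}}
CASE_BAD = {"id": "C-1002", "enrichment_summary": "Looked fine, closing.",
            "llm_classification": {"verdict": "benign", "confidence": "High"}}

if __name__ == "__main__":
    record_human_ack(CASE_OK, "l2-analyst", True, "Reviewed EDR and firewall logs; agree.")
    print("C-1001 closed:", close_case(CASE_OK, "l2-analyst"))
    print("C-1002 closed:", close_case(CASE_BAD, "l1-analyst"),
          "|", CASE_BAD["audit_trail"][-1]["detail"])
```

The point of logging the rejected close as well as the successful one is that the auditor's question is not "do you have a policy" but "show me it being enforced"; a trail of close_rejected entries with their reasons answers Q9 without a separate report. A Low-confidence LLM verdict passes without acknowledgement here because the finding above scopes the requirement to alerts above Low, and an unknown confidence label is treated as a blocker rather than silently waved through.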
What the auditor will actually ask
A composite of the typical CC7-series question set from a Big Four or A-LIGN Type II in 2026. If a SOC manager can answer all ten without consulting another team, the audit will not surface CTI findings.
- Q1. Walk me through how a new CVE flows from publication to a SIEM alert rule. How long does that typically take?
- Q2. Show me the inventory of CTI feeds you ingest. How is the inventory kept current?
- Q3. Show me five SIEM detection rules and the threat intelligence sources they reference.
- Q4. When did you last review the detection rule set? Where is the documented review?
- Q5. Show me a case from the past 90 days where an IoC fired in your SIEM. Walk me through the triage and close.
- Q6. How do you stay current on threat actors targeting your industry?
- Q7. Where in your IR playbook do you reference threat intel sources?
- Q8. If your primary CTI vendor went offline, what is your fallback?
- Q9. Do you use AI or LLMs to enrich alerts? Where is the human review gate?
- Q10. How would you know if a third-party vendor you depend on suffered a breach?
Composite question set drawn from publicly available SOC 2 readiness checklists (Vanta, Drata, Secureframe, A-LIGN) and Coalfire SOC 2 control matrix references.
Recommended starting pattern
For a SaaS company pursuing Type II for the first time, with a security team of two to six people, the audit-defensible CTI pattern in 2026 is:
Open-source feeds
NIST NVD, MISP CIRCL, abuse.ch ThreatFox and MalwareBazaar, AlienVault OTX. Ingestion via MISP modules.
Commercial feed (entry tier)
SOCRadar entry tier or Recorded Future Core if budget permits. Pipe into MISP for unified evidence.
Knowledge graph
OpenCTI Community, self-hosted. Use its Organisations model for multi-tenancy if you serve customers.
Detection content
SOC Prime free tier or Sigma rule corpus for SIEM-portable detections. Author custom rules in Git with CTI source comments.
Case management
TheHive Community or Jira Service Management. Mandatory enrichment-summary field before close.
LLM enrichment (optional)
Claude API for alert summarisation and case-note drafting. Human acknowledgement required before close. Log prompts and responses for 90 days.
Documentation
Feed inventory, rule review log, IR playbook with CTI references. Stored in your audit-evidence repository (Drata, Vanta, or git folder).
Total cost: $300 to $2,500 per month plus one analyst FTE for operations. Sufficient evidence for a Type II Common Criteria audit at most SaaS companies in 2026. Scale up to commercial feeds when audit scope or customer-trust evidence requires it.
FAQ
Does SOC 2 require a threat intelligence feed?
No, the AICPA Trust Services Criteria do not name a specific feed or vendor. CC7.1 (detection of configuration changes), CC7.2 (anomaly monitoring), and CC7.3 (event evaluation) require that the service organisation identify and respond to security events. A threat intelligence feed is one of the most defensible evidence sources for those criteria, particularly for CC7.2 anomaly monitoring, because it gives auditors a documented IoC source the SOC team correlates against. Organisations with no CTI evidence often pass SOC 2 if their SIEM detection rules are well documented, but auditors increasingly probe whether the rule set is informed by current threat data.
Which CTI evidence holds up best in a SOC 2 audit?
Auditors weight three things heavily: documented IoC ingestion (where the data came from, how often it updates, who reviews it), evidence the IoCs are correlated against your environment (SIEM alert rules, EDR detection content, network IDS feed), and a closed-loop case record showing IoC hits were investigated. A commercial feed (Recorded Future, Mandiant) plus a SIEM correlation with TheHive or Jira case records typically passes a Big Four SOC 2 Type II without follow-up. An OSS-only stack with MISP plus OpenCTI plus TheHive also passes provided the documentation is rigorous and TLP handling is auditable.
Can OSS threat intel evidence pass a SOC 2 Type II?
Yes. MISP, OpenCTI, TheHive, and Cortex are all auditable on their own merits. What matters is the documented operational rigour around them: data-source list, ingestion frequency, TLP classification scheme, alert correlation flow, case management policy, and analyst review cadence. Auditors are equally happy with OSS evidence as with commercial provided the documentation is consistent. The risk with OSS-only programmes is operational continuity (one analyst leaves and the stack falls behind) rather than the technology itself.
Does an LLM enrichment layer create new SOC 2 audit risk?
It can. Auditors increasingly ask about AI in the control environment: which decisions does the LLM make, what is the human review gate, what is the audit trail for prompt and response, what happens when the LLM is wrong. If an LLM auto-classifies an alert and the alert is missed, the auditor wants to see the human review point. The defensible pattern is to use the LLM for drafting (enrichment, summarisation, case notes) with human approval before any action. Document the prompt scope, retention period for LLM input and output, and the fallback when the LLM is unavailable.
What does threat intel for SOC 2 cost in 2026?
Three tiers in practice. OSS-only is $300 to $1,500 per month in infrastructure plus analyst time, and is sufficient evidence for many Type I audits and lighter Type II scopes. OSS plus one commercial feed (SOCRadar entry tier, Recorded Future Core) lands at $50,000 to $120,000 per year and is the median in 2026 for SaaS companies pursuing Type II with a Big Four auditor. Premium commercial stack (Recorded Future Elite plus Mandiant Advantage plus brand-protect tooling) is $250,000 plus per year and is justified mainly when the audit scope includes enterprise customer trust evidence.