SOC 2 Audits
TLS Evidence for CC6.7 in Minutes
SOC 2 doesn’t prescribe specific TLS versions, but auditors test CC6.7 against current NIST and industry standards. Deprecated protocols, weak ciphers, and missing forward secrecy show up as exceptions in the report, and enough of them risk a qualified opinion. SSLBoard produces the evidence that shows CC6.7 is met, or surfaces what needs fixing before your audit window opens.
One scan covers the requirements that matter
Enter a domain and SSLBoard discovers every hostname and TLS endpoint across your infrastructure using Certificate Transparency logs and active server probing. Each finding maps to CC6.7:
- CC6.7, encryption in transit: Full TLS version and cipher suite analysis across every endpoint. TLS 1.0, TLS 1.1, SSL, RC4, DES, 3DES, NULL, EXPORT, and anonymous suites are flagged, each a de facto audit failure against CC6.7 under current auditor expectations.
- CC6.7, forward secrecy: Missing ECDHE or DHE key exchange is a CC6.7 observation. Every endpoint is tested for forward secrecy support and results are reported per hostname.
- Certificate inventory: Full inventory of issuers, key strength, SAN coverage, and expiry dates. Shadow and forgotten subdomains discovered via Certificate Transparency logs. An unknown endpoint is an audit risk, and one an attacker can exploit before your next pen test.
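The protocol, cipher and forward secrecy checks in the list above, as an added Python example (not SSLBoard's code or output). The hostnames and scan rows are constructed, and the OpenSSL-style protocol labels and finding strings are assumptions of this example. It accepts both IANA and OpenSSL suite names and treats TLS 1.3 as forward secret, since TLS 1.3 suite names carry no key exchange.

```python
import re

# Protocol labels follow OpenSSL's naming (an assumption of this example).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

def assess(protocol, suite):
    """Return sorted findings for one accepted protocol / cipher suite pair."""
    # Split IANA (TLS_RSA_WITH_...) or OpenSSL (ECDHE-RSA-...) names into tokens.
    t = set(re.split(r"[_\-]", suite.upper()))
    found = set()
    if protocol in WEAK_PROTOCOLS:
        found.add("deprecated protocol " + protocol)
    if "RC4" in t:
        found.add("RC4")
    if t & {"3DES", "CBC3"}:            # OpenSSL writes 3DES as DES-CBC3
        found.add("3DES")
    elif t & {"DES", "DES40"}:
        found.add("DES")
    if "NULL" in t:
        found.add("NULL encryption")
    if t & {"EXPORT", "EXP"}:
        found.add("EXPORT-grade")
    if t & {"ANON", "ADH", "AECDH"}:
        found.add("anonymous key exchange")
    # TLS 1.3 suite names omit the key exchange; its full handshake is always
    # (EC)DHE. Static DH/ECDH tokens do not count as forward secret.
    if protocol != "TLSv1.3" and not t & {"ECDHE", "DHE", "EDH"}:
        found.add("no forward secrecy")
    return sorted(found)

def report(rows):
    """Map each host:port to the union of findings over everything it accepts."""
    out = {}
    for endpoint, protocol, suite in rows:
        out.setdefault(endpoint, set()).update(assess(protocol, suite))
    return {ep: sorted(f) for ep, f in out.items()}

# Constructed sample rows: (host:port, protocol, accepted suite).
SAMPLE_SCAN = [
    ("www.example.test:443", "TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    ("www.example.test:443", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("legacy.example.test:443", "TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("legacy.example.test:443", "TLSv1", "DES-CBC3-SHA"),
    ("mail.example.test:465", "TLSv1.1", "TLS_DH_anon_WITH_RC4_128_MD5"),
]

if __name__ == "__main__":
    for endpoint, findings in report(SAMPLE_SCAN).items():
        print(endpoint, findings or "clean")
```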
Why auditors use external scans
SOC 2 auditors don’t take your word for your TLS configuration. They run external scans. This report shows the same view they’ll see, which means you can find and fix gaps before they write them up as exceptions.
CT logs are a public record containing every certificate a CA has ever issued for your domain, including ones on hosts your asset inventory doesn’t track. A subdomain you don’t know about is one an auditor can document in the report.
There’s nothing to install and nothing changes on your servers. The scan runs entirely from outside.
From scan to evidence
- Enter the apex domain. SSLBoard finds every hostname and probes every TLS endpoint.
- The summary report shows your TLS score and a ranked list of every issue found. It’s free.
- Unlock the full report for host-level detail. Download CSV data or share a link directly with your auditor.
The full report covers certificate chains, issuer distribution, protocol versions, cipher suites, key strength, HSTS status, OCSP revocation, forward secrecy status, and adjacent-domain discovery, all mapped to specific hostnames and IP:port combinations.
Fits the audit workflow
Share a link directly with your auditor. They get the same view you see, with no screenshots to take and no CSVs to email.
Multi-tenant SaaS platforms with large subdomain footprints are scanned the same way as single-domain startups. The scan handles both.
Confirm your email once. After that, share the full report link with as many people as need it.
Info
Need to see what the report looks like for your domain? Run a free scan — the summary report is instant, and the full report unlocks after email confirmation.