Michael Lubas, 2025-04-02
Developers use Paraxial.io to ensure their software is safe against cyberattacks. This protection is also required by many regulatory and compliance frameworks. System and Organization Controls 2 (SOC 2) was created by the American Institute of Certified Public Accountants (AICPA), and is a common requirement for SaaS businesses looking to sell into enterprise markets. Using Paraxial.io fulfills the following controls:
Risk Assessment
3.2 - Identify, analyze, and manage risk
3.3 - Consider the potential for fraud
3.4 - Identify and assess changes
Monitoring
4.1 - Evaluate internal controls are functioning
4.2 - Evaluate internal control deficiencies
Control Activities
5.1 - Mitigate risks to achieve objectives
5.2 - Technology controls to achieve objectives
Logical and Physical Access Control
6.1 - Implement security software
6.6 - Implement security for threats outside system
System Operations
7.1 - Detect changes that result in new vulnerabilities
7.2 - Monitor system for security events
Change Management
8.1 - Manage changes to software and infrastructure
Below is a detailed description of each control and how Paraxial.io fulfills it.
CC3.2: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
With Paraxial.io, you can quickly get an inventory of your deployed web applications, document if each application stores customer data and faces the public internet, and automatically scan each application for vulnerabilities.
CC3.3: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
With Paraxial.io, you can assess how vulnerable your applications are to fraudulent use (hacking attempts, bot attacks) and vulnerabilities specifically related to your projects.
CC4.1: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
You can set up Paraxial.io code scanning in your CI/CD pipeline to ensure all of your applications are being checked for security vulnerabilities. Then, once a week, you will receive an email summary showing that all your sites are being scanned.
CC4.2: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Similar to the above example, imagine the weekly summary email shows a repository is not being scanned. You can now communicate with senior management that the control is not being followed, and work with the relevant team to fix it.
CC5.1: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Paraxial.io mitigates the risk of OWASP Top 10 style hacking attempts, including SQL injection, remote code execution, cross-site scripting, and automated bot attacks that attempt to compromise user accounts. These are risks which would significantly impact the ability of an organization to function in the event of an incident.
CC5.2: The entity also selects and develops general control activities over technology to support the achievement of objectives.
Similar to the above example, Paraxial.io is used as a control activity over the technology infrastructure, to protect the entity’s assets from external threats.
CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
Paraxial.io is able to identify and manage the inventory of information assets (web applications), detect vulnerabilities, and prevent security incidents by ensuring the deployed applications are safe.
CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Paraxial.io is able to scan web servers for open ports, prevent vulnerabilities in web applications, and block automated bot attacks against servers and applications. If an external attacker is attempting to take over user accounts via a credential stuffing attack, Paraxial.io can monitor, detect, and block the attack.
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
Paraxial.io is able to detect server changes that open ports (via Network Scans) and code changes that introduce vulnerabilities (via Code Scans). If a vulnerability is discovered in a project’s dependency, Paraxial.io is also able to detect it. For Code Scans, a new scan can run in CI/CD on each code change (pull request).
CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
HTTP events can be ingested into the Paraxial.io backend for bot defense. For example, if one IP address attempts 100 login events in 60 seconds, that is a clear signal of a malicious security event, and will result in a ban.
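As an added illustration of the threshold rule described above (example code written for this page, not Paraxial.io's implementation), the following sliding-window detector flags any source IP that reaches 100 login attempts inside 60 seconds. The log line format, the IP addresses, and the POST /login path are assumptions used to build constructed sample data.

```python
# Added example: sliding-window login-rate detector (not Paraxial.io code).
from collections import defaultdict, deque

LOGIN_THRESHOLD = 100   # login attempts from one IP ...
WINDOW_SECONDS = 60     # ... within this many seconds triggers a ban


def parse_line(line):
    # Constructed log format (assumption): "<epoch_seconds> <ip> <method> <path> <status>"
    ts, ip, method, path, status = line.split()
    return int(ts), ip, method, path, int(status)


def is_login_attempt(method, path):
    # Assumption: logins are POSTs to /login
    return method == "POST" and path == "/login"


def detect_bans(lines, threshold=LOGIN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: timestamp_at_ban} for IPs that hit `threshold` login
    attempts within any `window`-second span. Events are processed in time order."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for ts, ip, method, path, _status in events:
        if not is_login_attempt(method, path) or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:   # evict attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = ts
    return banned


def make_sample_log():
    # Constructed sample: a fast attacker (100 attempts in 50 s), a slow
    # attacker (100 attempts spread over 200 s, never 100 in one window),
    # and a legitimate user with three spaced-out failed logins.
    lines = [f"{1000 + i // 2} 203.0.113.7 POST /login 401" for i in range(100)]
    lines += [f"{2000 + 2 * i} 203.0.113.9 POST /login 401" for i in range(100)]
    lines += [f"{1000 + 30 * i} 198.51.100.4 POST /login 401" for i in range(3)]
    lines.append("1500 198.51.100.4 GET /dashboard 200")
    return lines
```

Only the fast attacker is banned; the slow attacker stays under 100 attempts per 60-second window and would need a separate control.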
CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Paraxial.io is able to scan system changes for vulnerabilities, and report these findings to the relevant stakeholders (developers, management, board of directors).
Paraxial.io stops data breaches by helping developers ship secure applications. Get a demo or start for free.