soc2-evidence-collector
Generate SOC2 evidence collection checklists, automate evidence gathering scripts, and produce audit-ready evidence packages. Covers all 5 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Use when preparing for SOC2 Type I/II audits, maintaining continuous compliance, or building evidence collection automation. Built by AfrexAI.
Best use case
soc2-evidence-collector is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using soc2-evidence-collector should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/afrexai-soc2-evidence-collector/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
How soc2-evidence-collector Compares
| Feature / Agent | soc2-evidence-collector | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# SOC2 Evidence Collector
Automate evidence gathering for SOC2 Type I and Type II audits across all 5 Trust Service Criteria.
## When to Use
- Preparing for an upcoming SOC2 audit (Type I or Type II)
- Building continuous compliance evidence pipelines
- Auditor requests evidence and you need to gather it fast
- Onboarding a new client who requires SOC2 compliance proof
- Annual evidence refresh cycle
- Gap analysis before engaging an audit firm
## Input
Gather these from the user before generating:
### Required
1. **Audit type**: Type I (point-in-time) or Type II (over a period, typically 3-12 months)
2. **Trust Service Criteria in scope**: Security (CC — always required), plus any of: Availability, Processing Integrity, Confidentiality, Privacy
3. **Cloud provider(s)**: AWS, GCP, Azure, multi-cloud, on-prem, hybrid
4. **Primary tech stack**: languages, frameworks, CI/CD, IaC tools
5. **Team size**: engineering + ops headcount
### Optional
- Current compliance certifications (ISO 27001, HIPAA, PCI-DSS, etc.)
- Audit firm name and timeline
- Previous audit findings or gaps
- Specific control frameworks already mapped (NIST 800-53, CIS, etc.)
- SSO/IdP provider (Okta, Azure AD, Google Workspace, etc.)
## Evidence Categories
### CC — Common Criteria (Security) — Always In Scope
#### CC1: Control Environment
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Org chart with security roles | HR system / Confluence | Manual export quarterly |
| Security policy documents | Policy repo / wiki | Git log showing annual review |
| Code of conduct acknowledgments | HR system | Export signed acknowledgments |
| Board/management meeting minutes on security | Calendar + notes | Screenshot + agenda export |
| Risk assessment documentation | GRC tool / spreadsheet | Export current risk register |
#### CC2: Communication and Information
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Security awareness training records | LMS / training platform | Completion report export |
| Onboarding security checklist | HR system | Template + completion logs |
| Incident communication procedures | Runbook / wiki | Version-controlled doc with review history |
| External communication policies | Policy repo | Git log + approval records |
#### CC3: Risk Assessment
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Annual risk assessment report | GRC tool | PDF export with sign-off |
| Vendor risk assessments | Vendor management tool | Export assessment records |
| Penetration test reports | Security vendor | PDF reports with remediation tracking |
| Vulnerability scan results | Scanner (Qualys, Nessus, etc.) | Automated export, monthly |
#### CC4: Monitoring Activities
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| SIEM dashboards and alert configs | Datadog / Splunk / CloudWatch | Screenshot + config export |
| Uptime monitoring evidence | Pingdom / Datadog / UptimeRobot | Monthly uptime reports |
| Log retention configuration | Cloud provider console | Config export / IaC snippet |
| Anomaly detection rules | SIEM / monitoring tool | Rule export with change log |
#### CC5: Control Activities
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Access control matrix | IdP / IAM console | Export user-role mappings |
| MFA enforcement evidence | IdP admin console | Policy config screenshot |
| Firewall / security group rules | Cloud console / IaC | `terraform state` or console export |
| Encryption at rest configuration | Cloud console / IaC | Config export showing encryption enabled |
| Encryption in transit (TLS) | Load balancer / CDN config | Certificate + config export |
#### CC6: Logical and Physical Access Controls
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| User access reviews (quarterly) | IdP + spreadsheet | Review meeting notes + updated access list |
| Terminated user deprovisioning | IdP audit log | Export showing timely deactivation |
| SSH key / credential rotation logs | Secrets manager | Rotation event logs |
| Physical access logs (if applicable) | Building management | Badge access reports |
#### CC7: System Operations
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Change management records | Jira / GitHub PRs | Export merged PRs with approvals |
| CI/CD pipeline configuration | GitHub Actions / CircleCI | Config file export from repo |
| Deployment approval process | PR review settings | Branch protection rule screenshots |
| Incident response logs | PagerDuty / Opsgenie | Incident timeline exports |
| Backup configuration and test results | Cloud console / IaC | Backup policy + restore test logs |
#### CC8: Change Management
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| PR review requirements | GitHub / GitLab settings | Branch protection config |
| Code review evidence | GitHub PR history | Export PRs with review comments |
| Release notes / changelogs | Repo | CHANGELOG.md with version history |
| Rollback procedures | Runbook | Documented procedure with test evidence |
#### CC9: Risk Mitigation
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Business continuity plan | Policy repo | Document with annual review evidence |
| Disaster recovery test results | DR runbook | Test execution logs + results |
| Insurance certificates | Finance / legal | Current certificate copies |
| Sub-processor agreements | Legal / contract management | Signed DPAs + vendor list |
### A — Availability (If In Scope)
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| SLA definitions and monitoring | Product docs + monitoring | SLA doc + uptime dashboard exports |
| Capacity planning documentation | Architecture docs | Quarterly capacity review notes |
| Auto-scaling configuration | Cloud console / IaC | Config export |
| Incident response SLA adherence | PagerDuty / incident tracker | Response time reports |
| Redundancy / failover configuration | Cloud architecture | Architecture diagram + failover test logs |
### PI — Processing Integrity (If In Scope)
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Data validation rules | Application code / config | Code snippets + test results |
| QA / testing procedures | CI/CD pipeline | Test suite config + pass/fail reports |
| Error handling and correction procedures | Runbook / code | Error handling docs + incident examples |
| Data reconciliation reports | Application logs / reports | Monthly reconciliation output |
### C — Confidentiality (If In Scope)
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Data classification policy | Policy repo | Document with review history |
| NDA / confidentiality agreements | Legal / HR | Signed agreement copies |
| Data retention and disposal policy | Policy repo | Policy doc + disposal logs |
| DLP tool configuration | DLP tool admin | Config export + alert samples |
### P — Privacy (If In Scope)
| Evidence | Source | Collection Method |
|----------|--------|-------------------|
| Privacy policy (public) | Website | URL + version history |
| Data processing agreements | Legal | Signed DPAs |
| Consent management records | CMP / application | Consent log exports |
| Data subject request procedures | Policy repo / ticketing | Procedure doc + DSR ticket samples |
| Privacy impact assessments | GRC tool / docs | PIA reports for high-risk processing |
## Automation Scripts
When the user's stack is identified, generate shell scripts for automated evidence collection:
### AWS Evidence Collection (example)
```bash
#!/bin/bash
# SOC2 Evidence Collector — AWS
# Generated by AfrexAI SOC2 Evidence Collector skill
set -euo pipefail
EVIDENCE_DIR="soc2-evidence/$(date +%Y-%m-%d)"
mkdir -p "$EVIDENCE_DIR"/{iam,network,encryption,logging,compute}
echo "=== CC5: Access Controls ==="
aws iam get-account-summary > "$EVIDENCE_DIR/iam/account-summary.json"
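# Report generation is asynchronous: poll for COMPLETE instead of relying on a fixed sleep
for _ in 1 2 3 4 5 6 7 8 9 10; do
  state="$(aws iam generate-credential-report --query State --output text)"
  [ "$state" = "COMPLETE" ] && break
  sleep 2
done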
aws iam get-credential-report --output text --query Content | base64 -d > "$EVIDENCE_DIR/iam/credential-report.csv"
aws iam list-users --output json > "$EVIDENCE_DIR/iam/users.json"
aws iam list-policies --scope Local --output json > "$EVIDENCE_DIR/iam/custom-policies.json"
echo "=== CC5: Encryption at Rest ==="
aws rds describe-db-instances --query 'DBInstances[*].{ID:DBInstanceIdentifier,Encrypted:StorageEncrypted,KmsKey:KmsKeyId}' > "$EVIDENCE_DIR/encryption/rds-encryption.json"
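aws s3api list-buckets --query 'Buckets[*].Name' --output text | tr '\t' '\n' | while read -r bucket; do
  # One file per bucket: each result stays valid JSON and is attributable to its bucket
  out="$EVIDENCE_DIR/encryption/s3-$bucket.json"
  # Any failure (including AccessDenied) lands in the fallback, so stderr is kept for review
  aws s3api get-bucket-encryption --bucket "$bucket" > "$out" 2>> "$EVIDENCE_DIR/encryption/s3-errors.log" \
    || echo "{\"bucket\":\"$bucket\",\"encryption\":\"NONE\"}" > "$out"
done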
echo "=== CC4: Logging ==="
aws cloudtrail describe-trails > "$EVIDENCE_DIR/logging/cloudtrail-config.json"
aws cloudwatch describe-alarms --state-value ALARM > "$EVIDENCE_DIR/logging/active-alarms.json"
echo "=== CC5: Network Security ==="
aws ec2 describe-security-groups > "$EVIDENCE_DIR/network/security-groups.json"
aws ec2 describe-vpcs > "$EVIDENCE_DIR/network/vpcs.json"
echo "=== CC6: MFA Status ==="
aws iam list-virtual-mfa-devices > "$EVIDENCE_DIR/iam/mfa-devices.json"
echo "Evidence collected in $EVIDENCE_DIR"
echo "Review and redact sensitive values before sharing with auditors."
```
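One way to turn the collected `credential-report.csv` into findings for the MFA and credential-rotation rows of CC5/CC6, as an added example that is not part of the AfrexAI skill. The function names, the cutoff parameter and the sample rows are assumptions for illustration; the sample is constructed and trimmed to the columns the check reads.

```bash
#!/bin/bash
# Added example (not from the skill): review the IAM credential report CSV.
# Usage: credential_report_findings <credential-report.csv> <rotation-cutoff YYYY-MM-DD>
# Prints one "user<TAB>finding" line per issue. Columns are located by header name,
# so the full report and the trimmed sample below are handled the same way.
credential_report_findings() {
  awk -F',' -v cutoff="$2" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header name -> position
    {
      user = $(col["user"])
      mfa  = $(col["mfa_active"])
      if (user == "<root_account>") {
        if (mfa != "true") { print user "\troot account without MFA" }
      } else if ($(col["password_enabled"]) == "true" && mfa != "true") {
        print user "\tconsole password without MFA"
      }
      for (k = 1; k <= 2; k++) {
        active  = $(col["access_key_" k "_active"])
        rotated = substr($(col["access_key_" k "_last_rotated"]), 1, 10)   # date part only
        if (active != "true") { continue }
        if (user == "<root_account>") {
          print user "\troot access key " k " is active"
        } else if (rotated < cutoff) {          # ISO dates compare correctly as strings
          print user "\taccess key " k " not rotated since " rotated
        }
      }
    }
  ' "$1"
}

# Constructed sample rows (hypothetical users), not real report output.
sample_credential_report() {
  cat <<'EOF'
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,true,false,N/A,false,N/A
alice,true,true,true,2025-11-02T09:14:00+00:00,false,N/A
bob,true,false,false,N/A,false,N/A
ci-deploy,false,false,true,2024-03-20T17:40:11+00:00,false,N/A
EOF
}

# Demo run against the sample with a fixed cutoff date.
demo_csv="$(mktemp)"
sample_credential_report > "$demo_csv"
credential_report_findings "$demo_csv" 2025-06-01
rm -f "$demo_csv"
```

Against a real collection run, pass `"$EVIDENCE_DIR/iam/credential-report.csv"` and the date that matches your rotation policy.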
### GitHub Evidence Collection (example)
```bash
#!/bin/bash
# SOC2 Evidence Collector — GitHub
set -euo pipefail
ORG="${1:?Usage: $0 <github-org>}"
EVIDENCE_DIR="soc2-evidence/$(date +%Y-%m-%d)/github"
mkdir -p "$EVIDENCE_DIR"
# Fetch the repo list once. Piping a paginated `gh api` call into `head` can kill gh with
# SIGPIPE once head exits, which aborts the script under `set -euo pipefail`.
REPO_LIST="$EVIDENCE_DIR/repos.tsv"
gh api "/orgs/$ORG/repos" --paginate --jq '.[] | [.name, .default_branch] | @tsv' > "$REPO_LIST"
echo "=== CC8: Branch Protection ==="
while IFS=$'\t' read -r repo branch; do
  # Query each repo's default branch rather than assuming it is called main
  gh api "/repos/$ORG/$repo/branches/$branch/protection" 2>/dev/null > "$EVIDENCE_DIR/${repo}-branch-protection.json" || true
done < "$REPO_LIST"
echo "=== CC7: Recent Deployments ==="
# Sample: first 10 repos only
head -10 "$REPO_LIST" | while IFS=$'\t' read -r repo _; do
  gh api "/repos/$ORG/$repo/deployments?per_page=10" > "$EVIDENCE_DIR/${repo}-deployments.json" 2>/dev/null || true
done
echo "=== CC8: PR Review Evidence ==="
# Sample: last 20 merged PRs from the first 10 repos
head -10 "$REPO_LIST" | while IFS=$'\t' read -r repo _; do
  gh pr list --repo "$ORG/$repo" --state merged --limit 20 --json number,title,mergedAt,reviewDecision > "$EVIDENCE_DIR/${repo}-merged-prs.json" 2>/dev/null || true
done
echo "=== CC5: Org Security Settings ==="
gh api "/orgs/$ORG" --jq '{two_factor_requirement: .two_factor_requirement_enabled, default_permissions: .default_repository_permission}' > "$EVIDENCE_DIR/org-security.json"
echo "Evidence collected in $EVIDENCE_DIR"
```
## Output Format
Generate a structured evidence package:
```
soc2-evidence/
├── README.md # Overview, scope, period, auditor info
├── evidence-matrix.md # Full checklist with status (collected/pending/N-A)
├── collection-scripts/
│ ├── collect-aws.sh
│ ├── collect-github.sh
│ ├── collect-idp.sh
│ └── collect-monitoring.sh
├── gap-analysis.md # Missing evidence + remediation steps
└── schedule.md # Evidence collection calendar (what to refresh when)
```
### evidence-matrix.md Format
```markdown
| # | Control | Evidence | Status | Source | Last Collected | Notes |
|---|---------|----------|--------|--------|---------------|-------|
| CC1.1 | Org chart | org-chart-2026-Q1.pdf | ✅ Collected | HR export | 2026-01-15 | |
| CC5.3 | MFA enforcement | mfa-config.json | ✅ Automated | IdP API | 2026-03-17 | Script: collect-idp.sh |
| CC3.2 | Pen test report | — | ⏳ Pending | External vendor | — | Due 2026-04-01 |
```
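A sketch of how the gap list for `gap-analysis.md` could be derived from a matrix in this format, as an added example that is not part of the AfrexAI skill. The function names, the staleness cutoff and the N-A row are assumptions; the other sample rows are the ones shown above.

```bash
#!/bin/bash
# Added example (not from the skill): list evidence gaps from evidence-matrix.md.
# Usage: matrix_gaps <evidence-matrix.md> <stale-before YYYY-MM-DD>
# Prints "id<TAB>reason" for rows that are pending, undated, or last collected
# before the cutoff (relevant for Type II, where evidence must cover the period).
matrix_gaps() {
  awk -F'|' -v stale="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    {
      id = trim($2); status = trim($5); last = trim($7); notes = trim($8)
      if (id == "" || id == "#" || id ~ /^-+$/) { next }   # header, separator, non-table lines
      if (status ~ /N-A/) { next }                          # control not applicable
      if (status ~ /Pending/) {
        print id "\tpending" (notes != "" ? " (" notes ")" : "")
      } else if (last !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) {
        print id "\tno collection date recorded"
      } else if (last < stale) {                            # ISO dates compare as strings
        print id "\tstale, last collected " last
      }
    }
  ' "$1"
}

# Sample matrix: the three rows from the format above plus one constructed N-A row.
sample_matrix() {
  cat <<'EOF'
| # | Control | Evidence | Status | Source | Last Collected | Notes |
|---|---------|----------|--------|--------|---------------|-------|
| CC1.1 | Org chart | org-chart-2026-Q1.pdf | ✅ Collected | HR export | 2026-01-15 | |
| CC5.3 | MFA enforcement | mfa-config.json | ✅ Automated | IdP API | 2026-03-17 | Script: collect-idp.sh |
| CC3.2 | Pen test report | — | ⏳ Pending | External vendor | — | Due 2026-04-01 |
| P1.1 | Privacy notice | — | N-A | — | — | Privacy not in scope |
EOF
}

# Demo run against the sample with a fixed cutoff date.
demo_matrix="$(mktemp)"
sample_matrix > "$demo_matrix"
matrix_gaps "$demo_matrix" 2026-02-01
rm -f "$demo_matrix"
```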
## Workflow
1. Gather inputs (audit type, scope, stack, team size)
2. Generate the full evidence matrix for in-scope criteria
3. Mark known evidence sources based on their stack
4. Generate collection scripts for automated gathering
5. Identify gaps and generate remediation recommendations
6. Create an evidence collection schedule (daily/weekly/monthly/quarterly)
7. Output the complete evidence package
## Tips for Users
- **Start 3-6 months before audit**: evidence gaps take time to fill
- **Automate early**: scripts that run monthly save panic before audit
- **Version everything**: auditors love seeing change history
- **Don't fake it**: missing evidence is better than fabricated evidence
- **Continuous > point-in-time**: Type II requires sustained evidence over the audit period
- **Tag evidence**: use consistent naming so auditors can self-serve
## AfrexAI Note
This skill generates the framework and automation scaffolding. For hands-on SOC2 audit preparation with managed AI agents handling continuous evidence collection, monitoring, and auditor coordination — that's what AfrexAI's AI-as-a-Service delivers. Contact us at hello@afrexai.com.