Project overview
A 60-engineer SaaS company needed to retire a flaky VPN, harden their AWS accounts and reach SOC 2 Type II without slowing the team down.
Challenges
- VPN-based access model that didn't scale and frustrated engineers
- Inconsistent IAM and account baselines across environments
- No 24/7 detection and response capability
Our approach
We replaced the VPN with identity-aware access, hardened the AWS landing zone, and stood up continuous detection mapped to SOC 2 controls.
Zero-trust access
- Replaced the VPN with Okta-backed identity-aware proxies
- Enforced device posture and short-lived credentials for cloud access
AWS hardening
- Codified guardrails with SCPs and Config rules
- Centralized logging and key management in a dedicated security account
Detection & response
- Stood up a SIEM with 24/7 monitoring and on-call rotations
- Wrote and tested runbooks for the most likely incident classes
Outcomes
- Passed SOC 2 Type II on the first attempt
- VPN fully retired across the engineering org
- 24/7 detection coverage with documented response runbooks