SOC 2 Consultants for On-Prem and Hybrid Infrastructure

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed April 10, 2026

Most SOC 2 consultants know AWS. Some know Azure and GCP. Very few know what to do when your stack includes a colocation facility, a bare-metal fleet, Palo Alto or Check Point firewalls, F5 load balancers, VMware or Proxmox hypervisors, or a hybrid deployment where the control plane is in AWS and the workload runs in a cage in Ashburn or Toronto.

That is the gap we fill. The same evaluation criteria for choosing a SOC 2 consultant apply here, but with an additional filter: infrastructure experience matters. Our team has spent decades building and securing traditional data center environments, from Cisco switching fabrics and Palo Alto perimeters to F5 application delivery and Dynatrace observability. We have run SOC 2 readiness engagements across enterprise-grade infrastructure and open-source stacks alike. We understand what an auditor will ask for when your evidence does not come from a cloud API.

Why on-prem SOC 2 is different

The SOC 2 Trust Services Criteria do not change when you run on-prem. What changes is the evidence and the control design.

Key Difference

A SOC 2 consultant who has only run AWS engagements will miss the physical security, network security, and infrastructure evidence requirements unique to on-prem, or worse, will write controls that do not match how your team actually operates.

Physical security becomes real. In AWS, CC6.4 is answered by the SOC report of your cloud provider. In a colocation facility, you have to document badge access, cage locks, camera coverage, visitor logs, and the physical security policy of the colo itself. Most SOC 2 consultants have never written these controls.

Network security is not a VPC with security groups. It is a Palo Alto, Check Point, or Cisco firewall, a set of VLANs, network segmentation rules, and an IDS/IPS deployment you actually have to operate. Auditors want to see the firewall rule change process, not a Terraform plan.

Backup and recovery require evidence of the physical restore. You cannot point at an S3 lifecycle policy. You have to show backup jobs running, restore tests completing, and offsite copies arriving at a second location.

Logging and monitoring is a pipeline you built. Wazuh, Security Onion, Loki, Elastic, Splunk, or some combination. You own the ingestion, the retention, the alerting, and the runbook. Auditors want to see the end-to-end story.

Patch management is a process, not an API call. You are patching hypervisors, network gear, storage, and operating systems on your own schedule. The control has to be documented and evidenced.

Watch Out

Controls that pass on paper but fail on the first customer deep dive are the most common outcome when an AWS-only consultant tries to run an on-prem SOC 2 engagement.

Who we work with

ON-PREM SOC 2 CLIENTS

SaaS companies running on colocation or bare metal

The largest group. Companies that picked on-prem for cost, performance, data residency, or sovereignty reasons, and now need SOC 2 for enterprise deals.

Infrastructure and hosting providers

Companies whose product is the infrastructure. OVH customers, Leaseweb customers, managed hosting providers, regional ISPs adding managed services.

Hybrid deployments

Control plane in AWS or Azure, workloads on-prem or in colo. The hybrid story is where most SOC 2 consultants get lost.

Regulated on-prem operators

Healthtech running HIPAA on dedicated hardware, financial services with legacy core systems, Canadian and EU companies with data residency obligations.

Our on-prem specialty: not a marketing claim

Our team has built and secured infrastructure at organizations processing hundreds of billions in daily transactions, using Cisco, Palo Alto, Check Point, F5, and enterprise monitoring platforms like Dynatrace and Splunk. We also run a working lab with Proxmox, firewall appliances, Wazuh, and Security Onion to test and validate every control pattern before recommending it to clients. We work across the full spectrum, from enterprise-grade commercial stacks to cost-effective open-source alternatives.

Published reference architecture and control mappings

  • SOC 2 readiness on bare metal SaaS
  • SOC 2 vulnerability scanning for on-prem environments
  • SOC 2 network security for on-prem
  • SOC 2 configuration baselines for bare metal
  • Security logging and monitoring architecture
  • SOC 2 ticketing, SLA, vulnerability, and incident response workflows

How we work

We offer four engagement types so on-prem operators can pick the right entry point.

ENGAGEMENT TYPES

Assess

A standalone gap assessment of your on-prem or hybrid environment against the SOC 2 Trust Services Criteria. Roadmap, scope statement, and an honest read on your timeline. Useful if you want a third-party opinion before committing to a Build.

Build

The implementation engagement. Fixed scope, fixed price, 8 to 12 weeks. Output: a working security program, control matrix specific to your physical and network stack, custom policies, GRC platform configured if you want one, evidence collection running, and a readiness report. Delivered by a senior consultant with real infrastructure experience, not a junior associate who has only seen AWS.

Operate

Ongoing program management between audit cycles. Continuous evidence collection, vendor reviews, security training, internal audit, and external audit management. Operate is what gets you from Type I to Type II and keeps the program from decaying when you have a hardware refresh, a colo move, or a hypervisor upgrade.

ABO (Assess + Build + Operate)

Annual fixed-price subscription that bundles all three plus external audit management, optionally with a GRC platform license and annual penetration test for SOC 2. ABO is for on-prem operators who want one number on the budget line and one accountable team running the whole program.

GRC Platform is Optional

Some on-prem clients prefer to run the program on policies, runbooks, and process documentation rather than a SaaS platform. We support either approach in Operate and ABO engagements.

Pricing

We do not publish fixed prices because every infrastructure footprint scopes differently. For a complete breakdown of all four cost components, see the SOC 2 cost and timeline guide. Typical ranges from competent consultants in this market:

Engagement       | Typical range
-----------------|------------------------------------------------------------------------------
Assess           | From a few thousand up to $15,000+ for multi-site deep dives
Build            | From around $20,000 for single-site SMB up to $75,000+ for enterprise
Operate          | Monthly subscription scoped to your program size, frameworks, and audit cadence
ABO Subscription | Annual fixed price, from around $45,000 for SMB up to enterprise figures

We give every prospect a fixed-price quote on the scoping call.

What the Build covers for on-prem environments

BUILD DELIVERABLES

1. Scope definition including physical locations

Which cages, which racks, which circuits, which third-party facilities. Defensible to an auditor who will ask.

2. Physical security controls

Badge access, visitor management, camera retention, cage locks, environmental monitoring. Written for your actual facility, not a template.

3. Network security controls

Firewall rule management (Palo Alto, Check Point, Cisco, or open-source), segmentation design, VPN access, remote admin paths, IDS/IPS operations. We review your actual firewall config.

4. Host hardening baselines

CIS Benchmarks mapped to your OS and hypervisor. We document the baseline and set up the evidence collection.

5. Vulnerability management on-prem

Scanner selection (OpenVAS, Nessus, Tenable), scan schedules, remediation SLAs, evidence trail.

6. Backup and disaster recovery evidence

Backup job monitoring, restore test cadence, offsite verification, RTO/RPO documentation.

7. Logging and monitoring architecture review

We assess your current pipeline and fill gaps. Wazuh, Security Onion, Splunk, Elastic, Loki. Pick your poison; we have worked with all of them.

8. Change management for infrastructure

Hypervisor patches, firewall changes, hardware replacements. A process auditors will accept.

9. Incident response for on-prem

Runbooks that account for the fact that you cannot just redeploy from CI when something breaks.

10. Vendor and third-party controls

Colocation providers, ISPs, hardware vendors, managed services. SOC 2 still requires vendor management, and it looks different for on-prem.

What we do (and do not do)

  • We implement GRC platforms for on-prem and hybrid environments. Vanta, Drata, Scrut, Secureframe, Sprinto. We are certified implementers and can resell licenses or work with one you already own. We will recommend the platform that fits your stack.
  • We do not tell clients to move to AWS to make SOC 2 easier. If on-prem is the right choice for your product, economics, or data residency, we make it work.
  • We do not write control language that reads like it was cut from an AWS template and pasted onto your colo deployment.
  • We do not skip physical walkthroughs. If your facility is within reach, we will visit. If it is not, we will do a remote walkthrough with your team on video.
  • We work with reputable auditors who understand on-prem. Most of our engagements come back from audit with no findings. We cannot guarantee that outcome because the program is ultimately yours to run, but we can guide you to a place where a clean report is the most likely result.

Build an Effective Security Program

On-prem SOC 2 engagements led by consultants who understand real infrastructure.

Frequently Asked Questions

Can we get SOC 2 on bare metal or colocation?

Yes. The SOC 2 Trust Services Criteria are infrastructure-agnostic. What changes is the evidence and the control design. We have done this for multiple clients and published the reference architecture publicly.

Is SOC 2 harder for on-prem than for AWS?

Harder is the wrong word. It is different. You have more control over the stack, which means you can design better controls, but you are responsible for more evidence. Teams that understand their infrastructure deeply often find on-prem SOC 2 easier because the evidence is already in their operational runbooks.

Do you work with hybrid deployments?

Yes. Hybrid is where most SOC 2 consultants get lost because they have to split the control narrative between cloud and on-prem components. We design the control matrix so each control clearly states which environment it applies to and how the evidence flows.

What infrastructure platforms do you have experience with?

Enterprise and open-source. Cisco, Palo Alto, Check Point firewalls. F5 load balancers. VMware and Proxmox hypervisors. Dynatrace, Splunk, Elastic, Wazuh, Security Onion for monitoring. We run an open-source lab for testing and have decades of experience with enterprise-grade commercial platforms.

What about HIPAA, ISO 27001, or CPCSC alongside SOC 2 on-prem?

We run combined engagements when the overlap is material. HIPAA overlaps heavily with SOC 2 and we often bundle them. ISO 27001 is a natural companion and is typically 30 percent cheaper when done together with SOC 2. CPCSC is a Canadian federal contractor requirement we cover separately but can integrate.

How do you price on-prem engagements?

SMB Builds start at around $20,000, the same range as our standard SOC 2 offering. On-prem work does not automatically cost more. What can push the price up is the number of physical sites, the number of frameworks in scope, and enterprise complexity (multi-data-center, regulated industries, multi-region). We quote each engagement with fixed scope and fixed price after a 30-minute scoping call.

Are you only Canadian?

Based in Canada, working across North America. Most of our on-prem clients are in Canada and the US. We have done remote and on-site engagements in both countries.

Do you handle the auditor for us?

Yes. We act as the main point of contact between you and the auditor. We handle auditor communication, organize and submit evidence, defend your scope when it gets challenged, push back when an evidence request is overreaching, and walk the auditor through your control narrative. The audit firm is independent by design, but you are not on your own in the room.

Ready to Start Your Compliance Journey?

Get a clear, actionable roadmap with our readiness assessment.


About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
