Netcraft Obtains SOC 2 Type 2 Report
In February 2025, Netcraft received its first SOC 2 Type 2 report, with no exceptions noted. This report underscores Netcraft’s unwavering commitment to putting customer needs first, and we’re pleased to share how we reached this milestone.
With this SOC 2 Type 2 report, we are demonstrating to our customers and the community that we continue to be strongly committed to their security and compliance needs while we focus on providing digital risk protection and threat intelligence.
Background
Netcraft’s dedication to security has been foundational since day one—and it’s only grown stronger over time. As one of the early members of the PCI Approved Scanning Vendor (ASV) program and a former provider of security testing services, we’ve spent more than 20 years helping customers meet their own security and compliance goals. Our Web Data surveys provide us with a bird’s eye view of the Internet, which has given us a great deal of insight into what sites do right and wrong. We’ve also had unmatched visibility into some of the largest emerging network threats of our era, and we broadly share these findings.
In the PCI ASV program we developed and maintained our own scanning software and scanned thousands of customers' networks. Through this, and with the help of PCI Data Security Standard (PCI DSS), we learned the value of strong security controls like network segmentation, data minimisation, patching and secure defaults by seeing the impact that implementing these measures had on improving clients' network security. Similarly – in providing security consulting and testing services – we gained insight into secure design, risk assessments, and the value of third-party assurance. Netcraft has always built these principles into its systems and processes, but our primary focus has always been on clients' needs.
SOC 2 Compliance
SOC 2 is an auditing standard developed by the AICPA to help companies manage and protect customer data through effective internal controls. It is particularly important for technology companies and service providers, such as those in the software as a service (SaaS) industry, as it assures that they have effective security controls in place. SOC 2 audits cover principles known as Trust Services Criteria (TSC)—security, availability, processing integrity, confidentiality, and privacy—to ensure comprehensive protection and reliability of the service provider's systems.
As Netcraft’s product offerings evolved, so did our clients' needs. As the industry matured, the value of external compliance reporting became clear. Customers now want to see compliance reports from SaaS providers, and Netcraft looks to its vendors for similar assurances. In the SaaS space, the gold-standard compliance certification is SOC 2 due to its global recognition, standardised reporting, and flexibility. Netcraft committed to obtaining this coveted classification, which was achieved in February of 2025.
With the initial work on Type 1 completed in 2024, the team set its sights on SOC 2 Type 2 in 2024. In a Type 2 audit, all in-scope systems and services are sampled for a specific duration (the observation period) to determine whether the policies and procedures are being followed correctly. Populations which can be sampled include all current and terminated employees, all critical vendors, all software and infrastructure changes, all customer data deletions and any security incidents which took place in the observation period. These are then randomly sampled by the auditors to ensure policies were followed correctly. In addition, SOC 2 auditors require evidence that controls are implemented on all in-scope infrastructure and systems; this is provided through a combination of machine-generated and manually generated evidence and documentation, as well as walkthrough calls with the auditors. In Netcraft’s inaugural 6-month observation period (which ran from May 1 to October 31, 2024), our auditors found no exceptions to our policies and procedures and issued us with our SOC 2 Type 2 report in early 2025.
Conclusion
Netcraft’s SOC 2 Type 2 report marks the culmination of decades of commitment to security. In working towards Type 1 and Type 2 compliance, we were able to distill years of hard-won experience and knowledge into a succinct set of policies and procedures. We now have an externally assured report to share with external stakeholders, giving them confidence in our security posture.
If you’re a Netcraft customer and you would find our SOC 2 Type 2 report useful, please contact your account manager.