The Compliance Trap: Passing Audits Is Not the Same as Being Secure

SOC 2, ISO 27001, and PCI all measure something useful. None of them measure whether you can be hacked tomorrow.

BugSwagger Team

Founders and CISOs hear about security in two contexts. The first is compliance — SOC 2, ISO 27001, HIPAA, PCI-DSS. The second is risk — would we survive a breach? The unfortunate reality is that these two conversations have less overlap than people assume.

What compliance frameworks actually verify

Frameworks verify process. They check that you have policies. That you've assigned responsibilities. That you've documented your controls. That you review them periodically.

What they don't verify is whether those controls actually work against an attacker.

You can be SOC 2 Type II compliant with an application that's full of holes. As long as you have a policy for vulnerability management, evidence that you ran a scanner, and tickets in your system, the auditor signs off. They're not, and were never meant to be, security testers.

The companies that conflate the two

We're sometimes hired by companies that just passed their audit and want to confirm everything is good. The conversation tends to go the same way:

  • "We have SOC 2 Type II — we're audited."
  • "What did the audit test for?"
  • "…the controls."
  • "Which controls?"
  • "The ones in our policy."

And then, two weeks later, we hand them a report with critical findings — none of which the audit would have caught, because the audit wasn't looking for them.

What compliance is good at

To be clear: frameworks aren't useless. They're excellent at:

  • Forcing operational hygiene — backups, access reviews, change management.
  • Demonstrating to customers and procurement teams that you take security seriously.
  • Creating internal pressure to fund the boring-but-necessary controls (logging, MFA enforcement, etc.).
  • Standardizing your posture so it can be compared to peers.

None of those should be discounted. They have real value. They just aren't a security test.

What you need on top

The companies with the best actual security posture treat compliance and adversarial testing as complementary, not interchangeable. They run their certifications to satisfy external requirements and they hire independent testers to break their systems. The findings rarely overlap. Both are necessary.

A practical split:

  • Compliance audits — annual, covering controls, policies, evidence.
  • Pentests — annual or biannual, covering your most critical applications.
  • Targeted reviews — quarterly or per-launch, covering new features.
  • Bug bounty — continuous, covering anything internet-facing.

Each of these tells you something different. None of them replaces the others. The most expensive lesson in this industry is finding out, the hard way, where one ends and the others begin.

Found this helpful?

Want a hand-tested assessment for your own stack?

Tell us what you're protecting — we'll respond within one business day with a scoped proposal written by a pentester.