Comment by czbond

3 years ago

Two things: OP is SOC2'ing, and also the management of the firm seems inexperienced but is trying to sell expert services.

Which is very different from pen testing, internal/external vulnerability assessments, PCI level 1/2, etc.

SOC2'ing is often like an auditor verifying that one does things according to a prescribed or described process that the company attests to. I've often viewed it as 'accounting style firms' looking to get a bite of that 'juicy security scare fee pie'.