SideGuy Thesis · Holding Broker Doctrine · Verified 2026-05-08

PJ said it out loud · 2026-05-08

Who in the hell is building a SOC 2 software aggregation service?
SideGuy.

7+ holding brokers in the SOC 2 category. Zero meta-matchmakers helping buyers pick the right one without ad-spend bias. SideGuy operates one layer up — operator-honest routing, partner-program economics, no SOWs, no enterprise procurement cycle. This is the thesis page.

7+ SOC 2 vendors · 14 SideGuy entity pages · 5 Partner programs in · 0 Other meta-matchmakers

✅ Verified 2026-05-08 · Operator-honest read · no vendor sponsorship clause overrides ranking
⚡ TL;DR · the SideGuy thesis in 30 seconds

SideGuy is Layer 2 to all enterprise/compliance software. The boxed SaaS vendors (Vanta · Drata · Secureframe · Salesforce · Datadog · OneTrust · etc.) are Layer 1 — they hold the auditor relationships, framework templates, integration recipes, and trust signals. Buyers can't realistically pick between them alone, and they certainly can't ask Vanta to spin up a custom shareable for a 2pm meeting.

SideGuy is the human-endpoint Layer 2: operator-honest second-opinion routing → custom builds the boxed software can't do → ongoing fractional intelligence → eventual implementation when the buyer decides to OWN their stack instead of renting it forever. Four-stage customer journey, monetized at every stage.

SOC 2 was the proof-of-pattern; the thesis applies across privacy/GDPR, vendor risk, HIPAA, trust centers, IAM, GRC — every multi-vendor enterprise/compliance category where 5-7 vendors compete and the buyer can't pick alone.

The 3-layer architecture

Layer 0 (the buyer) can't realistically evaluate 7 vendors. Layer 1 (the vendors) compete on marketing, not honest comparison. Layer 2 is structurally missing. SideGuy fills it.

Layer 0 — The buyer with the need

Founder / CTO / security lead at a Series A-C startup who needs SOC 2 to close a customer deal. Has budget. Has decision power. Doesn't have time to evaluate 7 vendors. What they actually need: "Tell me which one fits MY situation. I don't have 40 hours to compare them."

Layer 1 — The holding broker (Vanta / Drata / Secureframe / Sprinto / etc.)

Holds the auditor relationships (you don't pick an auditor cold). Holds the framework expertise (SOC 2 standard → checkbox UI). Holds the integration recipes (AWS / Okta / Rippling evidence collection). Holds the trust signal (the Vanta-verified badge enterprise buyers respect). What they want: the buyer to pick THEM specifically. Their website is a sales surface, not an honest comparison.

Layer 2 — The meta-matchmaker (SideGuy)

Operator-honest routing of Layer 0 to the right Layer 1. Same StubHub mechanism — the marketplace doesn't sell tickets, it routes buyers to the right seller. SideGuy doesn't sell compliance software, it routes buyers to the right vendor for THEIR stage, GTM, and stack. How it monetizes: partner referral programs (Vanta Service Partner, Drata Alliance Launch, Secureframe Service Partner — applications submitted 2026-05-08) PLUS cross-sell to adjacent SideGuy services, because compliance buyers are custom-service buyers too.

The two compounding flywheels

Layer 2 economics work because TWO independent flywheels compound from a single buyer acquisition. Most aggregators have only Flywheel 1.

Flywheel 1 · Vendor-side

The holding broker partner economics

SideGuy participates in vendor partner programs. When a buyer routes through SideGuy and engages a vendor, SideGuy receives a referral fee from the vendor's partner budget — not from the buyer's purchase price.

  • Vanta Customer Referral · $500 per closed referral
  • Vanta MSP Service Provider · revenue share on managed customers
  • Drata Alliance Launch · revenue share + co-marketing + MDF
  • Secureframe Customer Referral · $500 Amazon gift card per close
  • Secureframe Service Partner · rev share + co-sell

Flywheel 2 · Buyer-side

"Compliance buyers ARE custom buyers"

The same Series A-C founder buying SOC 2 is structurally a buyer for adjacent SideGuy services. Trust acquired through the SOC 2 routing converts to 4-5 cross-sell pathways per acquired buyer.

  • Private AI consulting · $5-20K engagement
  • Fractional CTO retainer · $3-8K/month
  • Custom shareables for outbound · $500-2K per page
  • CRE brokerage referral (if scaling office)
  • SBA loans / business lending advisory
  • Vanta/Drata implementation help (Service Partner layer)

The compound math · per acquired buyer

Moment                                     | Mechanism                  | SideGuy revenue
-------------------------------------------|----------------------------|-----------------
Buyer texts PJ for Drata warm intro        | Initial trust acquisition  | $0
PJ routes; Drata closes                    | Vendor referral fee        | $500 / rev share
6 weeks: buyer asks about private AI       | Cross-sell #1              | $5-20K
Ongoing: fractional CTO retainer           | Cross-sell #2              | $3-8K/mo
Quarterly: custom shareables for outbound  | Cross-sell #3              | $500-2K
Annual: refresh + adjacent vendor routing  | Maintenance + repeat fees  | $500-1K+

One acquired buyer LTV = 10-50x the initial vendor referral fee. The structural reason SideGuy has unit economics that pure-play comparison sites don't: the comparison page is the trust-acquisition mechanism, not the revenue mechanism. Revenue lives downstream.

The full 4-stage customer journey

Most vendor-channel businesses stop at Stage 1 (referral fee, then they're gone). SideGuy stays through all four. The 4-stage journey is the structural reason the buyer LTV math works.

Stage 1 · RENT · Rent the boxed software

Buyer: Picks Vanta / Drata / Salesforce / Datadog / OneTrust. Signs the contract. Starts paying. Realizes after a few months that they're now in a multi-year subscription with no exit.

SideGuy: Operator-honest second-opinion BEFORE the buyer signs. Warm-intro routes them to the right vendor for their actual situation, not whoever's website they landed on first.

SideGuy revenue · Vendor referral $$ ($500/close · rev share · etc.)

Stage 2 · CUSTOM · Custom builds the boxed software can't do

Buyer: Realizes the boxed SaaS doesn't cover everything. They need a custom shareable for a 2pm meeting. They need a one-off tool. They need a personal-use thing the vendor will NEVER build.

SideGuy: Operator-speed custom builds on top of the rented stack. Hours-not-weeks turnaround. Operator-honest scope. No enterprise procurement.

SideGuy revenue · Project engagements ($5K-$50K builds)

Stage 3 · HYBRID · Hybrid stack — rented + custom

Buyer: Now operating on a hybrid stack. Some processes stay on the boxed SaaS (working fine). Others run on SideGuy-built custom (where the boxed SaaS couldn't bend).

SideGuy: Ongoing operator partner — maintains custom layer, advises on what stays rented vs builds next. The fractional intelligence layer above the stack.

SideGuy revenue · Fractional retainer ($3K-$10K/month)

Stage 4 · OWN · Own the in-house intelligence stack

Buyer: Eventually decides "we should stop paying rent and own this." Builds in-house. Stops the boxed SaaS subscription where they can.

SideGuy: Implementation + intelligence layer — wires the "human-first intelligence" into the in-house stack. Even when buyers OWN the software, they still need the operator-translation layer.

SideGuy revenue · Implementation engagement + ongoing intelligence consulting (multi-year)

The killer insight: SideGuy's economics are aligned with the buyer's actual journey, not with locking them into one stage. Vendor partner fees flow during Stages 1-3 (they're still using the boxed SaaS); custom + implementation revenue flows during Stages 2-4 (they need build/operator help). No incentive to push the buyer where they shouldn't be.

The 2pm Meeting Test · why Stage 2 is INEVITABLE not optional

"They can't ask Vanta to spin up a shareable for a meeting at 2pm." — PJ · 2026-05-09

If a buyer needs something custom, fast, scoped to ONE specific moment — could they get it from Vanta / Drata / Salesforce / Datadog? No. Boxed SaaS vendors structurally cannot operate at that speed:

  • Their roadmaps move in quarters
  • Their product scope excludes 99% of one-off operator needs
  • Their customer-success cycles take weeks
  • Their unit economics require horizontal scope (one feature for thousands of customers, not one custom build per buyer)
  • Zero mechanism for personal-use tools or business-adjacent custom builds

SideGuy can. Architecture is built for one-off ergonomic flexibility (Worker pipe + AI-augmented build velocity + operator-led decisions, no committee). PJ ships custom shareables in ~30 minutes mid-conversation. That speed is the structural moat boxed SaaS cannot match.

This is why Stage 2 is INEVITABLE, not optional. Every buyer hits a 2pm-meeting moment eventually — when they need something custom, immediately, and realize their $20K/year SaaS subscription gives them zero help. That moment is the SideGuy entry point.

Where the doctrine extends

Every multi-vendor SaaS category where 5-7 holding brokers compete for the same buyer profile, and the cost of picking wrong is higher than the cost of an honest read.

Category              | Layer 1 holding brokers                                                                      | SideGuy status
----------------------|----------------------------------------------------------------------------------------------|---------------
SOC 2 / Compliance    | Vanta · Drata · Secureframe · Sprinto · Scytale · Scrut · Thoropass                          | ✓ Done
Privacy / GDPR        | OneTrust · DataGrail · Osano · Securiti · TrustArc · Transcend · Ketch                       | ✓ Done
Vendor Risk Mgmt      | Whistic · Panorays · UpGuard · SecurityScorecard · BitSight · Black Kite                     | ✓ Done
HIPAA / BAA           | Compliancy Group · Aptible · MedStack + cross-fw (Vanta/Drata) + BAA infra (AWS/Datadog/GCP) | ◐ Partial
Auth / IDP            | Auth0 · Clerk · WorkOS · Stytch · Cognito                                                    | ○ Pending
Email infrastructure  | SendGrid · Postmark · Resend · SES · Mailgun                                                 | ○ Pending
CRM                   | HubSpot · Salesforce · Attio · Pipedrive · Close                                             | ○ Pending
Analytics             | Amplitude · Mixpanel · Segment · Heap · PostHog                                              | ○ Pending
Payments              | Stripe · Square · Adyen · Braintree · Checkout.com                                           | ○ Pending
Trust Centers         | Vanta TC · SafeBase · Drata TC · SecurityPal                                                 | ○ Pending

The category is structurally empty for a reason. Affiliate-driven comparison sites (G2, Capterra) reflect ad-spend, not operator-honest fit. Industry analyst reports (Gartner, IDC) cost $5K+ and aren't accessible to the Series A-C buyer. YC's vendor recommendations are tribal, not analytic.

Operator-honest meta-matchmaking is empty because:

  1. The structural incentive against existing affiliate sites is real (operator-honest reads kill the affiliate funnel).
  2. The category requires a multi-year content compound — not a single launch.
  3. The partner-program economics only matured in 2024-2026 as the SOC 2 vendor category itself matured.

SideGuy is early. The window is open.

Two paths from here

If you're a buyer evaluating SOC 2 software → text PJ for the operator-honest read on which vendor fits your stage. If you're a vendor in a multi-vendor SaaS category → text PJ to discuss Layer 2 partnership.


Cross-links · read the rest of the thesis in the wild

Every page below is the doctrine in operation, not just in theory.

PJ Text PJ 858-461-8054
You can go at it without SideGuy — but no custom shareables for your friends & family. You'll be short a bag of laughs. 🌸
🎁 Didn't quite find it?

Don't see what you were looking for?

Text PJ a sentence about what you actually need — I'll build you a free custom shareable on the house. No email, no funnel, no SOW.

📲 Text PJ — free shareable
~10 min turnaround. Your friends will love it.

I'm almost positive I can help. If I can't, you don't pay.

No signup. No seminar. No bullshit.

PJ · 858-461-8054