543 companies hold SOC 2. Almost none have moved on the next cert.
I mapped 643 US companies across 90+ compliance frameworks from public disclosures: who holds what, and where the gaps are. The shape of the market is below, free. The named companies behind each number are the product.
SOC 2 leads. The tail runs deep.
Adoption concentrates at the top and then scatters across a long tail of security, privacy, AI-governance, and government frameworks. The headline names are crowded. The opportunity is in the combinations.
Only 19% hold a single framework. A third hold five or more.
Once a company certifies, it keeps certifying. Every certified company is an expansion account, not a one-time sale. The single-framework companies are the greenfield; the five-plus companies are the renewal-and-upsell engine.
Distribution of frameworks held per company. Range runs from 1 to 18.
Pick a lane. See the prospect list size.
Every gap is a targeting list: companies that have proven they buy compliance, but have not yet bought the thing you sell. Choose what they hold and what they are missing.
The same data, sliced by who they are.
A framework is not a market until you can segment it. Here is where the holders sit by company size and by industry.
| Framework | 1-10 | 11-50 | 51-200 | 201-500 | 501-1,000 | 1,001-5,000 | 5,001-10,000 | 10,001+ |
|---|---|---|---|---|---|---|---|---|
| SOC 2 | 35 | 123 | 121 | 100 | 90 | 86 | 11 | 16 |
| ISO 27001 | 5 | 46 | 45 | 63 | 62 | 72 | 10 | 10 |
| ISO 42001 | 1 | 3 | 4 | 4 | 11 | 16 | 1 | 0 |
| HIPAA | 7 | 27 | 35 | 18 | 32 | 30 | 4 | 8 |
| PCI DSS | 4 | 15 | 29 | 29 | 24 | 42 | 6 | 11 |
| FedRAMP | 1 | 2 | 4 | 9 | 14 | 21 | 3 | 0 |
| HITRUST | 0 | 2 | 2 | 6 | 7 | 7 | 3 | 3 |
| GDPR | 8 | 46 | 51 | 55 | 51 | 44 | 7 | 3 |
Each row counts companies holding that framework, split across the company-size bands in the column headers. Rows sum to the framework’s total holders.
The shape is free. The coordinates are the product.
The market shape
- Framework adoption counts
- Stacking distribution
- Every gap size, any combination
- Splits by size and industry
- Methodology and accuracy basis
The named companies
- Company names in your chosen slice
- Websites and public source links per record
- Framework profile for each company
- Filtered to your lane, size, and industry
- 90-day exclusivity in your vertical
Inference, not a lookup.
Audit reports and certifications are confidential by design. There is no public registry of who holds SOC 2. Compiling who actually holds one is inference from public trust centers, security pages, and disclosures, structured and normalized at scale. That is the whole reason the dataset is worth anything: if it were a lookup, everyone would have it.
Accuracy is verifiable. Pick any five companies in your lane and I will show the public source link behind each. The method stays mine. The proof is yours.
Which lane are you trying to grow?
Tell me the framework and the segment. I will pull the slice, show you how it breaks down, and you will know in fifteen minutes whether it is worth it.