← Home
Market Intelligence / Compliance Frameworks

543 companies hold SOC 2. Almost none have moved on the next cert.

I mapped 643 US companies across 90+ compliance frameworks from public disclosures: who holds what, and where the gaps are. The shape of the market is below, free. The named companies behind each number are the product.

643
US companies mapped
90+
distinct frameworks tracked
543
hold SOC 2, not ISO 42001
01 / The landscape

SOC 2 leads. The tail runs deep.

Adoption concentrates at the top and then scatters across a long tail of security, privacy, AI-governance, and government frameworks. The headline names are crowded. The opportunity is in the combinations.

SOC 2
582
ISO 27001
313
GDPR
265
CCPA/CPRA
206
HIPAA
161
PCI DSS
160
SOC 1
94
SOC 3
69
ISO 27701
67
FedRAMP
54
ISO 27018
43
ISO 27017
42
CSA STAR
42
ISO 42001
40
HITRUST
30
02 / Compliance compounds

Only 19% hold a single framework. A third hold five or more.

Once a company certifies, it keeps certifying. Every certified company is an expansion account, not a one-time sale. The single-framework companies are the greenfield; the five-plus companies are the renewal-and-upsell engine.

122
1 framework
111
2 frameworks
105
3 frameworks
99
4 frameworks
206
5+ frameworks

Distribution of frameworks held per company. Range runs from 1 to 18.

03 / The gap explorer

Pick a lane. See the prospect list size.

Every gap is a targeting list: companies that have proven they buy compliance, but have not yet bought the thing you sell. Choose what they hold and what they are missing.

Companies that holdbut have not disclosed
543
543 of the 582 companies that hold SOC 2 have not disclosed ISO 42001. That is 93% of the SOC 2 base, sitting unworked.
Counts are public-source and aggregate. The named companies in any slice are delivered in the paid brief.
one you’d know, sourced. the rest are in the full lane.
each number is a different firm’s pipeline →
04 / Cross-tabs

The same data, sliced by who they are.

A framework is not a market until you can segment it. Here is where the holders sit by company size and by industry.

Framework1-1011-5051-200201-500501-1,0001,001-5,0005,001-10,00010,001+
SOC 23512312110090861116
ISO 27001546456362721010
ISO 420011344111610
HIPAA7273518323048
PCI DSS41529292442611
FedRAMP1249142130
HITRUST02267733
GDPR8465155514473

Each row counts companies holding that framework, split across segments. Rows sum to the framework’s total holders.

05 / What you get

The shape is free. The coordinates are the product.

On this page, free

The market shape

  • Framework adoption counts
  • Stacking distribution
  • Every gap size, any combination
  • Splits by size and industry
  • Methodology and accuracy basis
In the brief, paid

The named companies

  • Company names in your chosen slice
  • Websites and public source links per record
  • Framework profile for each company
  • Filtered to your lane, size, and industry
  • 90-day exclusivity in your vertical
06 / Method

Inference, not a lookup.

Audit reports and certifications are confidential by design. There is no public registry of who holds SOC 2. Compiling who actually holds one is inference from public trust centers, security pages, and disclosures, structured and normalized at scale. That is the whole reason the dataset is worth anything: if it were a lookup, everyone would have it.

Accuracy is verifiable. Pick any five companies in your lane and I will show the public source link behind each. The method stays mine. The proof is yours.

Which lane are you trying to grow?

Tell me the framework and the segment. I will pull the slice, show you how it breaks down, and you will know in fifteen minutes whether it is worth it.

← Home

raph@raphaelmercado.devlinkedin.com/in/raphmercadogithub.com/raphaelmercado-coder