In Part 1, we met Anika, James, and Rachel and watched an EzProtect detection fall into the accountability gap. In Part 2, we introduced three principles that close the gap. This final part brings Rachel’s story to its conclusion: the SOC 2 audit is here.

Rachel’s audit is in 90 days and the clock is already ticking

France issued its first NIS2 enforcement penalty in Q1 2026, an €850,000 fine against an entity with inadequate incident reporting. Twenty-one of the EU’s 27 member states have transposed NIS2 into national law. GDPR enforcement fines reached €2.1 billion in 2025. These are not future risks. They are current obligations.

Rachel’s firm is based in the United States, but three of its customers are headquartered in EU member states. That means Rachel has GDPR exposure through the personal data of EU data subjects stored in the firm’s Salesforce environment. Her SOC 2 auditor will ask to see evidence that incident response procedures exist and were followed. Her ISO 27001 auditor will ask for a documented response process with evidence of corrective action. If any incident in the past twelve months was handled informally, that is an audit finding regardless of the technical outcome.

What most organizations actually have after an incident

A support ticket that any admin can edit. An email thread where someone said “done.” A case record closed without attachments or sign-off. The Verizon 2026 DBIR found the human element was a factor in 62% of breaches. The documentation that follows is often just as fragile.

Four regulatory clocks Rachel needs to know

GDPR Art. 33 requires supervisory authority notification within 72 hours, with fines up to €20 million or 4% of global annual turnover. NIS2 requires 24-hour early warning and 72-hour full notification, with fines up to €10 million or 2% plus personal management liability. DORA requires 24-hour initial classification for major ICT incidents in financial services, with daily penalties of 1% of average daily turnover. The EU Cyber Resilience Act, effective September 2026, adds a 24-hour early warning for actively exploited vulnerabilities. For US organizations, the SEC requires Form 8-K within four business days of materiality determination.

What a phishing link in a support case looks like without accountability

A customer submits a support case through the firm’s Experience Cloud portal. The case description contains a credential-harvesting URL. Marcus, a support agent on Anika’s team, opens the case, reads the description, and clicks the link before EzProtect’s URL scanner flags it. The URL is a phishing page. Marcus may have entered his Salesforce credentials.

Without an accountability layer, somebody notices Marcus’s browser activity during a quarterly review. IT messages Marcus to change his password. Marcus changes it. Nobody checks whether Marcus entered credentials on the phishing page. Nobody checks whether other agents viewed the same case and clicked the same link. Nobody checks whether the URL appeared in the firm’s other Salesforce applications. The case gets closed. When Rachel’s auditor asks for the incident response record, there is nothing to produce.

What the same incident looks like with Argus

EzProtect’s URL scanner identifies the credential-harvesting link and quarantines the field, making the URL un-renderable. The detection signal flows through Salesforce Data Cloud into Argus.

Argus checks EzProtect’s click-tracking logs and finds that Marcus clicked the URL before quarantine. Because a click is confirmed, Argus auto-escalates from P2 to P1. It invalidates Marcus’s active sessions across every Salesforce org where he has a license. It creates a credential-compromise milestone and assigns it to James, who must investigate whether any data was accessed during the compromised session. It creates a blast radius milestone for every other Salesforce application registered in Argus, asking each Application Owner to check whether the same URL appeared in their environment.

Anika, as the Application Owner for the Experience Cloud community, receives a milestone with clear instructions: verify the URL has been removed from the case body, confirm no other cases contain the same link, and submit the evidence. Argus’s AI checks Anika’s submission before James reviews it. James reviews, a separate Approver signs off, and the milestone locks. Marcus’s manager is notified, framed as coordination, not punishment. The customer who submitted the case receives a templated communication approved by Anika’s manager before it is sent.

The containment phase cannot close until both James and Anika have signed off. When James’s credential-compromise investigation milestone hits 75% of its SLA because James is still working the original trojan incident from Part 2, Argus does not wait. Rachel receives an email with the milestone name, the P1 severity, the time remaining, and a link to coordinate or reassign. Rachel reassigns the investigation to the secondary Security Lead, who picks up where James left off with the full evidence chain visible. The escalation closes with an audit entry. The breach record stays in the timeline permanently, documenting that the milestone exceeded its window and how it was resolved. Every step is recorded on the immutable incident timeline with the name of the responsible person, the timestamp, and the evidence they submitted.

Evidence that builds itself

Argus produces two parallel audit records. The immutable incident timeline records every notification, acknowledgment, escalation, milestone transition, and missed deadline. It is append-only. Events cannot be edited or deleted. If something needs correcting, a new event is added. History does not change.

The milestone record carries instructions, required evidence, and the Author, Reviewer, and Approver for each step. Milestones are editable while in draft. The moment the Approver signs off, the milestone locks permanently, including every file and comment. If evidence needs updating after approval, a new versioned entry is created alongside the old one. Argus lives in EzProtect’s environment, not in the customer’s Salesforce org, with no access to customer business data. The incident data and audit trail are maintained independently from the systems being protected.
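To make the two records concrete, here is an added illustrative model (example code written for this article, not Argus's own implementation) of an append-only timeline and a milestone that gates review on evidence completeness, keeps Author, Reviewer and Approver distinct, locks on approval, and spawns a new version for post-approval corrections. The class and method names, and the rule that the Approver must also differ from the Reviewer, are assumptions.

```python
from datetime import datetime, timezone

class IncidentTimeline:
    # Append-only: events are recorded, never edited or deleted.
    def __init__(self):
        self._events = []

    def record(self, actor, action, detail=""):
        self._events.append((datetime.now(timezone.utc), actor, action, detail))

    def events(self):
        return tuple(self._events)  # read-only view; corrections add new events

class Milestone:
    # Editable while in draft; locked permanently once the Approver signs off.
    def __init__(self, name, author, required, timeline, version=1):
        self.name, self.author, self.required = name, author, set(required)
        self.timeline, self.version = timeline, version
        self.evidence, self.reviewer, self.approver, self.locked = {}, None, None, False

    def attach(self, filename, content):
        if self.locked:
            raise PermissionError(f"{self.name} v{self.version} is locked")
        self.evidence[filename] = content
        self.timeline.record(self.author, "evidence_attached", f"{self.name}:{filename}")

    def review(self, reviewer):
        missing = sorted(self.required - set(self.evidence))  # completeness gate
        if missing:
            raise ValueError(f"missing evidence: {missing}")
        if reviewer == self.author:
            raise PermissionError("Reviewer must differ from Author")
        self.reviewer = reviewer
        self.timeline.record(reviewer, "milestone_reviewed", self.name)

    def approve(self, approver):
        if self.reviewer is None:
            raise ValueError("review must precede approval")
        if approver in (self.author, self.reviewer):
            raise PermissionError("Approver must differ from Author and Reviewer")
        self.approver, self.locked = approver, True
        self.timeline.record(approver, "milestone_locked", f"{self.name} v{self.version}")

    def revise(self):  # post-approval correction: new version beside the locked one
        if not self.locked:
            raise ValueError("draft milestones are edited in place, not revised")
        new = Milestone(self.name, self.author, self.required, self.timeline, self.version + 1)
        new.evidence = dict(self.evidence)
        self.timeline.record(self.author, "milestone_revised", f"{self.name} v{new.version}")
        return new
```

Walking Anika's milestone through attach, review, approve and revise leaves four timeline events and a locked v1 beside an editable v2, which is the shape of record an auditor can replay.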

Rachel’s audit with Argus

Rachel sits down with the SOC 2 auditor. The auditor asks to see evidence of incident response over the past twelve months. Rachel opens the Argus timeline export. Every incident EzProtect detected is there. Every milestone has a named Author, Reviewer, and Approver with timestamped sign-offs. Every piece of evidence is attached and locked. The blast radius checks are documented. The escalations that fired when James was in a meeting are documented, including when they resolved.

SOC 2 CC7.4 and CC7.5 require evidence that incident response procedures exist and were followed. ISO 27001 Annex A.5.26 requires a defined, documented response process. Rachel can show both.

One transparency note: at launch, regulatory notification clock management (GDPR 72-hour tracking, NIS2 24-hour early warning) is handled by the customer’s existing processes. Dedicated regulatory clock management is on the Argus roadmap. What is available today, and what Rachel’s auditor is actually asking to see, is the immutable evidence trail that proves the team responded: who was notified, when they acknowledged, what evidence they collected, who reviewed it independently, and who approved it. That trail is the product. It exists today. And it is what closes the gap between “we have a policy” and “we can prove we followed it.”

The 241-day lifecycle and the accountability impact on your teams

The 241-day average breach lifecycle that IBM has tracked for over a decade persists because the industry spent twenty years optimizing the wrong layer. Detection got faster. Scanners got smarter. Alert volumes went up. And the time between finding a threat and proving it was resolved barely moved, because no one built the system that enforces what happens between the alert and the closure.

That is the business case for accountability as a discipline, not just a principle. Organizations that resolve breaches in under 200 days spend $1.88 million less than those that take longer. The difference is not better detection. It is structured, evidence-backed, independently reviewed response that starts the moment the scanner fires and does not stop until the record is locked.

For Anika, accountability means clear instructions that turn her deep Salesforce expertise into defensible incident response, without adding a separate documentation exercise to her day. For James, it means a system that chases the work forward, routes around bottlenecks, and surfaces only the decisions that require his judgment. For Rachel, it means an audit trail that answers every question the auditor will ask, built in real time while the team was doing the work, not reconstructed from memory three months later.

For the enterprise, accountability means closing the gap that has kept the breach lifecycle at 241 days for over a decade. EzProtect catches the threat. Argus by EzProtect ensures the response is owned, documented, and defensible. Every milestone has a named human. Every piece of evidence is validated. Every sign-off is locked. Every escalation is recorded. And every incident that enters the system exits it with a record that would hold up in front of an auditor, a regulator, or a court.

The accountability gap between detection and resolution is not inevitable. It is a system design problem, and Argus is the system that solves it.

Let’s close your team’s accountability gap. Book an Argus demo and bring your last Salesforce security incident. We will show you the evidence trail EzProtect and Argus would have produced together: every notification, every milestone, every sign-off, locked and ready for your auditor.


Frequently Asked Questions

What evidence do SOC 2 and ISO 27001 auditors require for incident response?

SOC 2 CC7.4 and CC7.5 require proof that incident response procedures exist and were followed during actual incidents. ISO 27001 Annex A.5.26 requires a defined, documented response process with evidence of corrective action. In practice, auditors look for timestamped records showing who was notified, what they did, what evidence they collected, who reviewed it, who approved it, and whether the response met the required timeline. A closed ticket without these elements is an audit finding even if the incident itself was handled correctly. Argus by EzProtect produces all of these artifacts automatically as a by-product of the response workflow, with every milestone carrying a named Author, Reviewer, and Approver with timestamped sign-offs locked into an immutable record.

What is the difference between closing a ticket and producing audit-ready evidence?

A closed ticket indicates someone marked the work as done. Audit-ready evidence proves the work was actually performed, verified by a second person, and approved by someone who understood its compliance significance. The critical differences are immutability (audit-ready evidence is locked at approval and cannot be edited afterward), separation (the person who collected the evidence cannot approve it), and completeness (the specific artifacts an auditor would inspect are attached at the time of the work, not reconstructed later). Argus by EzProtect enforces all three by design: milestones lock on approval, the Author can never be the Approver, and AI validates evidence completeness before any human reviewer sees it.

What are the GDPR, NIS2, and DORA notification deadlines for security incidents?

GDPR Art. 33 requires supervisory authority notification within 72 hours, with fines up to €20 million or 4% of global turnover. NIS2 requires 24-hour early warning and 72-hour full notification, with fines up to €10 million or 2% plus personal management liability. DORA requires 24-hour initial classification for major ICT incidents in financial services with daily penalties. The EU Cyber Resilience Act (effective September 2026) adds 24-hour early warning for actively exploited vulnerabilities. For US firms, the SEC requires Form 8-K within four business days of materiality determination. Argus by EzProtect’s immutable incident timeline and locked milestone records provide the evidence foundation these regulatory windows require, documenting every response action with named ownership and timestamps as the work happens rather than after the deadline has passed.

How can organizations improve incident response documentation without adding overhead?

The most effective approach is a system that produces the audit trail as a by-product of doing the work rather than as a separate documentation exercise. Argus by EzProtect does this by requiring evidence submission at every milestone, validating evidence quality with AI before human review, locking every milestone on approval so the record cannot be edited afterward, and recording every notification and escalation on an immutable timeline. The team does the work. The audit trail builds itself. There is no separate step where someone goes back and documents what happened, because the documentation is the work.

Published On: June 1, 2026. Categories: Argus, Blog, Cybersecurity
