Achieving Full Asset Visibility: How Socotra Gained Control Over a Growing and Complex Inventory
Challenges
- Maintaining a comprehensive inventory of assets across disparate tools made it increasingly difficult to track changes and ensure the security of the infrastructure.
- Valuable time and resources spent on manual processes for configuration management and compliance.
- Growing business needs required deeper, customizable insights to uncover advanced threats and complex vulnerabilities.
Results
- Successfully integrated with 18 different tools, including GitHub, Jira, and AWS, achieving seamless connectivity and enhanced visibility across their cybersecurity ecosystem.
- Implemented custom dashboards in JupiterOne to monitor specific configurations, delivering real-time visibility into critical metrics and enabling proactive risk management aligned with organizational priorities.
- Completed two SOC 1 audits, achieving a significant reduction in effort and preparation time.
- Gained the ability to quickly identify discrepancies and view consolidated data in a single grid, eliminating the need to manually compare multiple AWS environments.
Intro & Overview
Socotra is a cutting-edge technology company that provides a cloud-native, flexible, and API-driven platform for the insurance industry. Its core platform enables insurers to manage products, policies, claims, and customer data with efficiency and scalability. Designed for modern insurance needs, Socotra helps accelerate product launches, reduce maintenance costs, and enhance customer experiences. Socotra’s flexible, API-driven architecture allows insurers to integrate with third-party services and innovate quickly, making it a preferred choice for organizations looking to improve agility and streamline operations in a competitive market.
Socotra found itself navigating a rapid technology expansion. Within a two-month period, they acquired another company and launched a related product line, resulting in a company landscape 3x larger than before. Despite this surge in assets and systems, the IT, DevOps and SecOps teams remained unchanged, intensifying the challenge of managing and securing their growing environment. Without the resources to identify and gain full visibility into their new infrastructure, the infosec and cybersecurity teams were left struggling to keep pace with their evolving security and operational needs. This expansion exposed gaps in their ability to efficiently maintain security compliance and asset management.
To support its growing business, Socotra leverages the JupiterOne platform for enhanced security and operational efficiency. This customer story highlights how JupiterOne delivers comprehensive asset visibility and streamlined compliance management, empowering Socotra to protect its operations today and prepare for the challenges of tomorrow.
Overcoming Asset Visibility and Compliance Challenges in a Growing and Complex Tech Environment
Faced with continued growth and increasing complexity in managing their security operations, Mark Holtz, CISO at Socotra, sought a solution that could provide unified visibility and control over their growing asset landscape. The need for a single platform capable of aggregating, consolidating, and normalizing data from multiple sources, while offering automation and advanced compliance capabilities, became essential.
Socotra faced a significant challenge in managing its sprawling infrastructure, which included 50+ AWS environments, both those belonging to customers and those for internal use. Each environment carried its own configuration history, but the lack of centralized visibility made it nearly impossible to track forgotten or "phantom" resources left running after tests or configuration changes. These overlooked resources accumulated over time, leading to unnecessary resource wastage, costing Socotra both time and money. The absence of a comprehensive view made it difficult to efficiently manage assets and ensure that resources were being used effectively.
Mark considered dedicated GRC platforms like Vanta and Tugboat, which offered basic compliance functionality for things like SOC 1 or SOC 2, but those tools lacked the deeper integrations that would allow for more complex, custom, and granular compliance frameworks. Rather than a tool that enforced a rigid set of predefined compliance rules, Socotra needed the flexibility to tailor their own compliance standards, especially for more advanced frameworks. JupiterOne offered the ability to customize compliance checks and audit how resources were being utilized. This flexibility empowered Socotra to align their security operations with specific compliance requirements, providing the control they needed to efficiently manage and audit their assets in line with both industry standards and internal policies. By leveraging JupiterOne’s customization features, Socotra enhanced their security posture and ensured compliance on their own terms.
Results and Benefits
By implementing JupiterOne, Socotra was able to streamline its audit preparation for SOC 1 and ISO 27001. Traditionally, preparing for these audits required extensive manual work, including gathering evidence, verifying control effectiveness, and managing compliance documentation across departments. With JupiterOne's automated evidence collection, Socotra could continuously collect and organize relevant compliance data, cutting down hours of preparation work and reducing the risk of human error. Socotra plans to further leverage JupiterOne to streamline compliance efforts for frameworks like HIPAA and SOC 2, enabling them to unlock new revenue opportunities and support business growth.
"J1 asset analysis platform paid for itself by saving us from having to purchase separate GRC and vulnerability management tools and easily showing us leftover AWS resources we were paying for but weren't using." Mark Holtz, CISO at Socotra
Beyond audit compliance, JupiterOne’s automation capabilities allowed Socotra to extend this efficiency to their configuration and policy management processes. By automating configurations and enforcing policy adherence across their infrastructure, Socotra was able to ensure configurations were regularly updated, security policies were consistently applied, and any deviations or misconfigurations were quickly flagged for remediation.
Summary
- Achieved centralized visibility across 50+ AWS environments and diverse infrastructure, enabling efficient resource management.
- Automated evidence collection and tailored compliance frameworks simplified audit preparation for SOC 1 and ISO 27001.
- Identified and eliminated unused "phantom" resources, reducing unnecessary expenses and optimizing resource utilization.
- Continuous monitoring and automated alerts ensured policy adherence, minimized risks, and maintained a strong security posture.