Security Compliance: Discipline, Not a Checkbox

21 May 2026

Cohesive Networks has completed its 5th consecutive Type 2 SOC 2 examination. Another full operating year of controls examined and confirmed: same auditor, same standard, no exceptions. We publish this every year not because customers ask for a badge, but because we operate in regulated industries where proof of practice matters more than proof of intent.

Examination Details

  • Selected SOC 2 Categories: Security
  • Examination Type: Type 2
  • Review Period: May 1, 2025, to April 30, 2026
  • Service Auditor: Schellman & Company, LLC

Built Security-First, Before it was Cool

Cohesive Networks spun out of Cohesive Flexible Technologies in 2014 after a clear-eyed assessment: we weren’t a cloud migration company that happened to do security. We were a security and networking company. That distinction shaped how we built everything that followed — internal systems, controls, and architecture all designed to a standard that’s still overbuilt by today’s measure.

VNS3 itself dates to 2008, built originally to secure our own infrastructure: first our Elastic Server Image Factory cluster, and then to provide IP address control and isolation in EC2-classic’s open 10/8 network environment. We didn’t build a security product and then figure out how to run it. We ran it ourselves first, on our own production systems, and we still do — internal Overlay Networks for production and support engineering, PeopleVPN for our distributed team.

That history matters.

No Access…

…By design, Cohesive has no access to customers’ VNS3-provided networks. Access and visibility are entirely in the hands of the owner. VNS3 has no backdoor, only Access URLs, API Tokens, and Remote Support multi-party authentication that customers control directly.

For customers using our SecurePass managed service, we extend that same principle rather than suspend it. When our engineers manage a customer’s environment, we do so through a dedicated secure overlay network using the same architecture we build for customers, applied to our own operations. Total network accountability, in both directions.

Looking Ahead

AI is moving into network infrastructure fast, and the compliance frameworks are running to catch up. We’re not waiting. As we build AI-assisted capabilities into the VNS3 platform (look for Connection Advisor with AI Diagnostics beta availability starting in version 7.1.1), we’re engaged with our auditors now on how SOC 2’s existing Trust Services Criteria apply, specifically to AI-assisted operations, not just human-driven ones.

The questions we’re working through are practical ones: What does change management look like when an AI agent is proposing or applying a network configuration change? What evidence do we need to show that AI-assisted access to customer network state is bounded by the same no-backdoor principle as everything else? What does a defensible audit trail look like for CC7 and CC8 when the actor in the log isn’t a person?

We don’t have all the answers yet, and we won’t publish governance claims ahead of the controls that back them up. What we can say is that we’d rather be raising these questions with our auditor while AI features are still being adopted, building governance in from the start rather than retrofitting it after the fact. That’s the same approach we took in 2008, and again in 2014, and again in 2022. It hasn’t changed.