
SOC 2 evidence: what auditors actually ask for

Beyond policy docs — the screenshots, logs, and ticket trails your SOC 2 auditor will want.


First-time SOC 2 candidates usually over-invest in policies and under-invest in evidence. Policies tell the auditor what you say you do. Evidence proves you actually do it. Most control failures at audit time are evidence gaps, not control gaps.

Categories of evidence you'll need

  • Configuration snapshots: MFA enforcement settings, logging configuration, firewall rules. Screenshots or API exports are fine, provided they're timestamped.
  • Operational logs: access logs, change logs, scan reports over the audit window (usually 3–12 months). Cyvex scan reports cover the vulnerability management control directly.
  • Ticket trails: evidence that findings were triaged and either fixed or risk-accepted, within your defined SLA.
  • Review artifacts: access reviews, risk assessments, vendor reviews. Usually a signed document or a dated sheet.

Export what you can, explain what you can't

Anything that can be exported from a tool should be — auditors trust system-generated exports more than screenshots. See the audit export guide for Cyvex's evidence bundle format.

Plan for the gaps

Most orgs miss 2–3 evidence categories on their first pass. Common gaps: formal quarterly access reviews, documented change approvals, and vendor risk reviews. Nothing an auditor can't work around, but every gap costs you time and credibility.