
Last suggestion deserves a caveat. Unless more than 5% of your revenue will unconditionally require SOC2, you should avoid doing it and accept the small revenue hit.

But you are correct, if you do need it, you should do it as early as you can and buy it out of the box as much as you can. I recommend Tugboat Logic for this.



That's true!

For those that do not know, an audit is going to cost AT LEAST $20k but the total cost could be more than $50k (certainly more if you are paying market rate and you account for the team's time to pull everything together). And the requirements can cause side effect costs (penetration tests, etc).


As an incident management tool, getting certified was a thing we knew we needed early.

Gotta hand it to Chris (one of our founders) who came from being Director of Platform at Monzo (a UK neobank) and had spent years battling auditors, and knew exactly how to play it.

Kinda hammers home the point of my article... but about three months into our company life, we were SOC 2 certified, and it didn't feel like much effort at all.

In case anyone is looking for actionable advice, we used Vanta to help us through the process. If you're funded, I think it's well worth the money.



