Home / Industry-Aligned Testing / SOC 2
SOC 2 Penetration Testing
SOC 2 Penetration Testing
Penetration testing that provides the independent security evidence auditors expect for a SOC 2 examination, mapped to the AICPA Trust Services Criteria and ready for your Type I or Type II report.
Overview
Evidence for your SOC 2 examination
SOC 2 is built on the AICPA Trust Services Criteria. A penetration test is not a single line item, but the Common Criteria, particularly CC4.1 (separate evaluations of controls), CC7.1 (vulnerability detection) and CC7.2 (monitoring for anomalous activity), mean auditors increasingly expect an annual penetration test as supporting evidence, especially for Type II.
We test your in-scope services and deliver a report your service auditor can rely on to support the security criteria and demonstrate your commitment to protecting customer data.
What you'll receive
- ✓Scoping: a test plan mapped to your in-scope Trust Services Criteria
- ✓Testing: external, internal and application coverage across the Common Criteria (CC6.x / CC7.x)
- ✓Executive report: a summary written for your service auditor and stakeholders
- ✓Technical report: dated, risk-rated findings covering your Type I or Type II period
- ✓Remediation: prioritised guidance for your control owners
- ✓Retest: a complimentary retest to confirm fixes within your audit window
Why It Matters
How testing supports SOC 2
Service auditors want independent evidence that vulnerabilities are identified and addressed. A penetration test provides that assurance for the security criteria.
Type I & Type II evidence
Supports both point-in-time and period-of-time examinations with independent, dated technical evidence.
Trust Criteria mapping
Directly relevant to CC4.1 separate evaluations, CC7.1 vulnerability detection and CC7.2 anomaly monitoring.
Customer trust
Demonstrates to prospects and existing customers that security is independently validated.
Vendor due diligence
Answers the security-testing questions that increasingly appear in enterprise procurement and vendor reviews.
What We Test
Testing aligned to the Trust Services Criteria
External attack surface testing
Internet-facing systems and services (CC6.6).
Internal network penetration testing
Lateral movement and internal exposure (CC6.1, CC6.6).
Web application & API testing
Assessment of your customer-facing platform and APIs.
Logical access & authentication
MFA, provisioning and role-based access review (CC6.1 to CC6.3).
Change & configuration review
Secure baselines and change control (CC7.1, CC8.1).
Vulnerability detection validation
Effectiveness of scanning and patching (CC7.1).
Encryption review
Protection of data in transit and at rest (CC6.7).
Cloud environment security
IAM, storage and network controls (CC6.6).
Monitoring & anomaly detection
Alerting and logging coverage (CC7.2).
Incident response readiness
Detection and containment capability (CC7.3, CC7.4).
Vendor & privileged access
Least-privilege enforcement and access lifecycle (CC6.3).
Remediation evidence & retest
Findings mapped to the Trust Services Criteria and re-tested.
Applicable Pentest Phases
The pentest phases behind a SOC 2 engagement
A SOC 2 engagement combines the assessments below across your system boundary. Each phase links to the full service.
Infrastructure Testing
External and internal network testing evidencing CC6.6 boundary protection.
Web Application Testing
Testing of your customer-facing platform against CC6.1 logical access controls.
API Penetration Testing
Testing of the service interfaces inside your SOC 2 system description.
Cloud Security Review
IAM, storage and network review of the cloud environment hosting your service.
Secure Code Review
Review of security-critical code paths, supporting CC8.1 change management.
Social Engineering
Phishing simulation that exercises workforce security awareness controls.
FAQ
Frequently asked questions
Is a penetration test mandatory for SOC 2?
A penetration test is not named as a mandatory control in the Trust Services Criteria, but CC4.1 (separate evaluations) and CC7.1 (vulnerability detection) mean auditors commonly expect one as evidence. The AICPA points of focus for CC4.1 explicitly cite penetration testing as an acceptable evaluation, and it is strongly recommended, particularly for a SOC 2 Type II report.
Which Trust Services Criteria does testing map to?
Primarily the Common Criteria: CC4.1 (separate evaluations of controls), CC7.1 (vulnerability detection) and CC7.2 (monitoring for anomalous activity), with access-control findings supporting CC6.1 to CC6.8. We map findings to these so your auditor can use the report directly.
What is the difference for Type I versus Type II?
Type I assesses control design at a point in time, while Type II assesses operating effectiveness over a period. For Type II we recommend testing within the audit window and typically at least annually.
Will the report satisfy our SOC 2 auditor?
Yes. Our reports include risk-rated findings mapped to the relevant criteria, remediation guidance and retest evidence, presented in a format your service auditor can rely on.
How often should we test for SOC 2?
At least annually, and after significant changes to in-scope systems. Aligning the test with your audit period keeps the evidence current and relevant.
Working towards SOC 2?
Talk to our consultants about scoping a penetration test for your SOC 2 examination, or get an instant quote for your assessment.