SOC 2 Penetration Testing

SOC 2 Penetration Testing

Penetration testing that provides the independent security evidence auditors expect for a SOC 2 examination, mapped to the AICPA Trust Services Criteria and ready for your Type I or Type II report.

Overview

Evidence for your SOC 2 examination

SOC 2 is built on the AICPA Trust Services Criteria. A penetration test is not a single line item, but the Common Criteria, particularly CC4.1 (separate evaluations of controls), CC7.1 (vulnerability detection) and CC7.2 (monitoring for anomalous activity), mean auditors increasingly expect an annual penetration test as supporting evidence, especially for Type II.

We test your in-scope services and deliver a report your service auditor can rely on to support the security criteria and demonstrate your commitment to protecting customer data.

What you'll receive

  • Scoping: a test plan mapped to your in-scope Trust Services Criteria
  • Testing: external, internal and application coverage across the Common Criteria (CC6.x / CC7.x)
  • Executive report: a summary written for your service auditor and stakeholders
  • Technical report: dated, risk-rated findings covering your Type I or Type II period
  • Remediation: prioritised guidance for your control owners
  • Retest: a complimentary retest to confirm fixes within your audit window

Why It Matters

How testing supports SOC 2

Service auditors want independent evidence that vulnerabilities are identified and addressed. A penetration test provides that assurance for the security criteria.

Type I & Type II evidence

Supports both point-in-time and period-of-time examinations with independent, dated technical evidence.

Trust Criteria mapping

Directly relevant to CC4.1 separate evaluations, CC7.1 vulnerability detection and CC7.2 anomaly monitoring.

Customer trust

Demonstrates to prospects and existing customers that security is independently validated.

Vendor due diligence

Answers the security-testing questions that increasingly appear in enterprise procurement and vendor reviews.

What We Test

Testing aligned to the Trust Services Criteria

01

External attack surface testing

Internet-facing systems and services (CC6.6).

02

Internal network penetration testing

Lateral movement and internal exposure (CC6.1, CC6.6).

03

Web application & API testing

Assessment of your customer-facing platform and APIs.

04

Logical access & authentication

MFA, provisioning and role-based access review (CC6.1 to CC6.3).

05

Change & configuration review

Secure baselines and change control (CC7.1, CC8.1).

06

Vulnerability detection validation

Effectiveness of scanning and patching (CC7.1).

07

Encryption review

Protection of data in transit and at rest (CC6.7).

08

Cloud environment security

IAM, storage and network controls (CC6.6).

09

Monitoring & anomaly detection

Alerting and logging coverage (CC7.2).

10

Incident response readiness

Detection and containment capability (CC7.3, CC7.4).

11

Vendor & privileged access

Least-privilege enforcement and access lifecycle (CC6.3).

12

Remediation evidence & retest

Findings mapped to the Trust Services Criteria and re-tested.

Applicable Pentest Phases

The pentest phases behind a SOC 2 engagement

A SOC 2 engagement combines the assessments below across your system boundary. Each phase links to the full service.

Infrastructure Testing

External and internal network testing evidencing CC6.6 boundary protection.

Web Application Testing

Testing of your customer-facing platform against CC6.1 logical access controls.

API Penetration Testing

Testing of the service interfaces inside your SOC 2 system description.

Cloud Security Review

IAM, storage and network review of the cloud environment hosting your service.

Secure Code Review

Review of security-critical code paths, supporting CC8.1 change management.

Social Engineering

Phishing simulation that exercises workforce security awareness controls.

FAQ

Frequently asked questions

Is a penetration test mandatory for SOC 2?

A penetration test is not named as a mandatory control in the Trust Services Criteria, but CC4.1 (separate evaluations) and CC7.1 (vulnerability detection) mean auditors commonly expect one as evidence. The AICPA points of focus for CC4.1 explicitly cite penetration testing as an acceptable evaluation, and it is strongly recommended, particularly for a SOC 2 Type II report.

Which Trust Services Criteria does testing map to?

Primarily the Common Criteria: CC4.1 (separate evaluations of controls), CC7.1 (vulnerability detection) and CC7.2 (monitoring for anomalous activity), with access-control findings supporting CC6.1 to CC6.8. We map findings to these so your auditor can use the report directly.

What is the difference for Type I versus Type II?

Type I assesses control design at a point in time, while Type II assesses operating effectiveness over a period. For Type II we recommend testing within the audit window and typically at least annually.

Will the report satisfy our SOC 2 auditor?

Yes. Our reports include risk-rated findings mapped to the relevant criteria, remediation guidance and retest evidence, presented in a format your service auditor can rely on.

How often should we test for SOC 2?

At least annually, and after significant changes to in-scope systems. Aligning the test with your audit period keeps the evidence current and relevant.

Working towards SOC 2?

Talk to our consultants about scoping a penetration test for your SOC 2 examination, or get an instant quote for your assessment.