SOC 2 penetration testing: what to expect
SOC 2 penetration testing is a security assessment performed to give your auditor evidence that your organization's controls meet the AICPA Trust Services Criteria. The criteria themselves do not name penetration testing as a mandatory control, but auditors commonly expect a pentest as evidence for criteria such as CC7.1 (detection and monitoring of vulnerabilities) and CC6.8 (prevention and detection of unauthorized or malicious software). Without a current pentest report, your auditor has little independent evidence that your systems resist intrusion, and that gap is likely to surface as an exception in your SOC 2 Type II report.
What is SOC 2 and why does it require penetration testing?
SOC 2 is an auditing framework developed by the AICPA for service organizations that store, process, or transmit customer data. It is organized around five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the Common Criteria, numbered CC1 through CC9) is included in every SOC 2 audit; the other four categories are added based on the commitments you make to customers.
Within the Security category, two criteria are most often mapped to technical security testing:
- CC6.8 — The organization implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software.
- CC7.1 — The organization detects and monitors for vulnerabilities and threats that could impair the achievement of security commitments and system requirements.
Auditors generally expect evidence of periodic penetration testing against these criteria, and automated vulnerability scanning alone is often judged insufficient. A pentest provides documented, human-validated proof that your controls were exercised against real attack techniques, including logic flaws and chained weaknesses that scanners do not find.
What scope does a SOC 2 pentest cover?
The pentest scope should mirror the systems included in your SOC 2 audit boundary. Typically this includes:
- Cloud infrastructure — servers, containers, and cloud provider configurations (AWS, Azure, GCP) that host the in-scope service.
- Web applications and APIs — the customer-facing product and any internal APIs that process or transmit in-scope data.
- Authentication systems — SSO, identity providers, MFA implementations, and session management.
- Network perimeter — external-facing services, firewall rules, and exposed management interfaces.
The goal is to test every layer where an attacker could reach or exfiltrate the data your auditor is evaluating. If a system is in scope for your SOC 2 audit, it should be in scope for the pentest.
An application security assessment is often run in parallel to cover web-layer vulnerabilities in depth, while the penetration test covers the broader in-scope attack surface: infrastructure, network perimeter, and identity systems as well as the application.
How often do you need a pentest for SOC 2?
At minimum, once per year. SOC 2 Type II audit periods typically cover 6 to 12 months, and auditors expect at least one penetration test to have been completed within that observation period, with the report dated inside the window.
For most organizations, an annual pentest aligned with the start of the audit period is sufficient. High-risk environments — those handling financial data, health records, or high volumes of PII — may benefit from quarterly testing or a penetration testing as a service model that provides continuous coverage throughout the year.
Timing matters. Completing the pentest at the beginning of the observation period gives you time to remediate findings, obtain retest evidence, and present a clean record to the auditor. A pentest completed in the final weeks of the period leaves no room for remediation evidence.
What should the pentest report include?
Auditors reviewing your SOC 2 evidence package will look for specific elements in the pentest report. A report that lacks these components may not satisfy the auditor's evidence requirements:
- Executive summary — a non-technical overview of the engagement, scope, objectives, and overall risk posture.
- Methodology — whether the test was black-box (no prior knowledge), gray-box (partial knowledge, most common for SOC 2), or white-box (full access). SOC 2 auditors typically prefer gray-box methodology because it models a realistic attacker who already has some foothold or knowledge of the environment (a low-privilege test account, architecture documentation) without spending engagement time on blind discovery.
- Findings by severity — each finding classified by severity (Critical, High, Medium, Low) with a description of the vulnerability, affected system, and evidence of exploitation.
- Remediation guidance — concrete steps to fix each finding, not just descriptions of the risk.
- Retest results — evidence that remediated findings were retested and confirmed resolved. This is critical for SOC 2: auditors want to see the full remediation cycle, not just the initial findings.
A vulnerability management program that tracks findings from initial discovery through remediation and retest provides the audit trail auditors expect.
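As an added example (not code from the original page or from WhiteJaguars), the following Python script shows the kind of check a practitioner might run over an export of their findings tracker before handing the evidence package to the auditor. It covers both the timing point from the frequency section (the report must fall inside the observation period with enough lead time for remediation) and the remediation-and-retest cycle described above. The Finding and Engagement schema, the four-week lead-time threshold, the rule that only Critical and High findings must be closed, and the sample findings are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

SEVERITIES = ("Critical", "High", "Medium", "Low")


@dataclass
class Finding:
    """One pentest finding as exported from a findings tracker (hypothetical schema)."""
    finding_id: str
    severity: str
    remediated_on: Optional[date] = None  # date the fix was deployed, None if still open
    retested_on: Optional[date] = None    # date the tester re-verified the fix
    retest_passed: Optional[bool] = None  # None = never retested, False = retest failed


@dataclass
class Engagement:
    report_date: date        # date on the final pentest report
    findings: List[Finding]


def check_timing(engagement: Engagement, period_start: date, period_end: date,
                 min_lead_weeks: int = 4) -> List[str]:
    """Flag a report that is outside the observation period or too close to its end."""
    issues = []
    report = engagement.report_date
    if not (period_start <= report <= period_end):
        issues.append(f"report dated {report} is outside the observation period "
                      f"{period_start} to {period_end}")
    elif period_end - report < timedelta(weeks=min_lead_weeks):
        days_left = (period_end - report).days
        issues.append(f"only {days_left} days left in the period after the report; "
                      f"allow at least {min_lead_weeks} weeks for remediation and retest")
    return issues


def check_remediation(findings: List[Finding], period_end: date,
                      must_close=("Critical", "High")) -> List[str]:
    """Flag findings that lack the remediation-and-retest evidence an auditor looks for."""
    issues = []
    for f in findings:
        if f.severity not in SEVERITIES:
            issues.append(f"{f.finding_id}: unknown severity {f.severity!r}")
            continue
        if f.retest_passed:
            # Closed finding: the retest must be dated, and dated inside the period.
            if f.retested_on is None or f.retested_on > period_end:
                issues.append(f"{f.finding_id}: closed but retest date missing or after period end")
            continue
        if f.retest_passed is False:
            issues.append(f"{f.finding_id}: retest failed, finding is still open")
        elif f.remediated_on is not None:
            issues.append(f"{f.finding_id}: remediated on {f.remediated_on} but never retested")
        elif f.severity in must_close:
            issues.append(f"{f.finding_id}: {f.severity} finding has not been remediated")
        # Open Medium/Low findings go through risk acceptance and are not flagged here.
    return issues


def evidence_gaps(engagement: Engagement, period_start: date, period_end: date) -> List[str]:
    """Combined list of gaps an auditor would likely raise against this evidence package."""
    return (check_timing(engagement, period_start, period_end)
            + check_remediation(engagement.findings, period_end))


# Constructed sample data: a 12-month Type II period and a pentest reported in March.
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 12, 31)
SAMPLE_ENGAGEMENT = Engagement(
    report_date=date(2024, 3, 15),
    findings=[
        Finding("F-1", "Critical", date(2024, 4, 1), date(2024, 4, 10), True),  # fully closed
        Finding("F-2", "High", date(2024, 4, 5)),                                # fixed, no retest
        Finding("F-3", "Medium"),                                                # open, below the bar
        Finding("F-4", "High", date(2024, 4, 20), date(2024, 5, 1), False),     # retest failed
    ],
)

if __name__ == "__main__":
    for issue in evidence_gaps(SAMPLE_ENGAGEMENT, PERIOD_START, PERIOD_END):
        print("GAP:", issue)
```

On the sample data the script reports two gaps, F-2 (fixed but never retested) and F-4 (retest failed); F-1 has the complete discovery-to-retest trail and F-3 is left for risk acceptance. Running the same check against a report dated in the final week of the period would instead flag the lead-time problem described in the frequency section.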
How to choose a penetration testing provider for SOC 2
Not every penetration testing firm produces reports that satisfy SOC 2 auditors. When evaluating providers, look for:
- Experience with SOC 2 scope — the provider should understand which systems are typically in scope and how auditors interpret CC6.8 and CC7.1. Ask for sample report structures.
- Gray-box methodology — this is the most common choice for compliance-driven pentests. It balances realism with efficiency and produces findings relevant to your audit scope.
- Written remediation guidance — each finding should include actionable steps, not just severity ratings.
- Retest included — confirm that at least one retest cycle is included in the engagement to generate remediation evidence.
- Turnaround time — allow at least four to six weeks before your audit period closes: two weeks for the engagement and report, plus time for remediation and retest.
WhiteJaguars delivers gray-box penetration tests structured around SOC 2 evidence requirements, with detailed reports and a remediation retest included. Talk to our team to scope your SOC 2 pentest before your next audit cycle.
Related reading: Red Team vs Penetration Testing — understand when each approach applies to your security program.