SOC 2 doesn't technically mandate a pentest. But try going through a Type II audit without one and watch the findings pile up. We deliver audit-ready reports mapped to Trust Service Criteria, in 5 business days.
It's not in the spec as a hard requirement. But every experienced SOC 2 auditor looks for it, and not having it creates problems.
Your auditor evaluates you against AICPA's Trust Service Criteria. Pentesting directly addresses several of them: access controls, system monitoring, incident response, availability. It's one of the strongest pieces of evidence you can put in front of an auditor.
Enterprise buyers increasingly won't sign vendor contracts without SOC 2 certification. And when they review your SOC 2 report, they notice if there's no pentest evidence. Having it makes deals close faster.
A Type II audit covers 6-12 months of your control environment. The auditor wants to see that you identified risks, tested for vulnerabilities, and fixed what you found. A pentest gives them exactly that evidence trail.
Auditors who see no evidence of independent security testing may flag it as a finding or exception in your report. That's the kind of thing enterprise customers notice and ask about. Easier to just do the test.
Each section below shows the Trust Service Criteria requirement and what we actually do to test it.
The requirement: Your systems restrict access to authorized users through authentication and access controls.
What we do: We try to authenticate as unauthorized users, bypass MFA, escalate privileges, and access things we shouldn't be able to. If your access controls have gaps, this is where we find them.
The requirement: Your organization monitors its systems and detects security events.
What we do: While we're testing, we check whether your monitoring picks up our activity. Do alerts fire? Does your team notice? Our report documents your detection capabilities honestly, which is exactly what the auditor wants to see.
The requirement: Your organization identifies and responds to risks, including potential business disruptions.
What we do: The pentest itself is a risk identification exercise. We find real vulnerabilities, document them, and provide remediation guidance. If you do a follow-up retest, that demonstrates your risk response cycle in action. Auditors love seeing that loop closed.
The requirement: Your organization monitors and maintains system availability.
What we do: We assess backup systems, failover mechanisms, and DDoS protections. If there are weaknesses in your availability architecture, we'll document them. Uptime matters to your customers, and it matters to the auditor.
The requirement: Your organization communicates and enforces its privacy policies.
What we do: We test whether access controls and data protections actually prevent unauthorized access to customer data. If someone can reach data they shouldn't, that's a privacy control failure we'll document.
The requirement: Data is protected from unauthorized access, use, and disclosure during transmission, processing, and storage.
What we do: We test encryption, look for unencrypted data in transit, check data protection mechanisms, and try to access or modify data without authorization. The report shows your auditor whether your confidentiality controls are working.
SaaS platforms have their own attack surface. Here's how we approach it.
Your web app, customer portal, and public-facing interfaces. We focus on authentication, authorization, and data handling since that's where your customers' data lives.
AWS, Azure, GCP, whatever you're running on. We look at network segmentation, IAM policies, encryption settings, and common misconfigurations that plague cloud environments.
APIs are the backbone of most SaaS products. We test for authentication bypass, broken authorization, data exposure through API responses, and rate limiting gaps.
Databases, backup systems, encryption implementation, and the access controls around customer data. We verify that sensitive data is actually protected at rest and in transit.
Load balancers, failover configs, backup infrastructure, DDoS protections. If your SLA promises uptime, we check whether your architecture can deliver it under pressure.
Documentation built for your auditor's review, not just a pile of findings.
Every finding mapped to the relevant Trust Service Criteria. Executive summary for leadership, technical details for your engineering team, CVSS scores, and fix guidance. Formatted so your auditor can review it efficiently.
A one-page summary designed for your SOC 2 auditor. Key results, risk categories, and control effectiveness conclusions. Gives the auditor what they need without making them dig through 100 pages.
After you've fixed things, we come back and verify. The follow-up report documents your control improvement and shows the auditor that your risk response process actually works. This is the evidence that makes auditors comfortable.
90-minute consultation to walk through findings, help prioritize remediation, and discuss how to position results for your auditor. We've seen what auditors ask about, and we can help you prepare.
Scoped for your SaaS platform. Best results when you test early in your audit period so you have time to show remediation.
Custom-scoped to your SaaS environment
Timing your pentest right can make the difference between a clean audit and one full of caveats.
This gives your auditor exactly what they want to see: you found problems, you had a process for fixing them, you actually followed through, and you verified the results. That's the narrative that produces a clean SOC 2 report.
What SaaS companies ask before scheduling.
Not in black and white. But your auditor will evaluate your risk assessment and control environment. If they don't see evidence of independent security testing, they're likely to flag it. In practice, every SOC 2 company we've worked with needed one.
Early in your audit period. If you're on a 12-month audit, test in month one or two. That gives you the rest of the period to remediate and optionally retest, so the auditor sees a complete improvement cycle.
We work with your team to minimize impact. Most testing is non-destructive and can happen during low-traffic windows. You'll see the scope in advance so your ops team can plan accordingly.
The report is yours. Many SaaS companies share portions of their pentest results during vendor security reviews. It's a good sales tool when prospects ask about your security program.
That's actually useful for your audit. It shows you're identifying real risks. We document everything and give you clear fix guidance. Remediate, retest, and you've got a documented improvement cycle your auditor will be happy to see.
Pentesting complements vulnerability scanning and your internal risk assessments. It's a different angle. Scanners find known issues; a pentest simulates what an attacker would actually do. They work together, not as substitutes.
For each new audit period, you'll want a current pentest. Most companies test annually. Your auditor expects to see testing evidence that covers the current audit window, not something from two years ago.
Audit-ready testing mapped to Trust Service Criteria. Scoped for your platform. 5-day turnaround.
Reports formatted for Type II review
Cloud platforms, APIs, and modern architectures
Finds what the auditor would flag