SOC 2 and Penetration Testing: What You Need to Know Before Your Audit

Louis Sanchez, April 27, 2026

If you're a SaaS company, cloud service provider, or data processor, there's a good chance you've already heard the question from a prospective client: "Can we see your SOC 2 report?" SOC 2 compliance has gone from a nice-to-have to a deal-closer for companies selling to enterprise customers.

One of the most common questions that comes up during the SOC 2 journey is where penetration testing fits in. This guide gives you a clear, practical answer with no compliance jargon and no ambiguity.

SOC 2 in Plain English

SOC 2 (System and Organization Controls 2) is a framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how well a company protects customer data. It's built around five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

A SOC 2 audit is performed by an independent CPA firm that examines your controls, tests whether they work, and issues a formal report. There are two types: Type I evaluates your controls at a single point in time, while Type II evaluates whether they operated effectively over an observation period, typically 6 to 12 months.

Most enterprise clients will ask for a SOC 2 Type II report.

Does SOC 2 Require Penetration Testing?

Here's the technically accurate but practically misleading answer: SOC 2 does not explicitly mandate penetration testing.

Now here's the reality: auditors almost universally expect it.

The Security Trust Service Criteria include a control point (CC7.1) that requires organizations to "detect and monitor for new vulnerabilities." While the AICPA doesn't prescribe specific testing methods, demonstrating that you actively test your defenses, rather than just documenting them, is the most straightforward way to satisfy auditors.

The Practical Reality

We've never seen a SOC 2 Type II audit where the absence of a recent penetration test wasn't flagged as a concern. If you're pursuing SOC 2, plan for a pentest. It's easier (and cheaper) than explaining why you didn't do one.

What Type of Pentest Satisfies SOC 2 Auditors?

Not every penetration test is created equal in the eyes of a SOC 2 auditor. Here's what they typically look for:

Minimum Scope

The pentest scope should match your SOC 2 scope. At minimum that means external testing of the in-scope application and its supporting infrastructure; if your SOC 2 scope includes internal infrastructure, internal network testing should be included as well.

Testing Approach

Auditors look for a manual penetration test, not just an automated vulnerability scan, performed by testers with recognized security credentials, and followed by retesting of remediated findings.

Report Content

Your pentest report should include the findings, their severity ratings, remediation guidance, and the remediation status after retesting.

Why Retesting Matters for SOC 2

A pentest that finds critical vulnerabilities looks bad if there's no evidence they were fixed. Retesting, where the tester verifies your remediation, gives auditors exactly the evidence they need. At Voke Cyber, retesting is included with every engagement at no additional cost.

Timing Your Pentest for SOC 2 Success

Timing is one of the most common mistakes companies make. Here's how to get it right:

For SOC 2 Type II

Your observation period is typically 6-12 months. The penetration test should occur during this observation period, ideally with enough time left to remediate findings and retest before the period ends.

Recommended timeline:

  1. 3 to 4 months before the observation period ends: conduct the penetration test
  2. Within 2 to 4 weeks: your team remediates the findings
  3. Within 30 days: the tester retests to verify fixes
  4. Before the audit report: you have a clean pentest report with remediation evidence to hand to your auditor

For SOC 2 Type I

Since Type I is a point-in-time evaluation, have your penetration test completed (including remediation and retesting) before the audit date.

Going Forward

Once you've achieved SOC 2, plan for annual penetration testing to maintain compliance. Most auditors expect to see a pentest conducted within the last 12 months for each subsequent Type II report.

Common Mistakes That Delay SOC 2 Certification

1. Waiting Until the Last Minute

Penetration testing firms book up. If you wait until two weeks before your audit window closes, you may not find a qualified provider with availability, and you won't have time to fix what they find.

2. Using a Vulnerability Scan Instead of a Pentest

Automated vulnerability scans are valuable, but they are not penetration tests. Auditors know the difference. A scan checks for known issues; a pentest validates whether your defenses actually work against a motivated attacker. You typically need both: scans for ongoing monitoring, and a pentest for deep assurance.

3. Not Remediating Findings

A pentest report full of unaddressed critical and high findings is worse than no report at all. It shows the auditor you knew about the problems and didn't fix them. Always budget time for remediation after the pentest.

4. Scope That's Too Narrow

If your SOC 2 scope covers a web application and its supporting infrastructure, but your pentest only covered the network, you have a gap. Make sure the pentest scope aligns with your SOC 2 scope.

5. Choosing a Provider Without Relevant Credentials

Auditors may question the validity of a pentest performed by someone without recognized security certifications. Look for providers whose testers hold credentials like OSCP, OSWA, CREST, or CISSP.

What the Pentest Process Looks Like for SOC 2

If you're going through SOC 2 for the first time, here's what to expect from the penetration testing portion:

  1. Scoping call. You and the pentesting firm define what's in scope, aligned with your SOC 2 trust service criteria. This usually takes 30 minutes.
  2. Proposal and scheduling. You'll receive a quote and agree on testing dates. Book this early.
  3. Testing. The tester conducts the assessment over 3 to 10 days depending on scope.
  4. Report delivery. You receive a detailed report with findings, severity ratings, and remediation guidance.
  5. Remediation. Your team addresses the findings. The tester is available for questions.
  6. Retesting. The tester validates that vulnerabilities have been properly fixed.
  7. Final report. You receive an updated report showing the remediation status. This is what you hand to your auditor.

Frequently Asked Questions

Can we use the same firm for our pentest and our SOC 2 audit?

No, and you shouldn't want to. SOC 2 auditors must be independent. The firm performing your audit cannot also perform your penetration test. These should always be separate providers.

How much should we budget for a SOC 2 pentest?

For a typical SaaS application with supporting infrastructure, expect $8,000 to $20,000 depending on the complexity and number of targets. This is a fraction of the overall SOC 2 investment and one of the highest-value components.

What if our pentest finds critical issues?

This is actually the best possible outcome: finding and fixing issues before your auditor does. A pentest with critical findings that were subsequently remediated strengthens your SOC 2 narrative. It shows your controls are working: you test, you find, you fix.

Do we need internal and external testing?

At minimum, you need external testing. Internal network testing is recommended if your SOC 2 scope includes internal infrastructure. Your auditor and pentest provider can help you determine the right scope.

Preparing for SOC 2?

We've helped companies of all sizes handle the penetration testing component of SOC 2. Let's make sure your audit goes smoothly.
