Candela Team

SOC 2 and Pentesting: What You Actually Need

A no-nonsense guide to the penetration testing requirements for SOC 2 compliance.

Tags: compliance, soc2, pentesting

SOC 2 doesn't explicitly require penetration testing. But if you skip it, your auditor will have questions — and your customers definitely will.

Does SOC 2 actually require a pentest?

SOC 2's Common Criteria CC7.1 requires that you identify and assess security vulnerabilities. While the framework doesn't spell out "pentest" by name, it's the most effective way to demonstrate you're meeting this criterion.

Every auditor we've worked with expects to see it. Every enterprise customer's security questionnaire asks for it. Just do it.

What should a SOC 2 pentest cover?

For SOC 2, your penetration test should cover:

  • External testing — what can an attacker reach from the internet?
  • Application testing — are your web apps and APIs secure?
  • Authentication and access controls — can users access things they shouldn't?
  • Data protection — is sensitive data properly encrypted in transit and at rest?

How often do you need a pentest for SOC 2?

Annually at minimum. Most companies that take security seriously do it twice a year — once as a full assessment, once as a lighter re-test to verify fixes.

If you push a major architectural change, a new product, or migrate to a new cloud provider mid-cycle, consider an additional targeted test.

What makes a good pentest report for auditors?

Your SOC 2 auditor will review the pentest report. It needs to be:

  1. Scoped clearly — what was tested and what wasn't
  2. Risk-rated — critical, high, medium, low findings
  3. Actionable — specific remediation steps, not vague recommendations
  4. Dated — within the audit period

A well-written pentest report can actually speed up your SOC 2 audit. A vague one creates more work for everyone.

What are the most common SOC 2 pentesting mistakes?

  Mistake                          Why it hurts
  Running only automated scans     Auditors can tell the difference
  Testing too narrow a scope       Leaves gaps that auditors flag
  Not retesting after fixes        Can't prove remediation worked
  Using the same firm every year   Fresh eyes find what familiarity misses

Need a pentest report your auditor will love? Let's talk — we've helped dozens of companies sail through SOC 2.

Frequently Asked Questions

Does SOC 2 require penetration testing?

SOC 2 doesn't explicitly say 'penetration test,' but CC7.1 requires identifying and assessing security vulnerabilities. A pentest is the most effective way to demonstrate this, and every auditor expects to see one.

How often do you need a pentest for SOC 2?

Annually at minimum. Most security-conscious companies test twice a year — a full assessment plus a lighter re-test to verify fixes. Additional targeted tests are recommended after major architectural changes or cloud migrations.

What should a SOC 2 pentest report include?

The report needs clear scoping of what was tested, risk-rated findings (critical/high/medium/low), specific remediation steps, and dates within the audit period. A well-structured report speeds up the SOC 2 audit.

What are common SOC 2 pentesting mistakes?

The most common mistakes are: running only automated scans (auditors can tell), testing too narrow a scope, not retesting after fixes, and using the same firm every year. Fresh perspectives catch what familiarity misses.
