SOC 2 Penetration Testing

Penetration testing is one of the most consistently scrutinized pieces of evidence in a SOC 2 audit. Auditors want to see that you tested, that you tested with rigor, and that you remediated. StandardPentest delivers a SOC 2-aligned penetration test — with a signed attestation letter, a detailed findings report, and a free retest — in 24 hours. Our deliverable is purpose-built to satisfy the Common Criteria your auditor will ask about.

How SOC 2 Treats Penetration Testing

SOC 2 does not prescribe a specific cadence or methodology, but the AICPA Trust Services Criteria treat penetration testing as expected evidence under the Common Criteria for Risk Assessment, Logical Access, and System Operations. In practice, auditors look for an annual external test, evidence of remediation, and retesting of significant findings. Most SOC 2 Type II reports include penetration testing as a key control.

Common Criteria We Help You Satisfy

  • CC4.1 — The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Our test is the separate evaluation.
  • CC7.1 — The entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities. We surface vulnerabilities your monitoring missed and recommend specific detection improvements.
  • CC7.2 — The entity monitors system components and the operation of those components for anomalies. Our test exercises your detection coverage; gaps appear in the report.
  • CC9.1 — The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. Our remediation guidance feeds your risk treatment plan.

Our Methodology

Every SOC 2 engagement runs the same standardized four-phase workflow:

  • Scoping aligned to your in-scope systems and trust criteria
  • Automated and manual vulnerability discovery using OWASP, NIST SP 800-115, and PTES guidance
  • Exploitation to confirm impact and reduce false positives
  • Reporting in a format SOC 2 auditors recognize

We talk to your auditor on request to confirm the report meets their evidentiary expectations before you submit.

What You Get

  • A signed attestation letter on company letterhead, naming the systems tested, the dates of testing, the methodology used, and the outcome — the document your auditor will ask for first
  • A detailed findings report with executive summary, scope, methodology, per-finding technical detail, CVSS 3.1 scoring, and remediation guidance
  • A separate remediation tracking document mapping each finding to your owners and target dates
  • Mapping of every finding to the relevant Trust Services Criteria for direct evidence of control coverage
  • A free retest of remediated findings within 90 days, with an updated attestation letter for your audit window

Frequently Asked Questions

Will your test satisfy our SOC 2 auditor?

Yes. Our deliverables are built from the format auditors actually ask for, and we have shipped reports accepted by every major SOC 2 audit firm. If your auditor wants something specific, we will adjust before final delivery at no extra cost.

Type I or Type II — does it matter?

The same penetration test supports both. For Type II, the timing matters: testing should fall inside the audit window, and any high or critical findings should be remediated and retested before the audit closes. We help you plan that timeline.

Do we need a separate test for each environment?

If your in-scope SOC 2 systems share infrastructure (same VPC, same identity provider, same code base), one engagement typically covers them. If they are isolated, we scope a separate engagement per environment. We confirm scope with you and your auditor up front.

How quickly can we get the attestation letter?

Twenty-four hours from kickoff for the standard engagement. If your audit window is closing this week, tell us — we can prioritize and deliver the attestation letter the same day testing completes.

Schedule a Pentest

Tell us your audit window and we'll work backwards from your deadline.