Start here
SOC 2 Penetration Testing
SOC 2 does not explicitly require a penetration test. That is the honest answer, and most vendors bury it.
In practice your auditor will still ask for one, because a pentest is the cleanest evidence that your monitoring controls (most commonly mapped to CC4.1) actually operate. This page covers what auditors accept, when to schedule the test, and the exact evidence pack to hand over.
Does SOC 2 require a penetration test? No.
No clause in the Trust Services Criteria says the words "penetration test."
SOC 2 is built on the COSO framework, and the Trust Services Criteria describe outcomes, not a prescriptive control list. Your auditor decides what evidence demonstrates each criterion is met. Nothing in the criteria names penetration testing, so a vendor opening with "SOC 2 requires a pentest, buy ours" is starting the relationship with a false claim.
The accurate version has two halves: SOC 2 does not require a pentest, and almost every SOC 2 auditor expects one anyway. The distinction matters because it changes what you are buying. You are not buying a checkbox named "pentest." You are buying evidence for a monitoring criterion, and that evidence has to be shaped correctly to be accepted.
Why auditors expect one anyway
A penetration test is the cleanest "separate evaluation" evidence for the monitoring criteria, most commonly mapped to CC4.1.
CC4.1 asks whether your company performs ongoing or separate evaluations to confirm its internal controls are present and functioning. An independent, dated penetration test with a defined methodology is the textbook separate evaluation: someone outside the control's day-to-day operation tested it and wrote down what broke.
That is why auditors reach for it. It compresses a judgment call ("is this company actually checking its own security?") into a single dated artifact with findings, severities, and a remediation trail. Skipping it forces your auditor to accept weaker substitutes and forces you into a longer conversation. An annual pentest is the cheapest way to keep that conversation short, which is why nearly every SaaS company going through SOC 2 runs one.
Type I vs Type II: when to schedule the test
Schedule the pentest early enough that findings are remediated and retested inside your audit window.
A Type I report evaluates control design at a single point in time, so the pentest (and ideally the fixes) should exist before the as-of date. A Type II report evaluates operating effectiveness across an observation window, and the test, the remediation, and the retest only count as evidence if they land inside that window.
The common failure mode: a team books the pentest in the last month of the window, findings come back, and there is no time left to fix and retest before the auditor closes evidence collection. Rule of thumb: book in the first half of the window, and budget at least four weeks for remediation on top of the test itself.
Our engagement runs 5 to 7 days from kickoff to report, and the retest after your fixes is free, which leaves most of your window for the actual remediation work rather than vendor logistics.
The scope auditors expect
For a SaaS company, auditors expect the external attack surface, the production web application, and its APIs, tested at least annually and after major changes.
SCOPE HONESTY
We test web applications and APIs only. If your audit scope includes internal networks, mobile apps, or physical controls, those slices need a different vendor, and we will say so at scoping instead of quietly absorbing them.
The evidence pack you hand the auditor
Four artifacts close the request: the report, the remediation record, the retest evidence, and an attestation letter.
1. Penetration test report
Scope statement, methodology (OWASP, NIST 800-115), dated findings ranked by severity, and reproduction steps for each. This is the primary artifact; everything else hangs off it.
2. Remediation record
Proof each finding was triaged and fixed: tickets, commits, or a fix log that maps one-to-one to the report's finding IDs. Your ticket tracker usually is this record.
3. Retest evidence
An updated report showing the fixed findings were retested and closed. The piece teams forget most often, and the piece that proves the control loop actually operated.
4. Attestation letter
A signed, dated summary of the engagement you can hand to the auditor (and to enterprise customers) without shipping the full findings.
How our deliverables map
Every artifact in the pack above comes out of one fixed engagement.
| The auditor asks for | What we deliver |
|---|---|
| Independent test report | Executive PDF: scope statement, OWASP / NIST 800-115 methodology, severity-ranked findings with reproduction steps. One real engineer over 75 AI scanner modules; every finding human-verified. |
| Remediation record | Findings ship as developer JSON / SARIF, so each one drops straight into your ticket tracker. Your ticket trail plus our finding IDs form the record. |
| Retest evidence | Free retest after you patch. We re-run against the fixed findings and issue an updated report showing them closed. No extra charge. |
| Attestation letter | Signed and dated attestation PDF, written to be shared with auditors and customers. |
| Price for the whole pack | $2,499 fixed. Web app + API, 5 to 7 days from kickoff, retest and attestation included. |
See the exact format before you buy anything: the sample pentest report shows the findings layout, severity model, and attestation block your auditor will receive.
If the audit deadline is close
Our kickoff-to-report turnaround is 5 to 7 days; the market norm is 4 to 6 weeks.
Published 2026 cost guides (DeepStrike, Blaze Infosec, Intruder, Astra) describe the typical engagement running 4 to 6 weeks end to end, from scoping call to final report. That is survivable if you booked early in your observation window. It is a real problem if your auditor asked for the report this month.
Our standard delivery is 5 to 7 days from kickoff. If the report has to exist within three days, expedited 72-hour delivery is available for $1,000 on top of the fixed price. The retest after your fixes stays free either way.
Black box, grey box, or white box
Grey box is the right default for SOC 2.
Black box
No credentials, no documentation. Simulates a cold outside attacker, but spends much of the budget rediscovering what you already know about your own app.
Grey box
The tester gets credentials and API documentation. Authenticated coverage of the application, which is where your customers' data actually lives.
White box
Full source code access. The deepest option, and more than most SOC 2 audits call for.
The reason grey box wins for SOC 2: your auditor cares that the test covered the in-scope system, especially the authenticated surface where access control operates. Grey box reaches that surface directly instead of hoping the tester breaks in first, so more of the budget goes to findings. We run grey box by default and black box on request.
A scanner export is not a pentest
Handing your auditor an automated scanner report labeled "penetration test" is the most common way this control gets rejected.
A vulnerability scan enumerates known issues automatically. A penetration test has a human who verifies findings, chains them, tests business logic, and signs the result. Auditors know the difference and increasingly ask which one they are looking at. If yours gets rejected in the last month of the window, you are re-buying the test with no time left. The full comparison is in penetration testing vs vulnerability scanning.
Our engagement is hybrid on purpose: PhantomDragon's 75 scanner modules produce the breadth, one real engineer verifies every finding and writes the report, and the report says so. If you only want the automated layer first, run the free Ghost Scan: it checks your surface across 9 categories, needs no card and no signup, and is honest about being a scan, not a pentest.
What a SOC 2 pentest costs
Compliance-grade pentests start around $5,000 in the published market; ours is $2,499 fixed.
Fractional CISO's published vendor ranking prices compliance-grade tests around $5,000, with quality engagements at $15,000 to $30,000. The broader 2026 cost guides (DeepStrike, Blaze Infosec, Intruder, Astra) put typical web application pentests at roughly $5,000 to $35,000+, and Intruder's guide cites day rates of $1,000 to $3,000.
Our fixed $2,499 covers the web + API engagement including the free retest and the attestation letter. The delta is structural, senior engineers in Colombo plus scanner automation doing the breadth work, not a thinner report. The full breakdown of what drives pentest pricing is in the penetration testing cost guide.
Also preparing for ISO 27001? The 2022 revision treats testing differently: control A.8.8 lists periodic penetration testing among vulnerability-identification methods. See ISO 27001 penetration testing for that mapping.
SOC 2 pentest FAQ
Does SOC 2 require a penetration test?
+
When should I schedule the pentest for a SOC 2 Type II audit?
+
What evidence does the auditor actually want?
+
Is a vulnerability scan enough for SOC 2?
+
Which box type should I pick for SOC 2?
+
Do you test internal networks or mobile apps for SOC 2?
+
What does a SOC 2 penetration test cost?
+
Walk into the audit with the pack ready.
Start with the free scan if you want to see your surface first, or book the pentest if the auditor already asked. Either way the honest answer stays at the top of this page.
AUDIT_READY_EVIDENCE // FREE_RETEST // SIGNED_ATTESTATION