Skip to content
PENTEST // SOC 2

SOC 2 Penetration Testing

SOC 2 does not explicitly require a penetration test. That is the honest answer, and most vendors bury it.

In practice your auditor will still ask for one, because a pentest is the cleanest evidence that your monitoring controls (most commonly mapped to CC4.1) actually operate. This page covers what auditors accept, when to schedule the test, and the exact evidence pack to hand over.

CC4.1
Where auditors map the test
5-7 days
Kickoff to audit-ready report
FREE
Retest after remediation
$2,499
Fixed, whole evidence pack
THE HONEST ANSWER

Does SOC 2 require a penetration test? No.

No clause in the Trust Services Criteria says the words "penetration test."

SOC 2 is built on the COSO framework, and the Trust Services Criteria describe outcomes, not a prescriptive control list. Your auditor decides what evidence demonstrates each criterion is met. Nothing in the criteria names penetration testing, so a vendor opening with "SOC 2 requires a pentest, buy ours" is starting the relationship with a false claim.

The accurate version has two halves: SOC 2 does not require a pentest, and almost every SOC 2 auditor expects one anyway. The distinction matters because it changes what you are buying. You are not buying a checkbox named "pentest." You are buying evidence for a monitoring criterion, and that evidence has to be shaped correctly to be accepted.

CC4.1

Why auditors expect one anyway

A penetration test is the cleanest "separate evaluation" evidence for the monitoring criteria, most commonly mapped to CC4.1.

CC4.1 asks whether your company performs ongoing or separate evaluations to confirm its internal controls are present and functioning. An independent, dated penetration test with a defined methodology is the textbook separate evaluation: someone outside the control's day-to-day operation tested it and wrote down what broke.

That is why auditors reach for it. It compresses a judgment call ("is this company actually checking its own security?") into a single dated artifact with findings, severities, and a remediation trail. Skipping it forces your auditor to accept weaker substitutes and forces you into a longer conversation. An annual pentest is the cheapest way to keep that conversation short, which is why nearly every SaaS company going through SOC 2 runs one.

TIMING

Type I vs Type II: when to schedule the test

Schedule the pentest early enough that findings are remediated and retested inside your audit window.

A Type I report evaluates control design at a single point in time, so the pentest (and ideally the fixes) should exist before the as-of date. A Type II report evaluates operating effectiveness across an observation window, and the test, the remediation, and the retest only count as evidence if they land inside that window.

The common failure mode: a team books the pentest in the last month of the window, findings come back, and there is no time left to fix and retest before the auditor closes evidence collection. Rule of thumb: book in the first half of the window, and budget at least four weeks for remediation on top of the test itself.

Our engagement runs 5 to 7 days from kickoff to report, and the retest after your fixes is free, which leaves most of your window for the actual remediation work rather than vendor logistics.

SCOPE

The scope auditors expect

For a SaaS company, auditors expect the external attack surface, the production web application, and its APIs, tested at least annually and after major changes.

External surface: what an unauthenticated attacker on the internet can reach. DNS, TLS, certificates, exposed services.
The web application, authenticated: session handling, access control, injection, business-logic abuse.
APIs: REST or GraphQL endpoints, including authentication and object-level access control.
Cadence: annually at minimum, plus after major changes. A new auth flow, a re-architecture, a major release.

SCOPE HONESTY

We test web applications and APIs only. If your audit scope includes internal networks, mobile apps, or physical controls, those slices need a different vendor, and we will say so at scoping instead of quietly absorbing them.

EVIDENCE

The evidence pack you hand the auditor

Four artifacts close the request: the report, the remediation record, the retest evidence, and an attestation letter.

1. Penetration test report

Scope statement, methodology (OWASP, NIST 800-115), dated findings ranked by severity, and reproduction steps for each. This is the primary artifact; everything else hangs off it.

2. Remediation record

Proof each finding was triaged and fixed: tickets, commits, or a fix log that maps one-to-one to the report's finding IDs. Your ticket tracker usually is this record.

3. Retest evidence

An updated report showing the fixed findings were retested and closed. The piece teams forget most often, and the piece that proves the control loop actually operated.

4. Attestation letter

A signed, dated summary of the engagement you can hand to the auditor (and to enterprise customers) without shipping the full findings.

LINE BY LINE

How our deliverables map

Every artifact in the pack above comes out of one fixed engagement.

The auditor asks forWhat we deliver
Independent test reportExecutive PDF: scope statement, OWASP / NIST 800-115 methodology, severity-ranked findings with reproduction steps. One real engineer over 75 AI scanner modules; every finding human-verified.
Remediation recordFindings ship as developer JSON / SARIF, so each one drops straight into your ticket tracker. Your ticket trail plus our finding IDs form the record.
Retest evidenceFree retest after you patch. We re-run against the fixed findings and issue an updated report showing them closed. No extra charge.
Attestation letterSigned and dated attestation PDF, written to be shared with auditors and customers.
Price for the whole pack$2,499 fixed. Web app + API, 5 to 7 days from kickoff, retest and attestation included.

See the exact format before you buy anything: the sample pentest report shows the findings layout, severity model, and attestation block your auditor will receive.

TURNAROUND

If the audit deadline is close

Our kickoff-to-report turnaround is 5 to 7 days; the market norm is 4 to 6 weeks.

Published 2026 cost guides (DeepStrike, Blaze Infosec, Intruder, Astra) describe the typical engagement running 4 to 6 weeks end to end, from scoping call to final report. That is survivable if you booked early in your observation window. It is a real problem if your auditor asked for the report this month.

Our standard delivery is 5 to 7 days from kickoff. If the report has to exist within three days, expedited 72-hour delivery is available for $1,000 on top of the fixed price. The retest after your fixes stays free either way.

METHOD

Black box, grey box, or white box

Grey box is the right default for SOC 2.

Black box

No credentials, no documentation. Simulates a cold outside attacker, but spends much of the budget rediscovering what you already know about your own app.

Grey box

The tester gets credentials and API documentation. Authenticated coverage of the application, which is where your customers' data actually lives.

White box

Full source code access. The deepest option, and more than most SOC 2 audits call for.

The reason grey box wins for SOC 2: your auditor cares that the test covered the in-scope system, especially the authenticated surface where access control operates. Grey box reaches that surface directly instead of hoping the tester breaks in first, so more of the budget goes to findings. We run grey box by default and black box on request.

THE COMMON FAILURE

A scanner export is not a pentest

Handing your auditor an automated scanner report labeled "penetration test" is the most common way this control gets rejected.

A vulnerability scan enumerates known issues automatically. A penetration test has a human who verifies findings, chains them, tests business logic, and signs the result. Auditors know the difference and increasingly ask which one they are looking at. If yours gets rejected in the last month of the window, you are re-buying the test with no time left. The full comparison is in penetration testing vs vulnerability scanning.

Our engagement is hybrid on purpose: PhantomDragon's 75 scanner modules produce the breadth, one real engineer verifies every finding and writes the report, and the report says so. If you only want the automated layer first, run the free Ghost Scan: it checks your surface across 9 categories, needs no card and no signup, and is honest about being a scan, not a pentest.

COST

What a SOC 2 pentest costs

Compliance-grade pentests start around $5,000 in the published market; ours is $2,499 fixed.

Fractional CISO's published vendor ranking prices compliance-grade tests around $5,000, with quality engagements at $15,000 to $30,000. The broader 2026 cost guides (DeepStrike, Blaze Infosec, Intruder, Astra) put typical web application pentests at roughly $5,000 to $35,000+, and Intruder's guide cites day rates of $1,000 to $3,000.

Our fixed $2,499 covers the web + API engagement including the free retest and the attestation letter. The delta is structural, senior engineers in Colombo plus scanner automation doing the breadth work, not a thinner report. The full breakdown of what drives pentest pricing is in the penetration testing cost guide.

Also preparing for ISO 27001? The 2022 revision treats testing differently: control A.8.8 lists periodic penetration testing among vulnerability-identification methods. See ISO 27001 penetration testing for that mapping.

QUESTIONS

SOC 2 pentest FAQ

Does SOC 2 require a penetration test?

+
Not explicitly. No Trust Services Criterion names penetration testing. In practice auditors expect one as evidence for the monitoring criteria, most commonly mapped to CC4.1, so nearly every company going through SOC 2 runs one annually.

When should I schedule the pentest for a SOC 2 Type II audit?

+
Early in the observation window, ideally the first half. The test, your remediation, and the retest all need to land inside the window to count as evidence the control operated. A 5-7 day delivery plus a free retest keeps that loop short.

What evidence does the auditor actually want?

+
Four artifacts: the test report (scope, methodology, dated severity-ranked findings), a remediation record, retest evidence showing the fixes closed, and a signed attestation letter. All four come out of one $2,499 fixed engagement with us.

Is a vulnerability scan enough for SOC 2?

+
Usually not on its own. Auditors distinguish automated scan exports from penetration tests, and a scanner report labeled as a pentest is a common late-audit rejection. A pentest adds a named human tester, manual verification, and business-logic testing.

Which box type should I pick for SOC 2?

+
Grey box. Your auditor cares that the test covered the in-scope system, especially the authenticated surface where access control operates. Grey box reaches that surface directly, so more of the budget goes to findings instead of breaking in.

Do you test internal networks or mobile apps for SOC 2?

+
No. We test web applications and APIs only. If your audit scope includes internal network, mobile, or physical testing, those slices need a different vendor, and we will say so at scoping.

What does a SOC 2 penetration test cost?

+
Fractional CISO's published ranking prices compliance-grade tests around $5,000 and quality engagements at $15,000 to $30,000. 2026 cost guides from DeepStrike, Blaze Infosec, Intruder, and Astra put typical web-app pentests at roughly $5,000 to $35,000+. Ours is $2,499 fixed, retest and attestation included.
Ghost Protocol

Walk into the audit with the pack ready.

Start with the free scan if you want to see your surface first, or book the pentest if the auditor already asked. Either way the honest answer stays at the top of this page.

AUDIT_READY_EVIDENCE // FREE_RETEST // SIGNED_ATTESTATION