SOC 2 penetration testing, made auditor-ready
SOC 2 doesn't spell out 'penetration test' - but your auditor and your enterprise buyers expect the evidence. Here's what actually satisfies it, and how to get a control-mapped external pentest report for $50.
Does SOC 2 require a penetration test?
Not by name. SOC 2 is built on the Trust Services Criteria, and the criterion that matters most here is CC7.1 - detecting and identifying vulnerabilities. It doesn't mandate a specific method, but auditors need to see that you actively look for weaknesses, and a penetration test is the evidence they most commonly expect. Just as important: the enterprise customers who read your SOC 2 report often ask for a pentest outright.
What SOC 2 auditors actually accept
For external testing, auditors accept a report that is well-scoped, methodology-backed, and remediation-oriented - not a raw scanner dump. That means:
- A clear scope and rules of engagement, tied to assets you own.
- A stated methodology (OWASP WSTG, PTES, NIST SP 800-115).
- Findings with severity, evidence, and a concrete fix.
- A remediation trail for criticals and highs - proof you re-tested.
complyeah produces this by default. Where an auditor requires a human sign-off, you can add a reviewer attestation to any comprehensive report for $50, counter-signed with a verifiable digital signature.
How a complyeah pentest maps to the SOC 2 controls
Every finding lands on a control your auditor already uses:
- CC4.1 - monitoring of controls: recurring, evidenced testing of your external surface.
- CC6.1 - logical access: exposed services, weak TLS, and access-control findings.
- CC7.1 - vulnerability detection: the core pentest result, with severities and remediation.
- CC7.2 - security-event context for the issues we surface.
What we test
Your external, internet-facing surface: web applications, APIs, and exposed services on domains you've DNS-verified. It's external-only by design - no source-code review, no internal-network testing, and no social engineering. No scan runs without verified ownership and a stored authorization (see how we test responsibly).
Frequently asked
Does SOC 2 require a penetration test?
SOC 2 does not name a penetration test as a hard requirement, but the Trust Services Criteria expect you to detect and manage vulnerabilities (notably CC7.1), and most auditors - and most enterprise buyers reviewing your report - expect a pentest or vulnerability assessment as the evidence. In practice, an external pentest is the cleanest way to satisfy it.
What kind of pentest do SOC 2 auditors accept?
For external testing, most auditors accept a well-scoped, methodology-backed report (OWASP WSTG / PTES / NIST SP 800-115) with clear findings, severities, and a remediation trail. complyeah produces exactly that, and where an auditor wants a human sign-off you can add a reviewer attestation to any comprehensive report for $50.
How often should I run a SOC 2 pentest?
Commonly once per audit period (annually), plus after significant changes. Because complyeah is $50 per pentest with unlimited re-tests to confirm fixes, teams often run it far more frequently than a traditional annual engagement.
See your posture in a few minutes
Verify a domain and run a free posture scan. Upgrade to the full $50 external pentest whenever you need the auditor-ready report.