2026-04-29 · Compliance
Do I Need a Pentest Before SOC 2?
You will need pentest evidence before your SOC 2 Type II is complete. The Trust Services Criteria never use the words "penetration test", but in practice SOC 2 Type II auditors expect penetration testing evidence as proof of a functioning vulnerability management program. Without it, your auditor cannot confirm that you actively identify and address vulnerabilities, and your workpapers are likely to show a gap that undermines a clean SOC 2 Type II attestation (SOC 2 is a CPA attestation report, not a certificate in the ISO sense).
TL;DR
SOC 2 Type II auditors expect to see penetration testing evidence. You do not need a pentest to start your SOC 2 journey, but you do need one before your audit observation period ends. Most companies complete their pentest 2 to 4 months before their audit closes. A remediated pentest report with documented follow-up is what auditors want to see. Faultline Security delivers audit-ready reports with compliance mapping available as an add-on.
What Does SOC 2 Actually Require for Penetration Testing?
SOC 2 is built around the Trust Services Criteria published by the AICPA. Under the Security category, the criterion auditors most often tie to penetration testing is CC7.1, which requires the organization to use detection and monitoring procedures to identify configuration changes that introduce new vulnerabilities and susceptibility to newly discovered ones, and to act on what it finds. Many auditors also map pentests to CC4.1 (ongoing and separate evaluations of controls), so expect the evidence request to reference either criterion.
Penetration testing is the primary mechanism auditors look for to satisfy this control. It demonstrates that you actively seek out vulnerabilities in your systems, not just wait for them to be reported. An auditor reviewing your SOC 2 will ask for:
- Evidence that a penetration test was conducted during the audit period
- The name of the firm or individual who conducted the test
- The scope of what was tested
- The findings, including severity ratings
- Evidence of remediation for critical and high findings
- Confirmation that the testing process is repeatable (you plan to do it again)
A one-time pentest is not enough on its own. Auditors want to see that penetration testing is a recurring part of your security program, typically annual at minimum.
Do I Need a Pentest for SOC 2 Type I?
SOC 2 Type I audits your security controls at a single point in time. Whether penetration testing is strictly required depends on your auditor, but most will ask for it or note its absence as an exception in your report.
The practical answer: completing a pentest before your Type I audit is strongly advisable. It strengthens your controls evidence, reduces the likelihood of auditor exceptions, and positions you well for Type II, which covers a longer observation period and has higher scrutiny.
If you are pursuing SOC 2 Type I as a stepping stone to Type II, the best sequencing is to run your pentest well before the Type I as-of date so you have time to remediate findings before your Type II observation window opens.
How Should I Sequence a Pentest with My SOC 2 Audit?
The most common and effective sequence:
1. Start implementing SOC 2 controls (months 1 to 3)
Work with your compliance platform or auditor to implement the core controls across access management, change management, incident response, and risk assessment. Document everything as you go.
2. Run your penetration test (months 3 to 4)
Once your core controls are in place, commission a penetration test. Testing against a more mature security environment produces better results and demonstrates to your auditor that testing happened in the context of a real security program, not as a box-checking exercise.
At Faultline, scoping takes 24 hours and testing starts within days. Essentials and Growth engagements complete in under two weeks from kickoff to report. Get a fixed-price proposal here.
3. Remediate findings (months 4 to 5)
Address critical and high findings immediately. Medium and low findings should be triaged and tracked, with a remediation plan documented even if not all are fixed before the audit closes.
4. Retest and get your remediated report (month 5)
A retest confirms that critical and high vulnerabilities have been addressed. Your pentest firm issues an updated report noting closure. This is the document your auditor wants. At Faultline, a full retest of all findings is included in the Comprehensive tier. For Essentials and Growth, no retest is included by default; you can add a full retest (20% of the engagement price) to verify fixes.
5. Enter your audit observation period (months 5 to 11)
Your auditor reviews your controls, requests evidence, and assesses your security program over the observation period. Your pentest report, remediation evidence, and letter of attestation are part of this package.
What Do Auditors Look For in a Pentest Report?
Not all pentest reports satisfy SOC 2 auditors equally. A report that will pass scrutiny includes:
- A clear statement of scope (what systems and environments were tested)
- The testing methodology used (PTES and OWASP WSTG, or similar)
- The name and credentials of the testing firm
- Dated findings with severity ratings (Critical, High, Medium, Low)
- Evidence of remediation for critical and high findings, or a documented plan for findings still in progress
- A retest section confirming closure of remediated issues
Reports that are too thin, undated, or lack remediation evidence give auditors reason to ask for more or flag a gap in your controls.
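The evidence requests listed above and the report checklist in this section amount to a set of mechanical checks you can run on your own findings export before the auditor does. The script below is an added example, not Faultline's tooling or anything from this page: it takes a findings export in a hypothetical dictionary layout (the field names `firm`, `test_date`, `scope`, `methodology`, `retest_date`, `findings`, and per-finding `severity`, `status`, `closed_on`, `plan` are assumptions; map them to whatever your testing firm or GRC platform actually produces) together with the audit observation period, and returns the gaps an auditor would flag: missing scope or methodology, a test dated outside the period, no retest, open critical or high findings without remediation evidence, and open medium or low findings without a documented plan. The sample data is constructed for the example.

```python
"""Pre-audit check of a pentest evidence package against the items SOC 2
auditors ask for. Added example with a hypothetical record layout; adapt the
field names to your own findings export."""
from datetime import date

# Severities the auditor expects to see remediated (or at minimum verified
# and planned), not just triaged.
MUST_REMEDIATE = {"Critical", "High"}
REQUIRED_REPORT_FIELDS = ("firm", "test_date", "scope", "methodology")

# Constructed sample: observation period and a findings export.
AUDIT_PERIOD = (date(2025, 6, 1), date(2025, 11, 30))
SAMPLE_REPORT = {
    "firm": "Example Testing Ltd",          # hypothetical firm name
    "test_date": date(2025, 8, 12),
    "scope": ["api.example.test", "app.example.test"],
    "methodology": "PTES + OWASP WSTG",
    "retest_date": date(2025, 9, 20),
    "findings": [
        {"id": "F-1", "severity": "Critical", "status": "closed",
         "closed_on": date(2025, 9, 1), "plan": None},
        {"id": "F-2", "severity": "High", "status": "open", "plan": None},
        {"id": "F-3", "severity": "Medium", "status": "open",
         "plan": "Tracked in backlog, target next quarter"},
        {"id": "F-4", "severity": "Low", "status": "open", "plan": None},
    ],
}


def check_evidence(report, period):
    """Return a list of gap descriptions. An empty list means the package
    contains everything in the checklist; it does not mean the auditor will
    accept it, only that nothing obvious is missing."""
    start, end = period
    gaps = []

    # Report-level items: who tested, when, what, and how.
    for key in REQUIRED_REPORT_FIELDS:
        if not report.get(key):
            gaps.append(f"report is missing '{key}'")

    test_date = report.get("test_date")
    if test_date and not (start <= test_date <= end):
        gaps.append(f"test date {test_date} falls outside the audit period "
                    f"{start} to {end}")

    retest = report.get("retest_date")
    if retest is None:
        gaps.append("no retest date; closed findings are unverified")

    # Finding-level items: closure evidence for Critical/High, a documented
    # plan for anything left open.
    for f in report.get("findings", []):
        fid, sev = f["id"], f["severity"]
        if f["status"] == "closed":
            closed_on = f.get("closed_on")
            if closed_on is None:
                gaps.append(f"{fid} ({sev}) marked closed without a closure date")
            elif retest is not None and closed_on > retest:
                gaps.append(f"{fid} ({sev}) closed after the retest; "
                            f"closure was never verified")
            continue
        if sev in MUST_REMEDIATE:
            if f.get("plan"):
                gaps.append(f"{fid} ({sev}) still open; confirm the auditor "
                            f"accepts a documented plan instead of closure")
            else:
                gaps.append(f"{fid} ({sev}) still open with no remediation "
                            f"evidence or plan")
        elif not f.get("plan"):
            gaps.append(f"{fid} ({sev}) open with no documented remediation plan")
    return gaps


def audit_ready(report, period):
    """True when check_evidence() reports no gaps."""
    return not check_evidence(report, period)


if __name__ == "__main__":
    for gap in check_evidence(SAMPLE_REPORT, AUDIT_PERIOD):
        print("GAP:", gap)
    print("audit-ready:", audit_ready(SAMPLE_REPORT, AUDIT_PERIOD))
```

Run against the constructed sample it reports two gaps (F-2 open with nothing documented, F-4 open with no plan) and `audit_ready` returns False; fixing those two records makes it pass. Treat the output as a pre-flight list for the evidence request, not a substitute for asking the auditor what they will accept for findings still in progress.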
Faultline reports are built to satisfy SOC 2 auditor requirements out of the box. Every finding includes CVSS scores, CWE references, proof-of-concept evidence, and step-by-step remediation guidance. The compliance mapping add-on (+20% of base price) maps every finding directly to the SOC 2 controls your auditor cares about, so the report doubles as audit evidence.
Can I Use a Vulnerability Scan Instead of a Pentest?
No. Auditors understand the difference between automated scanning and manual penetration testing, and they will ask which one you have done. Scanning is a legitimate part of vulnerability management and worth keeping, but on its own it does not satisfy what auditors expect under CC7.1: it shows neither that exploitability was confirmed nor that anyone looked for logic-level and chained vulnerabilities, which scanners do not find.
Some companies try to submit a vulnerability scan report as pentest evidence. This typically results in an auditor exception or a finding that your vulnerability management process is insufficient.
What Happens if I Do Not Have a Pentest When My Audit Closes?
If your SOC 2 Type II audit closes without penetration testing evidence, your auditor will usually note it as an exception in your report. In practice, that means the vulnerability management area is recorded as not covered for the period the auditor expected it to be.
A report that shows testing gaps is significantly less useful in sales and procurement than a clean run. Enterprise customers who request your SOC 2 as part of their vendor due diligence will see the exception and may ask follow-up questions or delay procurement while you address it.
Does the Pentest Have to Be Done by a Third Party?
In practice, yes. The criteria do not spell out an independence rule for penetration testing, but auditors expect the assessment to come from a qualified party outside the team that built and operates the system. A test run by your own engineers against their own code is rarely accepted as sufficient evidence on its own.
The testing firm does not need to hold any specific certification, but many auditors look for testers who hold credentials such as OSCP, CEH, or GPEN. Faultline testers hold recognized offensive security certifications and have direct experience working with SOC 2 audit evidence requirements.
Frequently Asked Questions
How often do I need a pentest for SOC 2?
Annually is the standard expectation for ongoing SOC 2 compliance. After your first pentest and a clean Type II report, you will need to conduct another penetration test within each subsequent 12-month audit period to keep your evidence current. Faultline offers a 15% discount on an annual contract (4 engagements per year).
Can the pentest be done after the audit observation period starts?
Yes, but it must be completed and remediated before the observation period ends. Starting it as early as possible gives you the most time to address findings. Waiting until the last month of your observation period is high-risk.
My auditor gave me a list of required tests. Is a pentest on it?
Most SOC 2 auditors provide a controls list that explicitly includes penetration testing under vulnerability management. If yours has not, ask specifically whether CC7.1 requires a penetration test for your scope. The answer will almost always be yes.
We are a small team. Do we still need a pentest?
Yes. The SOC 2 criteria are the same regardless of company size. Being a small team may mean a narrower scope for your pentest, which makes the engagement faster and less expensive. Faultline's Essentials package starts at €3,000 and covers a single application or API, which is the right starting point for most small teams.
What if my pentest uncovers issues right before the audit closes?
Work with your auditor. Many programs expect a documented remediation plan for new critical or high issues and evidence of treatment, not necessarily a fully closed state on the final day. Ask your auditor what they need in your case.
For questions about pricing, timelines, and working with Faultline, visit our FAQ page.
Faultline Security specializes in penetration testing for SaaS companies and startups. Scope your engagement in 24 hours.