Penetration Testing for SOC 2 Compliance
SOC 2 does not explicitly mandate penetration testing. Nowhere in the Trust Services Criteria will you find the words “you must conduct a pentest.” Yet virtually every SOC 2 Type 2 audit conducted today expects penetration testing evidence. The reason is straightforward: the Common Criteria controls, particularly CC6 (Logical and Physical Access Controls) and CC7 (System Operations), require you to demonstrate that your security controls actually work. The most credible way to demonstrate that is to test them the way an attacker would.
Why SOC 2 Auditors Expect Pentesting
The SOC 2 framework is built around five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the mandatory baseline, and it is where penetration testing becomes practically essential. CC6.1 requires logical access controls that restrict unauthorised access. CC6.3 requires controls over system boundaries and network segmentation. CC6.6 addresses controls against threats from outside the system boundary. CC7.1 requires monitoring of systems for anomalies that indicate malicious acts. CC7.2 requires procedures to detect and respond to security incidents.
An auditor reviewing these controls needs evidence that they work under adversarial conditions, not just that they exist. A firewall rule document shows intent. A vulnerability scan shows theoretical coverage. But a penetration test report shows what happens when someone actually tries to bypass those controls. It proves whether your access controls hold, whether your network segmentation prevents lateral movement, whether your monitoring detects malicious activity, and whether your incident response process activates when it should.
This is why experienced SOC 2 auditors from firms like Schellman, A-LIGN, and Coalfire routinely request penetration testing evidence during their examinations. It is not a box-ticking exercise. It is the most efficient way to validate that an interconnected set of security controls functions as intended.
What Auditors Look for in Pentest Evidence
Not all penetration test reports satisfy SOC 2 auditors equally. There are specific elements that auditors evaluate when reviewing your testing evidence, and missing any of them can result in follow-up requests or qualified findings.
First, scope alignment. The pentest must cover the systems and applications that are in scope for your SOC 2 examination. If your SOC 2 boundary includes your production web application, your API layer, and your cloud infrastructure, the pentest needs to address all three. A test that only covers external network scanning while ignoring application-layer testing leaves a gap that auditors will flag.
Second, severity classification using industry-standard scoring. Auditors expect CVSS (Common Vulnerability Scoring System) scores for each finding. This gives them an objective, repeatable metric to assess risk. A report that uses informal labels like “high” or “critical” without CVSS backing lacks the precision auditors need to evaluate your control environment.
Third, remediation guidance. Each finding must include specific, actionable remediation steps. Generic advice like “update your software” is insufficient. Auditors want to see targeted recommendations: which component needs updating, what configuration change resolves the issue, what compensating control applies if immediate remediation is not possible.
Fourth, re-test evidence. This is where many organisations fall short. Auditors want to see not just that you found vulnerabilities, but that you fixed them and verified the fixes. A report showing critical findings with no follow-up re-test raises questions about your remediation process. The ideal evidence trail shows: initial finding, remediation action, and re-test confirmation that the vulnerability is resolved.
Fifth, testing methodology and tester qualifications. Auditors assess whether the testing was conducted competently. This includes the methodology used (OWASP, PTES, or similar recognised frameworks), the tools and techniques employed, and the qualifications of the testers. For autonomous AI pentesting platforms, auditors evaluate the platform's methodology, its coverage depth, and its ability to produce evidence equivalent to or exceeding manual testing.
How Often Should You Test for SOC 2?
SOC 2 Type 2 examinations cover a period of time, typically 12 months. During that period, auditors expect to see evidence of ongoing security testing, not a single point-in-time assessment. The minimum expectation from most auditors is an annual penetration test. However, annual testing creates a problem that auditors increasingly recognise: it provides a snapshot of security at one moment, leaving the remaining 11 months unvalidated.
Best practice, and what leading auditors now recommend, is quarterly or continuous testing. This approach aligns with the SOC 2 principle of ongoing monitoring described in CC4.1 (COSO Principle 16), which requires management to select, develop, and perform ongoing evaluations. Continuous testing demonstrates that your security controls are validated throughout the audit period, not just at one point within it.
The practical barrier to continuous testing has always been cost. Traditional penetration tests cost between $15,000 and $50,000 per engagement. Running those quarterly means $60,000 to $200,000 annually, a budget that most mid-market companies cannot justify. This is precisely where AI-driven pentesting changes the economics of compliance.
What a SOC 2 Compliant Pentest Report Needs
A penetration test report that satisfies SOC 2 auditors must contain specific elements. Here is what your report should include as a minimum.
An executive summary that describes the scope, methodology, testing period, and high-level results. This is what your auditor reads first. It should clearly state what was tested, how it was tested, and the overall risk posture.
A detailed findings section with each vulnerability documented individually. Each finding should include: a descriptive title, the affected system or component, a CVSS v3.1 score with the vector string, a clear description of the vulnerability, steps to reproduce (proof of concept), the business impact, specific remediation guidance, and references to relevant CVE identifiers where applicable.
A mapping to SOC 2 controls. The most useful reports for auditors explicitly map each finding to the relevant Common Criteria control point. For example, an authentication bypass finding maps to CC6.1. A network segmentation weakness maps to CC6.3. This mapping saves your auditor significant time and demonstrates that your testing programme is designed with SOC 2 compliance in mind.
Re-test results showing remediation verification. Each finding that was remediated should have a corresponding re-test entry confirming the fix. This creates the complete evidence loop that auditors require: identify, remediate, verify.
Annual Pentest vs Continuous AI Testing for SOC 2
| Dimension | Annual Manual Pentest | Continuous AI Testing (Revelion) |
|---|---|---|
| Testing frequency | Once per year | On-demand, weekly, or after every deploy |
| Coverage during audit period | Single point-in-time snapshot | Continuous coverage across full audit period |
| Time to results | 2-4 weeks after engagement start | Hours |
| Re-test after remediation | Requires scheduling, additional cost | Immediate, included |
| CVSS scoring | Yes | Yes, with proof-of-concept evidence |
| SOC 2 control mapping | Sometimes, depends on tester | Automatic |
| Cost per year | $15,000 - $50,000+ | From £10 per test |
| Detects new vulns between tests | No | Yes, with continuous scheduling |
How Continuous AI Pentesting Maps to SOC 2
Revelion generates reports that map directly to SOC 2 Common Criteria controls. Every finding includes CVSS v3.1 scoring, detailed proof-of-concept evidence, specific remediation guidance, and CVE references where applicable. When you remediate a finding and re-run the test, the platform automatically generates re-test evidence showing the vulnerability is resolved. This creates the complete audit trail that SOC 2 auditors require, without manual effort.
The continuous testing model also addresses a growing concern among auditors: the gap between annual tests. If you deploy new features monthly but only pentest annually, you have 11 months of untested changes in production. Continuous AI testing closes that gap. You can run a full penetration test after every significant deployment, generating fresh evidence that your controls remain effective as your application evolves. This directly supports CC4.1 (ongoing monitoring) and CC7.1 (anomaly detection through regular testing).
For organisations pursuing SOC 2 for the first time, continuous testing also accelerates readiness. Rather than discovering a backlog of vulnerabilities during a single annual engagement, you identify and remediate issues incrementally. By the time your audit period begins, your security posture is already validated and your evidence is already collected. See how Revelion compares to enterprise pentesting platforms like Pentera if you are evaluating tools for your SOC 2 compliance programme.
Getting Started
Whether you are preparing for your first SOC 2 audit or looking to strengthen evidence for your next Type 2 examination, continuous penetration testing is the most efficient path to robust compliance evidence. It costs a fraction of traditional engagements, runs on your schedule, and produces audit-ready reports that map directly to the controls your auditor evaluates.