SOC 2
SOC 2 Penetration Testing
Testing scoped to your Trust Services Criteria - evidence designed to support your SOC 2 auditor's review, delivered by a UK-based, in-house team.
UK-based testers · Trust Services Criteria experience · Findings tagged against CC and additional categories
Why this matters
Why SOC 2 needs penetration testing.
SOC 2 is a US AICPA framework - but if you're a UK SaaS company selling to North American customers, your prospects' procurement teams will ask for it. The audit examines your controls against the Trust Services Criteria: Security (mandatory), and optionally Availability, Confidentiality, Processing Integrity, and Privacy.
Penetration testing isn't called out as a single criterion, but it provides evidence for several. Most relevantly, CC4.1 (control monitoring activities) and CC7.1 (detection of vulnerabilities) require demonstrable processes for identifying control failures and vulnerabilities. A pentest is the cleanest evidence that those processes work.
The distinction that matters: Type I examines control design at a point in time; Type II examines operating effectiveness over a period (typically 6-12 months). A Type II audit will want to see pentests performed during the audit period, not just one done before it started.
What gets tested - and which Pentiq service covers it.
If you're audited against SOC 2 with the Confidentiality criterion (as most SaaS companies are), your test scope typically includes the web app, API, and cloud environment. If you add Availability, infrastructure resilience testing comes into play as well.
| Control area | What's assessed | Pentiq service |
|---|---|---|
| Security - CC6.1 | Logical and physical access controls | External & Internal Infrastructure Testing |
| Security - CC6.6 | Boundary protection | External Infrastructure Testing |
| Security - CC7.1 | Detection and monitoring of vulnerabilities | Vulnerability Scanning Subscription |
| Security - CC7.2 | System component anomalies | Internal Infrastructure Testing, Red Teaming |
| Security - CC4.1 | Monitoring activities | All testing services with portal evidence |
| Confidentiality - C1.1 | Information classification & protection | Web Application & API Testing |
| Availability - A1.2 | Environmental & infrastructure protections | Cloud Penetration Testing |
Scope my test
Get a tailored SOC 2 test scope.
Tell us which Trust Services Criteria you're audited against and we'll come back with a scoped engagement - usually within one working day.
Engagement
What a Pentiq SOC 2 engagement looks like.
Scoping
A short call with your technical contact to confirm scope, agree the test plan, and book delivery dates against your SOC 2 timeline.
Testing
Testing runs against the agreed scope. Findings appear in your Pentiq portal in real time, so your team can start triaging without waiting for a final report.
Reporting & remediation
Final report delivered through the portal: executive summary, technical findings mapped to SOC 2 control areas, and remediation guidance for each issue.
Optional re-test
We re-test fixed findings before your SOC 2 assessment so you walk in clean.
Engagement length depends entirely on scope - we confirm a realistic timeline during the scoping call.
Common questions
Frequently asked questions.
Is penetration testing required for SOC 2?
The standard doesn't mandate it by name, but auditors expect it as evidence for criteria like CC7.1 and CC4.1. Going to audit without recent pentest evidence usually results in either a qualified opinion or remediation requirements before the report is issued.
Type I or Type II - does it change the testing approach?
Type I examines control design at a single point. Type II examines operating effectiveness over a 6-12 month period - which means your pentest evidence has to fall within that period. Many organisations time their annual pentest to occur in the first quarter of their audit period so the evidence is fresh throughout.
We're a UK company - why does SOC 2 matter?
Because your enterprise customers in North America (and increasingly globally) include SOC 2 as a procurement requirement. SOC 2 has become the de facto SaaS trust signal, and UK companies selling to US enterprises typically need it alongside or instead of ISO 27001.
How does this differ from ISO 27001 testing?
The testing itself is similar - scope tends to focus on your SaaS application, supporting infrastructure, and cloud. The reporting differs: SOC 2 reports map findings to Trust Services Criteria; ISO reports map to Annex A controls. We tag findings against whichever framework you ask for.
Can one pentest cover both ISO 27001 and SOC 2?
Yes, and most organisations do exactly this. The technical work is the same; the reporting is dual-tagged. Plan it once, get evidence for both.
What about our subprocessors?
SOC 2 expects you to manage subprocessor risk, but you're not expected to pentest their environments. You should review their SOC 2 reports (or equivalent) and ensure your contracts oblige them to maintain their own. We can help you assess subprocessor reports as part of a broader engagement.
Bridge letter period - what happens between audits?
Bridge letters cover the period between your last Type II report and the current date. Auditors expect controls (including testing) to continue uninterrupted during the bridge period. An annual pentest cycle is what auditors typically look for here; a one-off generally doesn't meet the same expectation.
