Do You Need a Penetration Test for SOC 2?
SOC 2 doesn’t literally mandate a pen test, but most auditors expect one to evidence vulnerability management. Here’s what’s actually required and why.
Short answer: SOC 2 does not literally say “penetration test” — but in practice you almost always need one. The Trust Services Criteria require you to identify and remediate vulnerabilities, and the way auditors and enterprise customers expect you to evidence that control is an annual, human-validated penetration test.
What SOC 2 actually requires
The criteria are outcome-based: they ask whether you have a process to detect, evaluate, and fix security weaknesses. A penetration test is the most widely accepted proof that this process works. A vulnerability scan alone is usually treated as insufficient because it does not validate exploitability or cover access-control and business-logic flaws.
What auditors look for in the report
- A clearly defined scope matching your in-scope systems
- Human-validated findings with severity ratings
- Remediation status for each finding
- Ideally a retest confirming critical/high issues were resolved
- Testing performed within the audit period (and after major changes)
How often?
The common expectation is at least annually, plus after significant changes to your application, authentication, or infrastructure. Continuous or quarterly testing strengthens the evidence and reduces surprises at audit time.
The efficient path
Run a scoped penetration test, remediate, and retest — then reuse that report across your SOC 2 audit and your customer security questionnaires. One assessment, multiple wins. See our SOC 2 evidence checklist and Security Assurance packages.
Frequently asked questions
- Does SOC 2 require a penetration test?
- SOC 2 does not explicitly mandate a penetration test by name. However, the Trust Services Criteria require organizations to identify and remediate vulnerabilities, and most auditors and enterprise customers expect an annual penetration test as the evidence that this control operates effectively.
- How often do I need a pen test for SOC 2?
- The common expectation is at least annually, plus after significant changes to the application, authentication, or infrastructure. Continuous or quarterly testing strengthens the evidence further.
- What does the pen test report need to include for SOC 2?
- Auditors look for a clearly scoped report, human-validated findings with severities, remediation status, and ideally a retest confirming that critical and high findings were fixed within a reasonable timeframe.