
SOC 2 Penetration Testing Requirements: 2026 Guide

SOC 2 pen testing in 2026: what auditors expect, which Trust Services Criteria map to testing, OWASP Top 10 2025 coverage, pricing, and timing.


SOC 2 does not explicitly require a penetration test. In 2026, almost every auditor expects to see one anyway. The AICPA Trust Services Criteria require you to evaluate and validate security controls (CC4.1, CC7.1), and a third-party pentest is the cleanest evidence you can produce. Skip it and you will get questions you cannot answer.

Does SOC 2 Require Penetration Testing?

Technically, no. The AICPA Trust Services Criteria (2017 TSC, with revised points of focus finalized in 2022) do not contain the words “penetration test” as a line-item requirement.

Practically, yes. The points of focus under CC4.1 reference penetration testing as a method for confirming that internal control components are present and operating. Auditors running SOC 2 engagements under SSAE 18 consistently ask for pentest evidence, especially on Type II reports. If you want an unqualified opinion, assume testing is required.

How Penetration Testing Maps to the Trust Services Criteria

Penetration testing supports several Trust Services Criteria directly. Here is how the mapping works:

Trust Service Criteria | How Pen Testing Helps | What Auditors Look For
Monitoring Activities (CC4.1) | Independent evaluation that controls are present and functioning | Recent third-party pentest within the audit period
System Operations (CC7.1) | Validates that detection tools catch threats | Periodic validation of detection capabilities
Vulnerability Management (CC7.2) | Finds issues automated scanners miss | Remediation timelines and thoroughness
Change Management (CC8.1) | Confirms changes did not introduce weaknesses | Post-change security validation

Monitoring Activities (CC4.1): Prove Controls Actually Work

CC4.1 requires ongoing or separate evaluations to confirm your internal controls work. A penetration test is the canonical separate evaluation. Your auditor wants evidence that you actively looked for weaknesses, not just a vulnerability scan log.

System Operations (CC7.1): Validate Your Detection Stack

CC7.1 requires monitoring for threats and anomalies. Pentesting is not continuous, but it gives you a point-in-time check that your detection stack sees what it should. If a tester lived on your network for two weeks and your SIEM never alerted, that is a finding you want to fix before fieldwork.

When a pentest surfaces vulnerabilities your vulnerability management tooling missed, treat it as a signal to tune your continuous compliance monitoring.

Vulnerability Management (CC7.2): Go Beyond Known CVEs

CC7.2 requires timely identification, evaluation, and remediation of vulnerabilities. Scanners are good at known CVEs. Human pentesters chain low-severity weaknesses into real exploits, which is the kind of evidence auditors increasingly expect.

Change Management (CC8.1): Prove Releases Did Not Break Security

When you ship significant changes, how do you prove they did not introduce weaknesses? A pentest after a material release, migration, or re-architecture is the cleanest answer. Under CC8.1, auditors want a repeatable process, not a one-off effort.

What Type of Penetration Test Do You Actually Need?

Not all pentests are equal. The right test depends on your architecture, the sensitivity of your data, and what you need to prove.

External Network Testing: Your Internet-Facing Surface

This covers your internet-facing systems: web apps, public APIs, exposed services. External testing is where most real-world attacks start. For most SaaS startups, this is the baseline.

Internal Network Testing: Assume the Attacker Is Already Inside

Internal testing simulates an attacker who has already landed, usually via phishing or stolen credentials. It matters most if you handle regulated data or make a zero-trust claim you have not validated.

Web Application Testing: Non-Negotiable for SaaS

If your product is a web app, this is required. Testers should follow the OWASP Top 10:2025, which added Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10), merged SSRF into Broken Access Control, and promoted Security Misconfiguration to #2. Make sure the scope reflects the current list, not the 2021 edition.

API Testing: The Primary Attack Surface in 2026

APIs are now the primary attack surface for most SaaS products. Dedicated API testing should cover the OWASP API Security Top 10 (2023), including Broken Object Level Authorization, Broken Authentication, and Unrestricted Access to Sensitive Business Flows. Web app testing alone rarely catches these.

Social Engineering: Cheap to Include, Hard to Fake

Phishing simulations and voice-based social engineering test your human controls. SOC 2 requires awareness training under CC2.2, and a short phishing exercise validates whether the training works. Optional, but cheap to include.

How Often Should You Pentest for SOC 2?

Annual testing is the floor, not the ceiling. A practical cadence for 2026:

  • Annual comprehensive test: Full scope aligned to your SOC 2 system description, once per 12 months, inside the Type II audit period.
  • Targeted retest after material changes: New authentication flows, a platform migration, a new customer-data integration, or a material refactor.
  • Quarterly or continuous for higher-risk environments: Healthcare, fintech, critical infrastructure, or anyone shipping AI features that touch customer data.

Auditors want your cadence to match your risk profile. A payments platform shipping weekly should not be on the same rhythm as a static marketing SaaS.

How to Choose a Penetration Testing Firm

Your auditor will scrutinize methodology, independence, and deliverables. Pick the firm with that in mind.

Tester Qualifications: Ask Who Is Actually Doing the Work

Look for named testers (not just a firm logo) with recognized certifications:

  • OSCP (Offensive Security Certified Professional)
  • OSWE or OSEP for web and evasion depth
  • GPEN (GIAC Penetration Tester)
  • CREST CRT or CCT (especially for UK/EU customers)

If the firm will not tell you who is doing the work, that is your answer.

Independence: Keep the Pentest Separate From the Audit

The firm running your pentest should be independent from your SOC 2 auditor and from your engineering team. Third-party reports carry weight. Internal red-team output is useful context but typically will not stand alone in an audit.

Methodology: Named, Repeatable, Documented

Your firm should be able to point to a named methodology:

  • PTES (Penetration Testing Execution Standard)
  • OWASP Web Security Testing Guide and API Security Top 10
  • NIST SP 800-115

Ask how they document findings, whether they deliver CVSS v3.1/v4.0 scores, and whether retests are included.

Scope Definition: Match the SOC 2 System Boundary

Before any hands hit a keyboard, agree on scope in writing: in-bounds systems, out-of-bounds systems, test windows, credentials, and authorization letters. Your pentest scope should mirror the system boundary in your SOC 2 system description.

How to Use Pentest Results in Your SOC 2 Audit

Your pentest report is evidence. Treat it like evidence.

Documentation Auditors Expect

  • Final report with findings and CVSS severity
  • Remediation evidence for critical and high-severity findings
  • Risk acceptance memos for anything you chose not to fix, signed by an accountable owner
  • Dated timelines showing when testing, remediation, and retests occurred

Remediation Matters More Than the Findings

Finding issues is half the job. For SOC 2 Type II, auditors look at remediation behavior across the audit window. A messy report with clean remediation beats a clean report with no evidence of work. Pair it with automated evidence collection so nothing slips between the report and fieldwork.

Communicating With Your Auditor: Bring It Up Early

Share the report and remediation status early. Unfixed criticals discovered during fieldwork are a problem. The same findings raised proactively with a remediation plan are a non-issue.

Tools for Internal Security Testing

Professional pentesters bring expertise you cannot replicate in-house. Internal tooling still raises the floor before they arrive.

Commercial Options

For vulnerability scanning and initial assessments, see our guide to the best penetration testing tools.

Open Source Options

  • Nmap for network discovery
  • Burp Suite Community for web app testing
  • Metasploit for exploitation
  • OWASP ZAP for automated DAST
  • Nuclei for templated vulnerability checks

These are useful for continuous hygiene. They do not replace a third-party pentest for SOC 2.

Five SOC 2 Pentest Mistakes That Stall Audits

Scheduling Too Close to the Audit

Leave at least 4 to 6 weeks between pentest completion and audit fieldwork. You need time to remediate and retest criticals.

Misaligned Scope

If SOC 2 covers production but your pentest covers staging, your auditor will flag it. Mirror the system boundary.

Skipping Remediation

Filing the report without remediation is the fastest way to stall an audit. If you are already in trouble, our failed SOC 2 audit recovery playbook walks through the fastest path back. Track every finding to closure or a signed acceptance.

Testing Once, Never Again

A pentest from three years ago is not evidence. Annual at minimum, timed to fall inside your Type II window.

Choosing on Price Alone

The cheapest engagement tends to be automated scans behind a PDF template. For SOC 2 Type II evidence, pay for practitioner-led, manual testing.

How to Integrate Pentesting Into Your SOC 2 Program

Pentesting is one control in a broader program. For the full picture, see our guide to SOC 2 compliance requirements and our SOC 2 compliance checklist. SaaS founders should also review our SOC 2 checklist for SaaS startups for stack-specific guidance.

How Much Does a SOC 2 Pentest Cost in 2026?

Current 2026 market pricing for practitioner-led engagements scoped to SOC 2 looks like this:

  • Web application: $5,000 to $15,000 for a single app with authenticated and unauthenticated coverage
  • API: $3,000 to $8,000 for REST or GraphQL with business logic testing
  • External network: $8,000 to $20,000
  • Cloud (AWS/Azure/GCP): $6,000 to $18,000
  • Full SaaS stack covering SOC 2 scope: $8,000 to $25,000

Most Series A-B SaaS startups budget $15,000 to $35,000 annually for a combined web app and API engagement. For total SOC 2 cost context, see our SOC 2 cost breakdown.

Track Pentest Improvement Over Time

Use findings to show security maturity to auditors and customers:

  • Critical and high findings year over year
  • Median time to remediation by severity
  • Findings by OWASP category
  • Repeat findings (a leading indicator of process debt)
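The four metrics above, plus the closure-or-signed-acceptance rule from the remediation section, are easy to compute from a findings tracker. The following Python script is an added example, not code from Comp AI or from this article; the `Finding` record layout, the field names, the sample findings and the fieldwork date are all constructed for illustration. It takes a list of findings from two annual engagements and returns critical/high counts per year, median days to remediation by severity, counts by OWASP category, titles that recurred across engagements, and any critical or high finding that has neither a verified fix nor a signed acceptance as of the audit fieldwork start.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One row of a pentest findings tracker (field names are assumptions)."""
    finding_id: str
    title: str
    severity: str                      # Critical, High, Medium or Low
    owasp_category: str                # e.g. "A01:2025 Broken Access Control"
    found: date                        # date the tester reported it
    fixed: Optional[date] = None       # date a retest confirmed the fix
    accepted_by: Optional[str] = None  # owner who signed a risk acceptance


# Constructed sample data spanning two annual engagements; not real findings.
FINDINGS = [
    Finding("2025-01", "IDOR on /invoices/{id}", "Critical",
            "A01:2025 Broken Access Control", date(2025, 3, 3), fixed=date(2025, 3, 10)),
    Finding("2025-02", "Verbose stack traces on 500 errors", "Medium",
            "A10:2025 Mishandling of Exceptional Conditions", date(2025, 3, 3), fixed=date(2025, 4, 20)),
    Finding("2025-03", "Missing rate limit on password reset", "High",
            "A07:2025 Authentication Failures", date(2025, 3, 4), fixed=date(2025, 3, 25)),
    Finding("2025-04", "Outdated TLS cipher suite on legacy host", "Low",
            "A02:2025 Security Misconfiguration", date(2025, 3, 4), accepted_by="CTO"),
    Finding("2026-01", "IDOR on /invoices/{id}", "Critical",
            "A01:2025 Broken Access Control", date(2026, 3, 2), fixed=date(2026, 3, 4)),
    Finding("2026-02", "Unpinned build dependency pulled from public registry", "High",
            "A03:2025 Software Supply Chain Failures", date(2026, 3, 2), fixed=date(2026, 3, 30)),
    Finding("2026-03", "Object storage policy allows listing by any principal", "High",
            "A02:2025 Security Misconfiguration", date(2026, 3, 3)),
    Finding("2026-04", "Debug endpoint enabled in production", "Medium",
            "A02:2025 Security Misconfiguration", date(2026, 3, 3), fixed=date(2026, 3, 12)),
]

# Assumed start of Type II fieldwork, used to age unresolved findings.
AUDIT_FIELDWORK_START = date(2026, 4, 15)


def critical_high_by_year(findings):
    """Critical and High findings per engagement year (year taken from the found date)."""
    counts = Counter(f.found.year for f in findings if f.severity in ("Critical", "High"))
    return dict(counts)


def median_days_to_remediate(findings):
    """Median found-to-verified-fix time in days, keyed by severity; unfixed findings are excluded."""
    days = defaultdict(list)
    for f in findings:
        if f.fixed is not None:
            days[f.severity].append((f.fixed - f.found).days)
    return {sev: median(v) for sev, v in days.items()}


def findings_by_owasp(findings):
    """Number of findings in each OWASP category across all engagements."""
    return dict(Counter(f.owasp_category for f in findings))


def repeat_findings(findings):
    """Titles reported in more than one engagement year: a leading indicator of process debt."""
    years = defaultdict(set)
    for f in findings:
        years[f.title].add(f.found.year)
    return sorted(title for title, ys in years.items() if len(ys) > 1)


def unresolved_for_audit(findings, as_of):
    """Critical/High findings with neither a verified fix nor a signed acceptance,
    mapped to the number of days they have been open as of `as_of`."""
    return {
        f.finding_id: (as_of - f.found).days
        for f in findings
        if f.severity in ("Critical", "High") and f.fixed is None and f.accepted_by is None
    }


def maturity_report(findings, as_of):
    """Bundle the metrics into one dict suitable for an auditor-facing summary."""
    return {
        "critical_high_by_year": critical_high_by_year(findings),
        "median_days_to_remediate": median_days_to_remediate(findings),
        "findings_by_owasp": findings_by_owasp(findings),
        "repeat_findings": repeat_findings(findings),
        "unresolved_before_fieldwork": unresolved_for_audit(findings, as_of),
    }


if __name__ == "__main__":
    for key, value in maturity_report(FINDINGS, AUDIT_FIELDWORK_START).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the constructed data. The `unresolved_before_fieldwork` entry is the one to check before sharing the report with your auditor: anything listed there needs either a retest-confirmed fix or a signed acceptance memo before fieldwork starts, and the day count shows how long it has sat open.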

How Comp AI Helps With SOC 2 Penetration Testing

Getting pentesting right for SOC 2 is not just the test. It is the documentation, remediation tracking, mapping to Trust Services Criteria, and handing your auditor clean evidence. A modern compliance automation platform keeps all of that wired together.

Comp AI handles the non-testing work. Our platform helps you:

  • Schedule and track pentest engagements as audit evidence
  • Document remediation with audit-ready artefacts
  • Map findings to the relevant Trust Services Criteria
  • Maintain continuous compliance between audits

We have helped startups get audit-ready in hours, not months. Our AI agents handle evidence collection and documentation so you can focus on fixing what the tester found.

Frequently Asked Questions

Is penetration testing required for SOC 2 compliance?

Not explicitly. The AICPA Trust Services Criteria do not list pentesting as a line-item requirement, but the points of focus under CC4.1 reference it, and in 2026 most auditors expect third-party pentest evidence for an unqualified Type II opinion.

How often should I conduct penetration tests for SOC 2?

Annual testing is standard. Add targeted tests after material infrastructure changes, significant new features, or third-party integrations that change your attack surface. Higher-risk organizations should move to quarterly or continuous testing.

What is the difference between penetration testing and vulnerability scanning?

Scanning is automated and finds known issues. Pentesting is practitioner-led and finds chains of weaknesses that scanners miss. Both are valuable, but only pentesting produces the manual-exploit evidence auditors treat as strong assurance.

How much does a SOC 2 pentest cost in 2026?

A focused web app engagement runs $5,000 to $15,000. A full SOC 2 scope covering web, API, and cloud infrastructure runs $8,000 to $25,000 at mid-market firms, with Series A-B startups typically budgeting $15,000 to $35,000 annually.

When should I schedule my pentest before a SOC 2 audit?

Leave at least 4 to 6 weeks between completion and fieldwork. That is enough to remediate critical and high findings and document the fixes.

Do I need a third-party firm?

For SOC 2 evidence, yes. Internal red-team findings are useful context, but auditors weight independent third-party reports far more heavily.

What should be in scope for a SOC 2 pentest?

Mirror the system boundary in your SOC 2 system description. For most SaaS products, that means external perimeter, web app, APIs, and the cloud control plane. Add internal network testing if you handle regulated data.

How do I present results to my auditor?

Provide the final report, remediation evidence for criticals and highs, signed risk acceptances for anything unresolved, and a dated timeline. Share early to avoid surprises during fieldwork.

Penetration testing is the cleanest way to prove your SOC 2 controls work. It is not technically required, but in 2026 you should plan on it. If you want help wiring pentesting into a full compliance program, book a demo.


About the author

Founder & CEO, Comp AI

Founder & CEO of Comp AI, an open source GRC platform that helps companies get compliant with frameworks like SOC 2 and ISO 27001.