Do you need a penetration test for SOC 2?
Is it required?
If you’re preparing for SOC 2, you’ve probably asked yourself: “Do we actually need a penetration test?”
It’s a valid question, especially since the SOC 2 framework never explicitly uses the term “penetration test”. What SOC 2 technically requires is that you identify and remediate security vulnerabilities, which can be done through either a vulnerability assessment or a penetration test.
However, in practice, auditors and security-conscious customers expect a penetration test.
Key takeaways
- Not explicitly required but expected: Penetration testing is not mandated by SOC 2, but auditors use it as a standard way to validate the Security (Common Criteria) requirements.
- Early, you can plan it for later.
- It’s your strongest evidence: a pen test proves your system can withstand real attacks, not just on-paper intentions.
- Different types exist: external, internal, white-box, black-box. Your choice depends on your infrastructure, your customer or prospect request and SOC 2 scope.
Why auditors expect a pen test
The foundation of SOC 2 is the Security Principle, which requires systems to be protected against unauthorized access and related risks.
You can claim you do vulnerability testing, but a professional penetration test provides objective proof. It shows you aren’t just compliant on paper and you’re actively testing your defenses.
The type of penetration test
| Type | What it simulates | When it’s useful |
|---|---|---|
| External pen test | Attacks from the public internet (public APIs, web apps). | Minimum expected for SOC 2. |
| Internal pen test | Threats from within your network or compromised employee credentials. | More relevant for larger orgs or hybrid environments. |
| Black box | No system knowledge given to the tester. | Realistic threat simulation. |
| White box | Full access to source code, infrastructure, architecture diagrams. | Most thorough and efficient form. |
If you’re early, it’s okay not to do it
You do not need a penetration test, and SOC 2, if:
- You’re pre-product or very early stage.
- Your infrastructure is still changing frequently.
- No client or partner is asking for pen-test.
- You’re still validating product-market fit.
In fact, doing a pen test too early can be wasteful:
- You’ll have to redo it when systems change.
- Audit evidence becomes outdated quickly.
- Engineering time is better spent building the product.
Best practice:
Build your product → implement basic security hygiene → pursue SOC 2 (and pen testing) when a customer or partner explicitly requires it.
How Probo helps
Probo doesn’t conduct penetration tests directly, but we:
- Help you choose the right vendor and scope.
- Ensure the test aligns with SOC 2 auditor expectations.
- Track remediation of vulnerabilities.
- Organize all evidence in an audit-ready format.
So you don’t have to manage yet another project.
Conclusion
A penetration test isn’t technically mandatory in SOC 2 but it has become the industry norm and auditor expectation. However, if your startup is still early, or no one is asking for it yet, it is perfectly okay to wait.
Frequently asked questions
1. When should we do our penetration test?
After your security controls are in place but before your audit window begins, ideally 1–2 months prior (so you have time to fix all findings).
2. How often is a penetration test required?
Auditors generally expect it annually. SOC 2 only requires annual vulnerability testing, but a pen test is considered the gold standard.
3. Vulnerability scan vs. penetration test: what’s the difference?
- A vulnerability scan is automated and looks for known issues.
- A penetration test is manual, targeted, and simulates real attacks.
Auditors strongly prefer the latter.
4. What if the penetration test finds critical vulnerabilities?
That’s normal. Auditors don’t expect perfection, just a process. What matters is:
- You prioritize fixes,
- You remediate issues,
- You can show evidence of doing so.
5. How much does a penetration test cost?
Typically $2,000 to +$25,000+, depending on scope, infrastructure complexity, and testing type.
