Do I Need a Penetration Test for SOC 2?

If you’re gearing up for a SOC 2 audit, you’ve probably heard a lot of conflicting advice about whether you need a penetration test. Some consultants will tell you it’s mandatory. Others will say you can skip it. The truth — like most things in security — is a little more nuanced.

The Short Answer

No, penetration testing isn’t strictly required for SOC 2.
But if you’re serious about passing the audit (and building real trust with customers), you probably want one anyway.

Let’s Break That Down

SOC 2 is built around five Trust Services Criteria:

  • Security (always required)
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

Most companies going through SOC 2 Type I or Type II are focused on the Security category, and that’s where penetration testing enters the picture.

While the SOC 2 framework doesn’t name specific technical controls, it does expect you to show that your environment is secure — and that you’re identifying and addressing potential risks in a methodical way. In fact, criteria like CC4.1 (Risk Assessment) and CC7.1 (Monitoring for Security Events) practically beg for penetration testing as supporting evidence.

You could technically rely on policies and a solid vulnerability management process, but a well-documented pentest shows auditors — and clients — that you’re not just checking boxes. You’re actually stress-testing your systems like an attacker would.

What Auditors Want to See

SOC 2 auditors aren’t looking for perfection — they want to see that you’re thinking like a risk-aware company.

A penetration test helps demonstrate:

  • That you’re proactively identifying real-world threats
  • That your dev and security teams are collaborating on fixes
  • That you’ve validated controls, not just written them down

Most auditors won’t reject you for not having a pentest, but many will ask for one, especially if you’re handling sensitive customer data or if your app has public-facing components.

At Asteros, we’ve worked with companies going through their first SOC 2 who weren’t sure what auditors expected. In most cases, adding a pentest to the evidence package helped everything go more smoothly — and gave clients a stronger story to tell their own customers.

What Kind of Pentest Should You Get?

It depends on your architecture, but if you run a SaaS product or manage a customer-facing app, you’ll likely want:

  • A Web Application Penetration Test (to test the core functionality and user roles)
  • Possibly an External Network Test (to check exposed infrastructure)

At minimum, the test should be:

  • Manual-first (automated scans won’t cut it)
  • Mapped to a recognized security standard like the OWASP Application Security Verification Standard (ASVS)
  • Delivered with both technical and executive-friendly reporting

We base our assessments on the ASVS, which gives structure and depth to the testing process — covering everything from authentication to cryptography to access controls. It also helps connect the dots to frameworks like NIST and the Trust Services Criteria, so your test results actually support your SOC 2 goals.

So, Do You Need a Penetration Test for SOC 2?

No. But you probably should get one.

Think of it like this:

SOC 2 asks how you know your systems are secure. A penetration test is one of the clearest ways to answer that question.

If you’re on the fence — or you’ve been told different things by different providers — let’s talk. We’ve helped companies run their first test, prep for audits, and explain findings to stakeholders in plain English.

Need a pentest to support your SOC 2 audit? Let’s chat! 👇
