Auditors and CTOs Call Out Fake Pentests

Many SOC 2 “penetration tests” aren’t actually penetration tests — and real auditors, CISOs, and engineers are calling it out.
In this video, I react to real quotes from people in the trenches: auditors frustrated with unethical upsells, CTOs complaining about worthless reports, and developers stuck fixing unverified findings from copy-pasted PDFs.
If you’ve ever paid $10k for a vulnerability scan dressed up as a pentest, you’re not crazy — this is happening a lot more than anyone wants to admit.
🔍 Topics covered:
- When SOC 2 auditors sell you the test themselves (!)
- What fake pentests look like in real life
- Why most reports don’t help your team
- How to spot garbage before you sign the contract
Want to avoid this mess entirely?
Download my free guide — Audit-Proof Your Pentest: 17 Mistakes That Will Blow Your Audit (and How to Avoid Them)