SOC 2 Penetration Testing Requirements, Explained

Quick answer

SOC 2 does not strictly mandate a penetration test, but in practice auditors and enterprise customers expect one, usually at least annually and after significant changes. A pentest provides strong evidence for the risk-assessment and monitoring criteria, and most companies pursuing SOC 2 Type II run one as part of the process.

Does SOC 2 require a penetration test?

Technically, the SOC 2 Trust Services Criteria don't contain a line that says "you must run a penetration test." SOC 2 is principles-based. But several criteria, particularly around risk assessment and monitoring of controls, are most convincingly satisfied with evidence of active security testing. In real engagements, auditors routinely ask for a recent pentest, and your enterprise customers almost certainly will.

So the honest answer: not strictly required by the letter of SOC 2, effectively expected in practice.

How often, and what scope

  • Frequency: at least once per year, and after any significant change to the application or infrastructure.
  • Scope: the production application and APIs that handle customer data, plus relevant infrastructure.
  • Evidence: keep the report, the remediation record, and proof you retested fixes.

Where continuous testing fits

A once-a-year pentest gives you the report auditors want, but it says nothing about the other 50 weeks. Continuous automated testing strengthens your SOC 2 story in two ways: it demonstrates ongoing monitoring of your control environment, and it produces a running record of issues found and remediated between formal engagements.

Kyro generates per-finding reports with severity, reproduction steps, and fix status that you can track over time: useful artifacts when an auditor asks how you continuously monitor for vulnerabilities. Start a free scan to begin building that record.

Type I vs. Type II

A Type I report assesses control design at a point in time; Type II assesses operating effectiveness over a period (typically 3-12 months). Continuous testing is especially valuable for Type II, where you must show controls worked throughout the period, not just on audit day.

Find these bugs in your own app

Kyro runs an AI security hunter against your SaaS and emails you the moment it confirms a real, reproducible vulnerability.

Frequently asked questions

Does SOC 2 require a penetration test?

Not by the strict letter of the Trust Services Criteria, but auditors and enterprise customers effectively expect one. A penetration test is the most common way to evidence the risk-assessment and monitoring criteria, so most companies pursuing SOC 2 run one at least annually.

How often do you need a pentest for SOC 2?

At least annually, and after any significant change to your application or infrastructure. Continuous testing between engagements further supports your evidence, especially for SOC 2 Type II.

Does automated testing count toward SOC 2?

Continuous automated testing supports the monitoring and risk-assessment criteria and produces useful evidence of ongoing remediation. Most auditors still want a formal penetration test report annually, so use automated testing alongside it rather than as a full replacement.