Is a pen test legally required for SOC 2?

No. The AICPA SOC 2 standard does not legally require a pen test. The standard requires monitoring (CC4.1) and detection of vulnerabilities (CC7.1). Auditors interpret these as requiring independent vulnerability assessment, which is most cleanly satisfied by a pen test.

How often do I need a pen test for SOC 2?

Most auditors expect annual testing within the audit period. For a Type II with a 6-month observation window, the pen test should be either within the window or completed shortly before with remediation tracked through the window.

Can a vulnerability scan replace a pen test?

Sometimes, but rarely cleanly. Vulnerability scanners (Burp, Nessus, OWASP ZAP) miss application logic flaws that pen tests catch. Some auditors accept a scanner-only program if the scope and remediation cadence are documented; most prefer a third-party pen test as the primary evidence.

Will my pen test findings cause my SOC 2 to fail?

Findings alone don't cause failure. What matters is remediation tracking and risk-acceptance documentation. A pen test with 12 findings, all triaged with owners and timelines, is fine. A pen test with 12 findings sitting untouched 6 months later is a problem.

DisclosureIndependent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice. Methodology.

Do I need a penetration test for SOC 2?

By Editorial team · Published 2026-04-26 · Last updated 2026-04-26

Not strictly required by AICPA, but functionally yes — most auditors require a recent pen test as part of CC4.1 monitoring evidence.

Short answer: not strictly required by the SOC 2 standard, but in practice almost always required by your auditor. The Trust Services Criteria do not list 'penetration test' as a control. Most auditors interpret CC4.1 (monitoring activities) and CC7.1 (system operations) as requiring evidence of independent vulnerability assessment — and a pen test is the cleanest way to provide that evidence.

What the AICPA standard actually says

The Trust Services Criteria require monitoring of internal controls (CC4.1) and detection of vulnerabilities (CC7.1). The standard is silent on the specific method. A pen test satisfies these criteria; so does a vulnerability scan with appropriate scope and remediation tracking. Most auditors prefer a pen test because it is harder to fake and easier to audit.

What auditors typically require

A third-party (external firm) penetration test performed annually.
Scope covering production environment, primary application, and any internet-facing infrastructure.
Remediation tracking for findings — what was found, what was fixed, what was accepted as risk.
Test methodology document or summary letter from the test provider.

What a pen test costs at startup scale

Annual third-party pen test pricing for a small SaaS application typically runs $4,000 to $15,000. The variance is driven by scope: a single web application is at the low end; a multi-product platform with API endpoints, mobile apps, and infrastructure components is at the high end. Some boutique CPA firms (Prescient Assurance) offer combined audit + pen test packages at a discount.

Common shortcuts that don't fly with auditors

Internal pen tests by your own team. Auditors require independence — the test must be performed by a third party.
Bug bounty programs alone. Useful, but not a substitute. Bounties are not scoped vulnerability assessments.
Vulnerability scanner output (Burp, Nessus, OWASP ZAP) only. Acceptable for CC7.1 sometimes; a pen test is cleaner.
A pen test from 18 months ago. Auditors expect a test within the audit period.

Choosing a pen test provider

Common pen test firms in the SaaS ecosystem include Cobalt, NetSPI, Bishop Fox, HackerOne (paid pen test, not bug bounty), and a long tail of boutique firms. CREST or OSCP credentials on the testing team and a clear scoping process are stronger signals than brand recognition. Book 3 to 6 weeks ahead — most firms have that long a queue.