Written by Koby Conrad
Published on Aug 31, 2024
Topic: Compliance
Fun fact: not having a penetration test is the #1 reason our team sees SOC 2 reports fail when they go through a security review.
This usually stems from a very common misconception that a SOC 2 report is a “certification”, a binary check mark that will magically usher you through security reviews. In reality, a SOC 2 report is an attestation: an independent auditor's examined description of the security controls you chose to implement.
The CPA who performs your SOC 2 audit isn’t making a value judgment about whether your controls are adequate, only whether they actually exist and work as you have described them (for a Type I report, that they are suitably designed at a point in time; for a Type II, that they operated effectively over the review period).
From the CPA’s point of view, it doesn’t matter whether you included a penetration test among your security controls.
But when you hand that SOC 2 report to a CISO, CTO, or IT manager as part of a security review? THEY are going to care a lot about the penetration test (and about everything else that is, or isn’t, listed in your SOC 2 report).
Having a penetration test performed is considered the “gold standard” for identifying vulnerabilities and weaknesses in your security posture.
There are many kinds of penetration tests (black box, white box, gray box, internal, external, automated, manual, etc.), but at a high level what CISOs want to see is that you hired an ethical hacker to try to break into your application, and that you identified (and remediated) any major vulnerabilities they found.
A 2023 report by Positive Technologies found that 96% of organizations were vulnerable to some form of cyberattack during penetration testing. A similar report from Edgescan stated that roughly one third of identified vulnerabilities were of high or critical severity (i.e. with potential business impact if exploited).
TL;DR: don’t spend tens of thousands of dollars on a SOC 2 report without also getting a penetration test.
What matters when getting a Penetration Test for a SOC 2 attestation?
Okay, so we’re going to get a penetration test so we actually pass our security reviews at the end of this SOC 2 process. It’s going to cost money. What matters during this process to make sure we get the biggest bang for our buck?
Here are the main things we normally recommend clients consider:
[Security] A Penetration Test that will actually improve your security posture.
[Reporting] An easily understandable, professional, well written report.
[Credentials] A test performed by a highly credentialed penetration tester.
[Retesting] You want to make sure you won’t get billed twice for retesting after you have fixed any identified vulnerabilities.
Probably 80% of the people who ask us for a penetration test do so because it’s part of a sales cycle and they have a client asking to see the report from a penetration test.
Even so, I always like to point out that having a penetration test performed is an excellent opportunity to take a breath and remember that the purpose of this thing is to improve your security posture.
It’s good to be secure.
Venture-backed startups (or any company with some level of “success”) are often rapidly growing organizations held together with duct tape and optimism. They also generally have millions of dollars in the bank, and are easily identified on Crunchbase, Hacker News, and Product Hunt.
Read: these are REALLY good targets for threat actors.
The rule of scale is that anything bad that can happen, will happen. Applied to your security posture: with enough exposure, any flaw in your system is eventually going to be found and exploited.
Even if you need this ASAP to close a deal, make sure you’re building a good foundation for your rapidly growing organization by getting a valuable penetration test that will actually help you find the security vulnerabilities in your product.
It’s easy and cheap to go on Upwork, find a “penetration tester” with no real credentials or experience, hire them, and slap together a “penetration test”. There are also a number of services that will run a handful of automated tools and compile the output into a report with “penetration test” written at the top.
Neither of these options is going to help you build real security, and neither is going to help you pass a security review. We see these types of reports get kicked back and rejected every day.
If this is going to matter for your business, help you get secure, and unlock more revenue, make sure to do it right.
We highly recommend using a penetration tester who has gone through OffSec (formerly Offensive Security) training and certification and holds an OSCP, OSCE, or comparable OffSec certification. These are considered some of the best ethical hackers in the world, and OffSec's programs are currently among the highest quality certifications available.
Country of origin can also matter when selecting a penetration tester. Certain countries have such high levels of fraud that some payment processors will not operate there at all.
You’ll normally want to use a NATO-based penetration tester with strong English skills. This not only limits the potential for fraud, but also makes sure that once it’s all said and done you’re left with a strong, well-written report that makes it easy to remediate vulnerabilities and pass any security review that asks for it.
Oneleet’s approach to Penetration Testing for SOC 2 Compliance
Penetration testing is our company's bread and butter. Our CEO and co-founder Bryan spent almost a decade as a penetration tester, and the company began as a software platform for penetration testing.
Oneleet started off performing a “compliance penetration test” for Y Combinator startups going through the SOC 2 process. We ended up becoming the informal Vanta help desk, which is what dragged us into building a complete platform for security and compliance.
Because of this, we are probably the best company in the world for providing a cost-effective yet highly impactful penetration test: one that identifies any major vulnerabilities and results in a SOC 2 report that will help you pass security reviews.
Usually we perform what is considered a “gray box” penetration test: we get some access to your system, but not everything, and an OSCE-certified penetration tester then attacks whatever they judge will have the highest impact, depending on exactly what your product does.
The scope ranges from a 20-40 hour engagement for early-stage startups to 100+ hours for larger enterprises or companies with a large attack surface that need multiple applications tested.
If you’re ready to get a penetration test, or simply want to learn more, come chat with us! Scoping is always a bit of an art, and after learning more about your system we can provide a more accurate quote.
Koby Conrad
Head of Growth @ Oneleet
Koby runs Growth at Oneleet, helping startups become secure and obtain compliance across SOC 2, ISO 27001, HIPAA, GDPR, PCI, and more. Full-stack JavaScript developer and cybersecurity enthusiast. Angel investor, YC S19 alumnus, wrote the #1 book for Growth Marketing on Amazon.