Do I Need a Penetration Test for SOC Compliance Insight?

Jonathan Eberhardt, Principal, Internal Audit Services
Erich Ficker, Principal, Cybersecurity Consulting Services

April 24, 2026
LinkedIn Share Button Twitter Share Button Other Share Button Other Share Button
Penetration test for SOC compliance Thumbnail

Penetration testing isn’t explicitly required for SOC 2, but it’s strongly recommended.

It’s often expected as a best practice to validate the effectiveness of security controls to meet the Security (Common Criteria) and other Trust Services Criteria (TSC). Penetration testing is often a validating step to demonstrate in-place compliance and security posture to the SOC auditor, your clients, and board members. It’s easy to say you’re following your security plan and secure coding principles; a penetration test actually shows you’re doing these things.

Without clear penetration testing guidance, you risk audit delays, control deficiencies, or missed pportunities to build trust with customers.

Auditors may look for evidence of vulnerability management, which penetration testing supports.

What Does Penetration Testing Do for Organizations Reading a SOC Audit?

A lack of penetration testing causes real challenges in SOC 2 examinations, where auditors frequently cite deficiencies such as:

  • Incomplete vulnerability management programs
  • Insufficient evidence of annual security testing
  • Absence of documented methodology aligned with industry standards such as OWASP or NIST.

Avoid Delays

In several SOC 2 Type II engagements, delays occurred because the organization couldn’t provide proof that meaningful penetration testing was performed within the period. This led auditors to conclude that control criteria related to risk mitigation and logical security weren’t fully met.

Common Audit Delays
  • High‑severity vulnerabilities going unaddressed for extended periods
  • Missing remediation plans
  • Penetration tests limited in scope to the point that they didn’t meaningfully evaluate external attacks

These gaps often force tests to be rerun under compressed timelines, delaying report issuance by weeks or months, which in turn can stall customer contracts, prolong vendor onboarding, and create reputational concerns as clients question the maturity of the company’s security program.

Penetration Testing Strengthens Your Audit Readiness

While not an explicit checklist item, a well-scoped and timely penetration test can validate that your controls are working effectively. It also helps you proactively identify weaknesses before your SOC 2 auditor finds them—or before attackers exploit them.

Proactive penetration testing can significantly strengthen your security posture well before entering a SOC 2 audit by uncovering exploitable weaknesses early, often months before auditors review control effectiveness.

Identifying issues such as misconfigured access controls, insecure APIs, exposed cloud assets, or unpatched vulnerabilities ahead of time, provides the opportunity to remediate them systematically rather than under audit pressure.

This early discovery not only improves the maturity and reliability of security controls but also reduces the likelihood of negative audit findings that could delay SOC 2 report issuance. This can create meaningful time and cost savings because addressing vulnerabilities during normal operational cycles is far less expensive than mobilizing emergency remediation teams late in the audit period.

Moreover, when penetration testing results are incorporated into continuous security improvement efforts, your company enters the SOC 2 process with stronger evidence, fewer surprises, and a smoother, faster audit experience.

Penetration Testing Aligns With Key Trust Services Criteria

Penetration testing directly supports several SOC 2 TSC by providing concrete evidence that security controls operate effectively against real‑world threats.

For example, CC2.1 requires organizations to obtain or generate information to support the functioning of internal control. CC4.1 and CC4.2, which require organizations to conduct ongoing risk assessments and identify vulnerabilities, are strengthened through penetration testing because testers actively probe systems to reveal exploitable weaknesses that static assessments might overlook.

In the System Operations series such as CC7.1–CC7.3, SOC 2 requires organizations to monitor for security events and respond to deviations; penetration testing supports these requirements by verifying detection capabilities such as alerting, logging, and incident response workflows.

For organizations that handle sensitive data, the Confidentiality (C1.1) and Privacy (P8.1) criteria emphasize protection of information from unauthorized disclosure—penetration tests assess data exposure risks by attempting to access repositories, APIs, or storage buckets without proper authorization.

Overall, penetration testing provides practical validation that SOC 2 controls aren’t just documented but effective, demonstrating operational readiness and resilience under adversarial conditions.

This is especially relevant for Security (CC Series), Availability, and Confidentiality, where penetration testing supports control related to threat detection, incident response, and vulnerability remediation.

Not All Penetration Tests Are Created Equal

There are numerous types of penetration testing. Each type provides different benefits for different types of organizations.

Network vs. Application Layer Testing

Network layer testing validates that your systems and services, especially public-facing services like web servers and file transfer services, are configured securely, are up-to-date and don’t advertise any obvious low-hanging fruit that would draw an attacker’s attention. Malicious threat actors scan the public internet non-stop for new and critical vulnerabilities. They use this data to launch attacks, often through automated means, then dig further into your network once gaining a foothold.

Application layer testing is where interesting vulnerabilities become newsworthy. Web applications and APIs are difficult to write securely, and the majority of critical vulnerabilities are found here. Testing is much more nuanced and requires experience and skill on the tester’s part to follow complex workflows, identify potential points of entry, and evaluate areas of the application that are most susceptible to attack. This should be followed by manually testing these areas to ensure that code and security checks are operating as intended. Lateral and vertical movement should also be tested to ensure roadblocks are in place for both accessing other users’ data and higher privileged functions, respectively. This often results in critical alerts due to vulnerabilities that could potentially or are actively being exploited by malicious attackers.

Internal vs. External

External testing is the bare minimum when we’re discussing penetration testing and ensures that the perimeter of your network and application is secured without additional inbound routes. This will ensure that external threat actors are unlikely to gain a foothold into your environment.

Internal testing helps to ensure that if you had a threat from an internal actor, disgruntled employee, or someone that was able to breach your external perimeter using social engineering or other method, their impact would be limited. With an internal threat actor already having some legitimate access, this is challenging but it’s important to validate that their access is limited to what’s granted and they are unable or unlikely to elevate to additional privileges that could allow a great impact.

Automated Scans vs. Manual Testing

Automated scans are important and should be a normal activity in your daily/weekly/monthly security plan and processes. They are often a first step in a penetration test as well. They don’t, of course, replace a penetration test as this activity involves the all-important next steps of manual validation and exploitation to understand what impact any given vulnerability may have in your environment. This also helps you understand what data and access can be gained during the exploitation phase of the test and identify appropriate countermeasures to use to limit this additional incursion.

Tailor your penetration test scope to match the systems and environments in scope for your SOC 2 report.

How Often Should You Perform a Penetration Test?

Penetration tests should be conducted at least annually for SOC 2 environments. It’s also recommended after any significant changes to systems or infrastructure.

Organizations commonly implement a range of system changes to strengthen their security posture, especially when preparing for SOC 2 audits or remediating issues identified during penetration testing. These changes often include updating network configurations by tightening firewall rules, restricting unnecessary ports, or adding segmentation to isolate sensitive systems.

Many companies also enhance authentication and access controls by enforcing multifactor authentication, implementing single sign‑on, removing dormant accounts, or redesigning roles to ensure least‑privilege access. In addition, teams frequently apply security patches, update outdated software libraries, or upgrade unsupported systems to reduce vulnerability exposure.

Cloud environments often see adjustments such as securing misconfigured storage buckets, enabling encryption, or refining IAM roles. Application-level improvements—like fixing SQL injection flaws, strengthening input validation, or improving session management—are also common outcomes of security testing. Logging and monitoring capabilities may be expanded by increasing log retention, enabling additional audit logs, or integrating systems into a centralized SIEM.

Finally, organizations often harden servers and endpoints by disabling unnecessary services, enforcing encryption, applying CIS benchmarks, or deploying advanced endpoint detection tools, alongside updating supporting policies and procedures to ensure these improvements are sustained over time.

Penetration Testing Prior to SOC Audit FAQ

Will Not Having a Penetration Test Impact My SOC Report?

If your organization doesn’t perform penetration testing, auditors may note this as a gap or request alternative controls that provide similar assurance that vulnerabilities are identified and addressed. Ultimately, the absence of penetration testing doesn’t automatically prevent issuance of a SOC report, but it may lead to findings, management responses, or increased scrutiny depending on your organization’s risk environment.

Does the Penetration Test Need to Cover all Systems or Just What’s in Scope for the SOC Audit?

A penetration test doesn’t necessarily need to cover every system within your organization, but it should at least include the systems and environment that are in scope for the SOC audit. The purpose of the SOC examination is to evaluate controls over the services and infrastructure that support the system being reported on, so auditors will primarily focus on whether the penetration testing program adequately assesses risks to those in-scope components. If the organization performs broader enterprise-wide penetration testing, that can strengthen assurance and demonstrate a more mature security program, but it isn’t strictly required for the SOC report. At a minimum, the penetration test should cover the applications, infrastructure, and external attack surfaces that could affect the security, availability, or confidentiality of the services included in the SOC scope.

Ask a Question

The material appearing in this communication is for informational purposes only and should not be construed as advice of any kind, including legal, accounting, tax, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Changes in tax laws or other factors could affect the information provided in this communication.

Related Topics

Article
What Is a SOC Report?
Learn all the different types of SOC reports, why they’re important, and what information they provide.
Article
Article
SOC 2 Trust Services Criteria
The criteria enhances SOC 2 reporting by providing greater coverage over IT governance and operational management. Learn more.
Article
Article
SOC 2 Examination Checklist
Prepare for a SOC 2 examination and learn best practices for a successful examination, to help maintain compliance.
Article
Article
Updates to SOC 2 Guide
Learn more about updates to trust services criteria points of interest and disclosure requirements, among other things.
Article
View More

Contact Us with Questions

Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Baker Tilly Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.