Skip to main content
    SOC 2 Compliance

    SOC 2 Penetration Testing: Requirements, Scope, and Pricing

    Two speeds, one standard. AI SOC 2 pentest in 48 hours from $1,500. Hybrid (AI + senior US pentester) audit-ready in 5โ€“6 days from $5,000.

    First report in 48h ยท From $1,500 ยท Free remediation retest

    US-Based Senior Testers AICPA CC6.x / CC7.x Mapped

    Get Scoped for Your SOC 2 Pentest in 24 Hours.

    Sample report

    Share a few details and pick a time to chat right after.

    SOC 2 Type II ReadyAI 48h / Hybrid 5โ€“6 daysHuman-Validated Findings

    No commitment. We'll follow up within 1 business day.

    How a SOC 2 Pentest Runs

    From scope to audit-ready in 5 days

    Scope your SOC 2 boundary, our AI agents discover and exploit, a senior tester validates every finding, and you receive an auditor-ready report.

    From kickoff to auditor-ready report, delivered in 48 hours.

    Most SOC 2 auditors require pentest evidence 30 to 60 days before audit. Don't start too late.

    We specialize in SOC 2 pentest work for SaaS companies, AI platforms, and tech startups. If your auditor requires a pentest as part of SOC 2 Type I or Type II evidence, we scope, test, and deliver โ€” an AI SOC 2 pentest in 48 hours or a hybrid SOC 2 pentest audit-ready in 5โ€“6 days.

    Trusted by Companies Where Security Isn't Optional

    Phish Firewall logo
    Newo AI logo
    TopLeft logo
    Derma Monitor logo
    Avara Software logo
    High Point Networks logo
    Phish Firewall logo
    Newo AI logo
    TopLeft logo
    Derma Monitor logo
    Avara Software logo
    High Point Networks logo

    What customers say

    The best choice for penetration testing

    "The testing was thorough and the reports were structured precisely for the regulatory requirements. Explanation of issues along with steps to reproduce and remediation advice were detailed and clear, making corrections a breeze."
    JM

    Jeremy M.

    Director ยท IKO Corp ยท Medical Devices

    SOC 2 Pentest 101

    What Is a SOC 2 Penetration Test?

    A SOC 2 penetration test is an independent, exploit-validated security assessment of the systems in scope for a SOC 2 Type 1 or Type 2 audit. It produces the third-party evidence AICPA auditors use to confirm that Trust Service Criteria controls CC6.1, CC6.6, CC6.7, CC7.1, and CC7.2 are operating effectively, not just documented. A qualifying SOC 2 pentest must include all of the following:

    • Defined scope covering production systems that store or process customer data.
    • Active exploitation attempts โ€” not just an automated vulnerability scan.
    • Findings mapped to SOC 2 controls with CVSS severity, evidence, and reproduction steps.
    • Independent third-party tester (your internal security team cannot satisfy the requirement).
    • Retest evidence confirming high and critical findings were remediated within the audit window.

    Is a penetration test required for SOC 2?

    The AICPA does not list a pentest by name in the SOC 2 Trust Service Criteria, but in practice a SOC 2 pentest is required: auditors need third-party, exploit-validated evidence to attest that controls CC6.1, CC6.6, CC6.7, CC7.1, and CC7.2 are operating effectively. A vulnerability scan, an internal review, or a self-attestation will not satisfy the requirement.

    • SOC 2 Type 1: strongly recommended before issuance to validate control design.
    • SOC 2 Type 2: expected at least annually inside the audit window, plus after any material change to in-scope systems.
    • What counts as qualifying: independent third-party tester, defined production scope, active exploitation (not a scan), findings mapped to CC6.x / CC7.x, and retest evidence within the audit window.
    Requirements

    SOC 2 Penetration Testing Requirements

    Exactly what auditors expect, how often you need to test, and what scope a qualifying SOC 2 pentest must cover.

    Does SOC 2 require a penetration test?

    Yes, in practice. The AICPA does not name a pentest as a literal Trust Service Criteria control, but every major SOC 2 auditor expects third-party, exploit-validated evidence that controls CC6.1, CC6.6, CC6.7, CC7.1, and CC7.2 are operating effectively. Both SOC 2 Type 1 and SOC 2 Type 2 audits use the pentest report as primary evidence. See our SOC 2 penetration testing pricing or compare frameworks on the compliance penetration testing overview.

    How often is a SOC 2 pentest required?

    At minimum once per audit window. SOC 2 Type 2 covers 3 to 12 months, so most teams schedule one annual hybrid pentest and add monthly AI validation scans between audits so the report reflects current production state. Any material change to in-scope systems (new region, new auth flow, major rearchitecture) should trigger an additional test inside the same window.

    What scope is required for a SOC 2 pentest?

    A qualifying SOC 2 pentest must cover every production system that stores, processes, or transmits customer data: customer-facing web applications, public and partner APIs, external network surfaces, admin portals, and any third-party integration that touches the trust boundary. Internal-only systems out of scope for the audit can be excluded, but the boundary must be documented for the auditor.

    What does the auditor expect to see in the report?

    The auditor expects a written report from an independent third party that includes: defined scope and rules of engagement, evidence of active exploitation (not just a scan), findings with CVSS severity, reproduction steps, and screenshots, every finding mapped to CC6.x or CC7.x controls, remediation guidance, and a retest letter confirming high and critical findings were closed inside the audit window. StealthNet delivers all of the above in one PDF, see a redacted example on the homepage sample report.

    The Problem

    Most Companies Fail Their First SOC 2 Pentest.

    Your auditor flags pentest quality

    Traditional firms deliver reports that don't map to CC6.x and CC7.x controls, which forces rework and delays.

    You waited too long

    Annual testing windows don't align with audit timelines, leaving you scrambling at the last minute.

    You're overpaying

    Legacy firms charge $20K to $60K for the same coverage StealthNet delivers with AI pentests starting at $1,500 and hybrid pentests starting at $5,000.

    The Solution

    Pentest Reports Built for SOC 2, Not Retrofitted for It.

    AI SOC 2 Pentest

    $1,500

    • 48-hour delivery (AI-only)
    • Exploit-validated findings
    • Pre-formatted for SOC 2 CC6.x / CC7.x controls

    Best for: Early-stage companies, Type I preparation, pre-audit validation

    Most Popular

    Hybrid (AI + Human) SOC 2 Pentest

    Starting at $5,000

    Typical engagements range from $5,000 to $10,000 depending on scope

    • AI attack simulation + senior US-based pentester validation
    • Audit-ready report in 5โ€“6 days
    • Dedicated project manager + private Slack channel
    • Compliance-ready report + free retest included

    Best for: SOC 2 Type II, production SaaS platforms, investor-facing audits

    Deliverables

    Everything Your Auditor Needs. Nothing They Don't.

    Executive Summary

    Business impact overview for leadership and auditors

    Technical Findings

    CVSS-rated, exploit-confirmed, with screenshots and evidence

    SOC 2 Control Mapping

    Every finding mapped to CC6.x / CC7.x trust criteria

    Remediation Report

    Free retest showing all fixes validated and verified

    Why StealthNet

    AI Handles Speed. Humans Validate Everything.

    A named, US-based senior tester validates every finding before your report is delivered.

    Reports are pre-formatted for SOC 2, so there is no manual reformatting and no delays at audit time.

    Two speeds, one standard โ€” an AI SOC 2 pentest in 48 hours or a hybrid pentest audit-ready in 5โ€“6 days.

    Cost
    Traditional
    โ€”$20K to $60K
    StealthNet
    AI: $1,500 / Hybrid: from $5,000
    Delivery
    Traditional
    โ€”3 to 6 weeks
    StealthNet
    AI: 48 hours / Hybrid: 5โ€“6 days
    SOC 2 Formatting
    Traditional
    โ€”Manual / extra cost
    StealthNet
    Included
    Retest
    Traditional
    โ€”Extra charge
    StealthNet
    Free
    Continuous Validation
    Traditional
    โ€”Not offered
    StealthNet
    Available as add-on
    Sample Timeline

    SOC 2 Pentest Timeline: Audit-Ready Report in 5โ€“6 Days

    From scoping call to a SOC 2-ready report on day 5โ€“6, with a free retest before your audit window closes.

    1. Day 0

      Intake call

      30-minute scoping call. We confirm in-scope systems, audit window, and auditor expectations.

    2. Day 1

      Scope locked + kickoff

      Test plan, rules of engagement, and credentials handoff via private Slack channel.

    3. Day 2โ€“4

      Active hybrid testing

      AI-driven attack simulation validated by a senior US-based pentester. Daily progress updates and high/critical findings posted live to your Slack channel.

    4. Day 5โ€“6 Audit-Ready

      Audit-ready report delivered

      Senior-reviewed PDF report delivered on day 5โ€“6. Findings mapped to CC6.1, CC6.6, CC6.7, CC7.1, CC7.2 with CVSS, evidence, and reproduction steps. Executive summary and attestation letter included.

    5. Day 7โ€“30

      Remediation + free retest

      We retest every high and critical finding inside the audit window and issue a clean retest letter for your auditor.

    5โ€“6 day report
    Senior-reviewed PDF
    CC6.x + CC7.x mapped
    AICPA-aligned evidence
    Free retest
    Inside your audit window
    Free Resource

    SOC 2 Pentest Checklist + Fast-Track for Any Compliance Framework

    Download the SOC 2 checklist as your starting point. The Fast-Track engagement covers ISO 27001, HIPAA, PCI DSS, NIST, CMMC, FedRAMP, FDA, and more with the same methodology and timeline.

    SOC 2 does not explicitly mandate penetration testing, but auditors and enterprise customers commonly expect evidence that controls are tested, findings are tracked, and remediation is validated. This checklist helps teams prepare audit-ready documentation before their SOC 2 window. The Fast-Track engagement itself supports any compliance framework, SOC 2 is just where most teams start.

    • Map pentest evidence to SOC 2 Trust Services Criteria
    • Define in-scope systems, APIs, cloud assets, and third-party dependencies
    • Package auditor-ready reports, remediation evidence, and retest validation
    • Avoid common audit gaps around scope, ownership, and unresolved findings
    • Same engagement methodology applies to ISO 27001, HIPAA, PCI DSS, NIST, CMMC, FedRAMP, FDA, and more
    48-hour reports AI + human validation Compliance-ready reporting
    StealthNet AI
    Full checklist inside
    Gated Resource

    Get the Checklist

    Sent to your inbox instantly. Need a different framework? Tell us in the timeline field.

    By submitting, you agree to receive the checklist and occasional related emails. Unsubscribe anytime.

    Type 1 vs Type 2

    SOC 2 Type 1 vs Type 2 Penetration Testing

    The pentest evidence auditors expect differs by audit type. Here's what each requires.

    Audit scope
    Traditional
    โ€”Point-in-time control design
    StealthNet
    3 to 12-month operating effectiveness window
    Pentest requirement
    Traditional
    โ€”Strongly recommended for readiness
    StealthNet
    Expected within the audit window
    Frequency
    Traditional
    โ€”Once before Type 1 issuance
    StealthNet
    At least annually; after material changes
    Report contents
    Traditional
    โ€”Scope + findings + remediation plan
    StealthNet
    Above plus retest evidence within the window
    Typical timing
    Traditional
    โ€”4โ€“6 weeks before audit
    StealthNet
    30โ€“60 days before audit close

    StealthNet delivers Type 1 and Type 2 SOC 2 pentests on the same two-track cadence โ€” AI in 48 hours, hybrid audit-ready in 5โ€“6 days โ€” so your auditor has clean evidence whether you're issuing your first SOC 2 report or your fifth.

    AICPA Trust Service Criteria

    How SOC 2 Pentest Findings Map to CC6.x and CC7.x

    Every StealthNet SOC 2 report tags findings against the specific Trust Service Criteria your auditor will test.

    CC6.1

    Logical access controls

    Authentication, authorization, BOLA / IDOR, privilege escalation, session handling. The most commonly tested control in any SOC 2 pentest.

    CC6.6

    Boundary protection

    External perimeter, VPN, firewall, and segmentation testing. Demonstrates that internet-facing systems are protected against unauthorized access.

    CC6.7

    Data in transit

    TLS configuration, certificate validation, downgrade attacks, sensitive-data exposure across application and API surfaces.

    CC7.1

    System monitoring & vulnerability detection

    Validates that your detection and response stack actually catches the exploit attempts our testers run. Findings include alerting gaps.

    CC7.2

    Anomaly detection & incident response

    Tests whether anomalous activity (brute force, mass enumeration, privilege escalation) is detected, escalated, and contained.

    CC8.1

    Change management

    Optional add-on. Validates that recent production changes have not introduced regressions to the security posture documented at Type 1.

    Pentest vs Vulnerability Scan

    SOC 2 Penetration Test vs Vulnerability Assessment

    Both appear in SOC 2 evidence packages โ€” but they answer different questions and only one satisfies the AICPA expectation for active testing.

    What it does
    Traditional
    โ€”Automated signature-based scan
    StealthNet
    Active exploitation by a human-led tester
    SOC 2 evidence value
    Traditional
    โ€”Supporting evidence for CC7.1
    StealthNet
    Primary evidence for CC6.1, CC6.6, CC7.1, CC7.2
    False positives
    Traditional
    โ€”High โ€” manual triage required
    StealthNet
    Validated โ€” every finding is exploit-confirmed
    Frequency expected
    Traditional
    โ€”Continuous / monthly
    StealthNet
    At least annually within the audit window
    Cost
    Traditional
    โ€”$0 to $5K / yr
    StealthNet
    From $1,500 (AI) or $5,000 (hybrid)

    Most SOC 2 programs need both. A continuous vulnerability scan catches drift between audits, and an annual penetration test produces the exploit-validated findings auditors require to sign off CC6.x and CC7.x. StealthNet bundles both so you do not have to manage two vendors.

    SOC 2 Type 1

    SOC 2 Type 1 Penetration Testing, Audit-Ready

    Pentest evidence formatted specifically for SOC 2 Type 1 audits, the SOC 2 Type 1 to Type 2 transition, and pre-audit readiness.

    Pre-Audit

    Pentest before SOC 2 audit

    A penetration test before a SOC 2 audit gives your auditor exploit-validated evidence that controls CC6.1, CC6.6, CC6.7, CC7.1, and CC7.2 are not just designed but effective. The single best signal we see for first-time SOC 2 success.

    ControlsCC6.1CC6.6CC6.7CC7.1CC7.2
    Web App

    SOC 2 Type 1 web app pentest

    Exercises every authenticated and unauthenticated surface on the application that holds customer data, mapped to CC6.1 logical access controls and CC7.1 system monitoring. Pre-formatted for your Type 1 readiness assessment.

    ControlsCC6.1CC7.1
    API

    SOC 2 Type 1 API pentest

    Covers REST, GraphQL, and gRPC endpoints against the OWASP API Top 10, with focused testing of broken object-level authorization (BOLA), token handling, and tenant isolation.

    ControlsCC6.1CC6.6CC7.2
    External

    SOC 2 Type 1 external pentest

    Validates your internet-facing perimeter, VPN gateways, and remote access portals. Findings ladder up to CC6.6 (boundary protection) and CC7.2 (anomaly detection) and are accepted by every major SOC 2 auditor.

    ControlsCC6.6CC7.2
    Type 1 โ†’ Type 2

    Pentest after SOC 2 Type 1

    The bridge to Type 2. Gives you operating effectiveness evidence across the audit window, surfaces drift between point-in-time Type 1 controls and live production, and seeds your SOC 2 Type 2 readiness package.

    ControlsCC6.xCC7.x
    Medtech

    Medtech SOC 2 pentest

    Has to satisfy both SOC 2 trust criteria and HIPAA Security Rule expectations on the same systems. We scope a single hybrid pentest that covers both, with a unified report your SOC 2 auditor and HIPAA reviewer can each consume.

    ControlsSOC 2HIPAA
    For MSPs

    Managed Service Provider SOC 2 Pentesting

    Built for MSPs and MSSPs that need SOC 2 pentest coverage for themselves and their managed clients.

    Layer 1

    Your MSP's own SOC 2

    A hybrid AI plus human pentest of your own infrastructure, mapped to CC6.x and CC7.x, delivered audit-ready in 5โ€“6 days.

    Layer 2

    Your downstream clients

    Per-tenant scoping with per-client reporting so every engagement can stand on its own at audit time. Co-branded reports optional.

    StealthNet Partner Program

    You own the relationship. We deliver the pentest.

    Bring the client and the SOC 2 timeline. We run the pentest, deliver a co-branded report mapped to CC6.x and CC7.x, and include a free retest.

    5โ€“50 clients/yr
    per typical MSP
    Private Slack
    single PM channel
    Free retest
    included on every report
    For Startups

    Prepping Your First Audit? Get a Startup SOC 2 Pentest That Won't Blow the Budget

    A focused startup SOC 2 pentest scope covers the production app, customer-facing APIs, and your single AWS or GCP account, mapped to CC6.x and CC7.x for your Type I or first Type II window.

    Right-sized scope

    One web app, one API, one cloud account. No fluff in the SOW so the bill matches the surface.

    Audit-window aware

    Schedule the test 30 to 60 days before fieldwork so the report and retest both land inside your Type I window.

    Founder-friendly pricing

    Startup SOC 2 pentest engagements start at $1,500 for AI and $5,000 for hybrid, with a free remediation retest.

    Reusable evidence

    The same report supports your SOC 2 audit, customer security reviews, and follow-on HIPAA or ISO 27001 work.

    Most AICPA-aligned SOC 2 auditors expect external pentest evidence for both Type I and Type II. A startup SOC 2 pentest scoped to your production app and one cloud account is usually enough to satisfy CC4.1, CC6.1, and CC7.1 control evidence in your first audit.

    StealthNet's startup SOC 2 pentest starts at $1,500 for an AI engagement and $5,000 for a hybrid AI plus senior US tester engagement. Both include findings mapped to AICPA CC controls and a free remediation retest.

    Schedule the pentest 30 to 60 days before audit fieldwork. That gives your team time to remediate criticals, run the free retest, and hand a clean report to the auditor as part of the Type I or first Type II evidence package.
    Before You Submit

    Quick SOC 2 Pentest Questions

    The AICPA does not name SOC 2 penetration testing as a literal control, but in practice it is required. Auditors need third-party, exploit-validated evidence that Trust Service Criteria CC6.1, CC6.6, CC6.7, CC7.1, and CC7.2 are operating effectively, and a vulnerability scan or self-attestation will not satisfy them. Every SOC 2 Type 1 and Type 2 report we have supported in 2025 and 2026 included a third-party pentest as evidence.

    A SOC 2 penetration test from StealthNet starts at $1,500 for an AI-only engagement delivered in 48 hours and at $5,000 for a hybrid AI plus senior human engagement audit-ready in 5 to 6 days. Typical hybrid SOC 2 engagements run $5,000 to $10,000 based on the number of applications, APIs, and external surfaces in scope. See full SOC 2 penetration testing pricing.

    SOC 2 penetration testing requirements call for at least one pentest per audit window, plus an additional test after any material change to in-scope systems. SOC 2 Type 2 audits cover 3 to 12 months, so most teams run one annual hybrid pentest and add monthly AI validation scans between audits so the report reflects current production, not an 11-month-old snapshot.
    Get Scoped

    Get Your SOC 2 Pentest Scoped in 24 Hours

    Share a few details and we'll follow up within one business day.

    No commitment. We'll follow up within 1 business day.

    FAQ

    SOC 2 Penetration Testing Questions, Answered

    Common questions about SOC 2 pentest requirements, scoping, timing, and cost.

    The AICPA does not name SOC 2 penetration testing as a literal control, but in practice it is required. Auditors need third-party, exploit-validated evidence that Trust Service Criteria CC6.1, CC6.6, CC6.7, CC7.1, and CC7.2 are operating effectively, and a vulnerability scan or self-attestation will not satisfy them. Every SOC 2 Type 1 and Type 2 report we have supported in 2025 and 2026 included a third-party pentest as evidence.

    A SOC 2 penetration test from StealthNet starts at $1,500 for an AI-only engagement delivered in 48 hours and at $5,000 for a hybrid AI plus senior human engagement audit-ready in 5 to 6 days. Typical hybrid SOC 2 engagements run $5,000 to $10,000 based on the number of applications, APIs, and external surfaces in scope. See full SOC 2 penetration testing pricing.

    SOC 2 penetration testing requirements call for at least one pentest per audit window, plus an additional test after any material change to in-scope systems. SOC 2 Type 2 audits cover 3 to 12 months, so most teams run one annual hybrid pentest and add monthly AI validation scans between audits so the report reflects current production, not an 11-month-old snapshot.

    A vulnerability scan is an automated tool run that lists potential issues. A SOC 2 penetration test actively exploits those issues to prove business impact, then maps each finding to CC6.x and CC7.x controls with CVSS severity, evidence, and remediation guidance. SOC 2 auditors require the pentest, not the scan, because only active exploitation demonstrates that the control is operating effectively.

    Compare full SOC 2 pentest pricing, read our SOC 2 blog guide, review the SOC 2 auditor checklist, or see all compliance frameworks we cover.

    Related Services

    Pentest Services Included in Every Compliance Engagement

    Every compliance pentest pulls from these test-type services as needed. Scope is sized to your environment, not padded with hours.