SOC 2 penetration testing

Ship the SOC 2 audit with zero criticals.

CREST-accredited researchers find and prove the exploits your SOC 2 auditor is about to ask about. Two to three weeks from kickoff to a report your auditor drops straight into the file.

GET YOUR SCOPING CALL

Talk to a security expert

Trusted by SOC 2 reporters across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most pentest reports do not survive the SOC 2 audit.

  • Templated reports get rejected. Auditors want proof that a finding is exploitable, not a CVSS score copied from a scanner.

  • Annual-snapshot pentests leave the other eleven months of the year unobserved. Auditors assessing continuous monitoring flag the gap.

  • Findings without reproducers, severity rationale, and remediation get noted as low-quality in the SOC 2 file.

Here is what we ship.

Why teams pick us

Evidence, not template padding.

  • Auditor-ready evidence

    Findings shaped for SOC 2 CC4.1, CC7.1, CC8.1 evidence. Auditor drops the file straight in.

  • Proof on every critical

    Working reproducer, video, severity rationale. No 'theoretical CVSS 9.8' findings.

  • Re-test for Type II

    Ship the fix and we verify it. Same engagement, no new SOW for the Type II window.

How it works

From kickoff to report in two to three weeks.

  1. Scope to the trust services

    Tell us which Trust Services Criteria are in scope: CC (Security / Common Criteria), A (Availability), C (Confidentiality), PI (Processing Integrity), P (Privacy). We map them to attack surface on the call.

  2. Researchers go deep

    CREST-accredited researchers test the same way an attacker would, chaining findings end-to-end instead of reporting each one in isolation.

  3. Report your auditor accepts

    Findings tagged to controls. Reproducer plus severity plus remediation. Type II re-test included.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your SOC 2 pentest.

Full advisories index

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom

Common questions

What SOC 2 reporters ask before they sign.

Which SOC 2 controls does the report cover?
Findings tag to CC4.1, CC7.1, CC8.1 and the TSC you select. Auditors accept it as control evidence.
How does this work with a Type II audit?
We re-test fixes inside the observation window. No new engagement required.
How long does the pentest take?
Two to three weeks per asset. Multi-asset SOC 2 scopes confirmed on the first call.
Who actually tests?
CREST-accredited researchers who publish CVEs. Resumes on file for the auditor on request.
Will you sign a letter for the auditor?
Yes. One-line scope letter on letterhead, signed by the lead pentester.

Ready to ship the SOC 2 audit with zero criticals?

20-minute scoping call with the lead pentester. No slides, just questions about your TSC scope and what your auditor flagged last cycle.

CREST · CERT-In · SOC 2 · ISO 27001