Compliance Testing

SOC 2 Penetration Testing

Reports your auditor will accept.

Sherlock Forensics delivers SOC 2 penetration testing mapped to Trust Services Criteria CC6.1, CC7.1 and CC7.2. Deliverables include a detailed findings report with CVSS scoring, executive summary, remediation roadmap and attestation letter structured for auditor review. Standard engagements start at $5,000 CAD and Comprehensive engagements at $12,000 CAD.

Why It Matters

Why Your SOC 2 Audit Needs a Penetration Test

Auditors Expect It

While SOC 2 does not use the words "penetration test," Trust Services Criteria CC6.1, CC7.1 and CC7.2 require you to demonstrate that security controls are tested and vulnerabilities are identified. A penetration test is the clearest way to meet that requirement, and most CPA firms expect one in your evidence package.

Maps to Trust Services Criteria

CC6.1 covers logical and physical access controls. CC7.1 addresses detection of unauthorized or malicious activity. CC7.2 focuses on monitoring system components for anomalies. Every finding in our report is mapped to the specific criteria it satisfies, giving your auditor a direct reference.

Structured for the Audit

Our reports are not generic vulnerability lists. They are formatted for auditor consumption with CVSS-scored findings, remediation status tracking and an attestation letter confirming scope, methodology and qualifications. If your auditor requests format adjustments, we accommodate them at no extra cost.

Timing

Type I vs Type II: When to Test

SOC 2 Type | What It Evaluates | Pentest Timing
Type I | Control design at a single point in time | One pentest before the audit date
Type II | Control effectiveness over 6-12 months | At least one pentest during the review period; many auditors prefer two

First-Time SOC 2

If you are pursuing your first SOC 2 report, schedule a penetration test at least 4 weeks before your audit window opens. This gives you time to remediate critical findings and demonstrate that controls are in place before your auditor reviews the evidence.

Annual Renewal

For Type II renewals, schedule your pentest early in the observation period. This ensures findings are remediated well before the audit closes. If your auditor requires a second test, schedule the retest in the final quarter of the review period to show sustained control effectiveness.

What You Get

SOC 2 Pentest Deliverables

Findings Report

Detailed technical findings with CVSS v3.1 scoring, proof-of-concept evidence, exploitation steps and mapping to the specific Trust Services Criteria each finding affects. Organized by severity for efficient triage.

Executive Summary

A concise overview for leadership and your auditor covering scope, methodology, risk posture, key findings and overall assessment. No jargon, just the information decision-makers need.

Remediation Roadmap

Prioritized remediation plan organized by risk impact, effort and compliance relevance. Each finding includes specific, actionable fix guidance so your team knows exactly what to do and in what order.

Attestation Letter

A formal letter confirming the penetration test scope, methodology, tester qualifications and engagement dates. Designed for direct inclusion in your SOC 2 evidence package. Your auditor can reference it without follow-up questions.

Pricing

SOC 2 Pentest Pricing

Tier | Price (CAD) | Includes
Standard | $5,000 | External network and web application testing, findings report, executive summary, remediation roadmap, attestation letter
Comprehensive | $12,000 | Everything in Standard plus internal network testing via ShadowTap, cloud configuration review, expanded remediation roadmap, retest of critical findings

Frequently Asked Questions

SOC 2 Penetration Testing FAQs

Does SOC 2 require a penetration test?
SOC 2 does not explicitly mandate a penetration test, but Trust Services Criteria CC6.1, CC7.1 and CC7.2 require organizations to demonstrate they test security controls and identify vulnerabilities. A penetration test is the most effective way to satisfy these criteria, and most auditors expect one.

What is the difference between SOC 2 Type I and Type II for penetration testing?
Type I evaluates control design at a specific point in time, so a single pentest before the audit date is sufficient. Type II evaluates control effectiveness over 6 to 12 months and requires at least one pentest during the review period. Many auditors prefer testing at both the beginning and end of the observation window.

What Trust Services Criteria does a SOC 2 pentest address?
A SOC 2 penetration test primarily addresses CC6.1 (logical and physical access controls), CC7.1 (detection of unauthorized or malicious activity) and CC7.2 (monitoring of system components for anomalies). Our reports map every finding to the specific criteria it affects.

What deliverables does a SOC 2 pentest include?
Deliverables include a detailed findings report with CVSS scoring, an executive summary for leadership, a remediation roadmap prioritized by risk and an attestation letter confirming scope, methodology and results. All deliverables are structured for auditor review.

How long does a SOC 2 penetration test take?
Standard engagements take 5 to 10 business days from kickoff to final report. Comprehensive engagements with internal network testing take 10 to 15 business days. We recommend scheduling at least 4 weeks before your auditor needs the report.

Will my auditor accept your pentest report?
Yes. Our reports are structured for SOC 2 auditor review with CVSS-scored findings mapped to Trust Services Criteria, remediation status tracking and a formal attestation letter. If your auditor requests format adjustments, we accommodate those at no additional cost.

How much does a SOC 2 penetration test cost?
Standard SOC 2 penetration testing starts at $5,000 CAD and covers external network and web application testing with full deliverables. Comprehensive engagements start at $12,000 CAD and add internal network testing, cloud configuration review and retest of critical findings. Order online or contact us for custom scoping.

Get Started

Ready for your SOC 2 pentest?

Standard from $5,000 CAD. Comprehensive from $12,000 CAD. Reports structured for your auditor with attestation letter included.

Order Online

Scope Your SOC 2 Penetration Test

Tell us about your SOC 2 timeline, environment scope and auditor requirements. We will provide a fixed-price quote within one business day.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada
Typical Timeline: 5-15 business days from kickoff to final report