SOC 2 Compliance: Do I need a pentest or vulnerability scanning?

If you’re a CTO, CISO, Director of IT, or any of these related titles, you may also have to be a developer, a security engineer, a project manager, a lawyer, a risk manager, and a compliance expert. 

While compliance (SOC 2 compliance especially) is one of the most common reasons people first come to Red Sentry for cybersecurity, the framework can be confusing and we get a lot of questions around what is needed.

In my opinion, cyber security assessments will be like seatbelts before long. Seatbelts were invented in the 1800s, but very few people wore them until the government started requiring them (fun fact: New Hampshire is the only state in the US that does not require seat belts currently). While cyber security is growing rampantly, vulnerability assessments and security audits are still underused in many industries. Many people know they should do more, but because of budget, manpower, or other reasons, it gets put to the backburner… UNLESS their stakeholders require it. Because of the interconnectedness of business today, I believe that the government will impose minimum requirements for the majority of companies that touch the internet at some point. Whether that minimum requirement is an annual pentest, quarterly vulnerability scans, or just more defensive measures like increased firewalls, who knows. 

But for now, there are common frameworks that regulate specific spaces, and they have unique, sometimes confusing, requirements. As a disclaimer, I am not a compliance auditor by any means, but I have been involved with the topic on behalf of our clients for years. 

So let’s take a look into SOC 2 specifically, as this is one of the most common frameworks companies abide by. 

Who gets SOC 2 compliance? 

The most common organizations that undergo SOC 2 audits are SaaS companies and those that store client info in the cloud. One of the main purposes of a SOC 2 report is to show stakeholders and clients that a company has appropriate internal controls over data security and privacy. 

SOC 2 Type I deals with policies and procedures that were in place at a specific point in time, whereas SOC 2 Type II looks at a time period of at least 6 months. Most companies seeking SOC 2 compliance are striving for the SOC 2 Type II Report. 

What does SOC 2 require for cybersecurity? 

A common misconception is that SOC 2 requires penetration testing. SOC 2 requires appropriate policies and procedures based on your specific environment and how data is stored there. Technically, the words “penetration test” are not in the requirements. However, it has become a standard practice to satisfy the audit and that's the reason why many people think it is a pen testing compliance.

Here are the specific SOC 2 controls that penetration testing and vulnerability management may have an influence on, with CC4.1 and CC7.1 being the main two:

CC4.1 - The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.2 - The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

CC7.1 - To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

CC7.2 - The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.


The American Institute of Certified Public Accountants (AICPA) developed SOC with regards to its Trust Services Criteria (TSC). These criteria are what the SOC 2 audit will actually look for. When it comes to cybersecurity, the AICPA has designated penetration testing as one of the options for satisfying the criteria. They also reference vulnerability scans satisfying other criteria, even though they do not specifically mandate what is required. 

Basically, there is flexibility in the verbiage of the framework to allow for the uniqueness of companies, but the auditor will be looking to make sure these criteria are met, and penetration tests and vulnerability scans will play an important role. 

So do you need a pentest and vulnerability scans?

Long story short, yes. While not specifically defined, penetration tests (at least annually) and a continuous vulnerability management platform are the easiest and best ways to satisfy these cybersecurity areas. Auditors will be looking for these things as they analyze your company.

What types of tests do you need? That again depends on your environment. If you have a web application, you will most likely need a web application penetration test. If you have both internal and external assets, you will probably need pentests for both of those areas. If you store your data in AWS, you may need a cloud pentest. 

Red Sentry’s SOC 2 Package

If you’ve been through a SOC 2 audit, it can be excruciating, long, and expensive. And the last thing you need is to deal with months of pentesting and 5 different cybersecurity vendors on top of everything else. Red Sentry has created a unique offering to get you closer to your SOC 2 Report. 

Red Sentry’s SOC 2 Package includes a penetration test (for whatever appropriate environments you need tested) as well as 12 months of our continuous monitoring platform for vulnerability management. This package will satisfy the cybersecurity requirements you need, at a fraction of the cost of others. 

Contact us today to get your SOC 2 Cyber Security Package!

Valentina Flores
Valentina began her career as a police detective, assigned to a federal taskforce and eventually landing in cybercrimes. Red Sentry has created a hybrid approach that allows businesses to get a thorough manual pentest quickly, while also utilizing the Red Sentry software, to ensure year around security.

What Results You Can Expect

Below are just some of the reasons why you should choose Red Sentry.

No Lead Times

We make the process smooth. We have no lead times (for those ASAP pentests).

Dedicated Project Manager

Your PM will communicate with your team throughout the pentest process.

No Hidden Fees

There are no hidden fees or overage fees. The price you see, is what you get.


We offer a retest once you patch up any vulnerabilities.

Affordable Pentests

We make pentesting affordable by cutting out any fluff hourage.

Actionable Reporting

We report all criticals and highs to your team immediately during testing.

You're in Good Hands

Save time, avoid false positives, truly operationalize security, and manage costs.

Schedule a Pentest
Stars Review

Rated 4.8 on G2 & Capterra

"The Healthcare sector has been heavily affected by cyber attacks this past year. As we have so much sensitive data in our business, security is one of my main concerns. Since we’ve been using Red Sentry, I feel more confident because my team knows which patches need to be applied first and how to test them afterwards.”
Dana White
CTO, American Cosmetic Surgery Network
"We hold most of our data inside our Cloud infrastructure, which not many cybersecurity companies are focused on. Being able to have a thorough look at our Cloud security allows us to report our status to our clients and assure them we are taking a proactive approach to cybersecurity.”
Gabe Killian
VP Software Security, Procella Health
"Great enterprise tools for risk assessments. We were up and running on the software in just one day. Very easy team to work with and extremely affordable for the amount of visibility and features you get.”
David Lewandowski
CTO, United Networks of America
"We are pleased to have a strategic partnership with Red Sentry that offers our joint customers a leading integrated security solution that reduces risk and helps to keep threats out of the environment. Together, we are delivering highly accurate network assessments and intelligent automation of workflow processes and policies for a diverse customer base."
David Cartwright
Head of Commercial Cyber Security for Osi Vision

See how we compare

We strive to bring the best pentest solution, for the cheapest price. And did we mention that we are fast?

Other Pentest Solutions

Red Sentry

Time to Launch: Weeks to Months
Time to Launch: < 7 days
Price: High (excessive fluff hours charged)
Price: Most Affordable (Ask about Price Matching)
Support: Medium
Support: High with dedicated PMs and Team Leads
False Positive Rate: Medium
False Positive Rate: Low
Customer Satisfaction: 
Customer Satisfaction: High

Discover your vulnerabilities

Schedule a Pentest
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.