SOC 2 Compliance

SOC 2 Penetration Testing

Audit-ready pentests for Trust Services Criteria CC4.1 and CC7.1. Generate the technical evidence your SOC 2 Type I and Type II auditors ask for — automatically, every month.


Why SOC 2 pentesting matters now

SOC 2 has become the default enterprise-sales prerequisite for B2B SaaS. Type II audits require operating effectiveness evidence across a 6–12 month observation period — which means your pentest programme cannot be an annual event that happens to fall inside the audit window. Continuous testing is no longer a nice-to-have; it is the only way to pass Type II without exceptions.

SOC 2 clause-by-clause coverage

Every Matproof finding is mapped to the specific SOC 2 clause it informs. Your auditor sees the control, the evidence, and the remediation in one report.

CC4.1

COSO Principle 16 — Ongoing and/or separate evaluations

Requirement: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

How Matproof covers it: Matproof runs continuous (ongoing) scans and delivers separate formal penetration test reports — satisfying both evaluation modes named in CC4.1. Every scan is timestamped and stored as immutable audit evidence.

CC7.1

Detection and monitoring of changes that could impact system security

Requirement: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

How Matproof covers it: Matproof detects new vulnerabilities on every deploy (new CVEs, new code paths, new cloud resources) and flags configuration drift. This is the exact control CC7.1 describes.

CC7.2

Monitoring system components and operation for anomalies

Requirement: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.

How Matproof covers it: Scheduled scans catch anomalies such as exposed services, configuration drift, and regression of previously fixed findings.

CC7.4

Responding to identified security incidents

Requirement: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents.

How Matproof covers it: Every Matproof finding includes severity, impact, and remediation guidance — the inputs to your incident-response program. Integrations with Jira, Linear, and ServiceNow track incidents through to closure.

CC8.1

Managing changes to infrastructure, data, software, and procedures

Requirement: The entity authorises, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

How Matproof covers it: Matproof runs as a CI/CD gate — changes are tested before merge, aligning with CC8.1's 'tests changes' language.

What Matproof tests for SOC 2

  • Production web applications and customer portals
  • Internal and public APIs
  • Source code across your primary repositories
  • Cloud infrastructure (AWS, Azure, GCP)
  • SSO and authentication systems
  • Data-handling systems in scope for the Security TSC
  • Additional TSCs as scoped: Availability, Processing Integrity, Confidentiality, Privacy

Audit-ready SOC 2 reports

  • Each finding mapped to the specific TSC (CC4.1, CC7.1, CC7.2, CC7.4, CC8.1) it informs
  • CVSS 3.1 severity and business impact evaluation
  • Proof-of-exploit evidence with reproduction steps
  • Remediation evidence for Type II observation-period coverage
  • Monthly scan cadence that produces the ongoing evidence stream Type II auditors require
  • Export-ready documentation for big-four and mid-market auditors (Deloitte, PwC, KPMG, EY, A-LIGN, Schellman, Prescient)

SOC 2 Penetration Testing — FAQ

Is penetration testing required for SOC 2?

The AICPA Trust Services Criteria do not explicitly require penetration testing, but CC4.1 (ongoing evaluation) and CC7.1 (detection of new vulnerabilities) make it the standard control. Nearly every SOC 2 audit requests recent pentest evidence, and most auditors will issue an exception if none is provided.

What is the difference between SOC 2 Type I and Type II?

Type I is a point-in-time attestation that controls are designed and implemented. Type II assesses operating effectiveness across a 6–12 month observation window. Type II is the one enterprise customers actually ask for, and the one where continuous testing evidence matters most.

How often should we pentest for SOC 2 Type II?

At minimum annually, but evidence of continuous vulnerability detection across the full observation period is increasingly expected. Matproof's monthly scans satisfy this directly. For the Security TSC alone, most customers run scans weekly.

Will my SOC 2 auditor accept Matproof reports?

Yes. The report format includes CVSS scoring, proof-of-exploit, remediation tracking, and TSC mapping — exactly what SOC 2 auditors look for. We have customers attested with A-LIGN, Prescient Assurance, Schellman, Deloitte, and KPMG using Matproof as their primary pentest evidence.

Can Matproof cover additional TSCs beyond Security?

Yes. Availability testing verifies redundancy and failover behaviour; Processing Integrity testing catches data-handling flaws; Confidentiality testing confirms encryption and access controls; Privacy testing validates PII handling. Additional TSCs are configured per engagement.


Ready to make SOC 2 pentesting continuous?

Start a free scan in minutes. Get your first SOC 2-mapped findings the same day.
