
SaaS Penetration Testing: SOC 2, ISO 27001 & B2B Software Security

B2B SaaS companies face increasing security scrutiny from enterprise customers: SOC 2 Type 2 (US), ISO 27001:2022 (global), NIS2 (EU 'essential entities'), customer security questionnaires. Matproof Sentinel runs targeted SaaS pentests focused on multi-tenant isolation, API security, and audit-ready reports for SOC 2/ISO 27001 evidence — from €149.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

Why B2B SaaS requires specialized pentest focus

B2B SaaS companies face a security challenge that most software vendors do not: every customer expects assurance that the SaaS protects their data both from other customers (multi-tenant isolation) and from external attackers. SOC 2 Type 2 is the de facto standard for US enterprise sales; Trust Services Criteria 9.5 explicitly requires penetration testing. ISO 27001:2022 A.8.29 ('Security testing in development and acceptance') makes pentests mandatory for international enterprise customers. NIS2 requires periodic security testing under Art. 21, and SaaS providers serving critical sectors typically meet the EU 'essential entities' criteria and are therefore in scope. Beyond compliance, SaaS-specific attack patterns include multi-tenant isolation breaches (customer A accessing customer B's data), API token misuse, OAuth scope escalation, webhook signing bypass, and supply-chain attacks via SaaS-to-SaaS integrations (Zapier, Make.com).

  • SOC 2 Type 2: Trust Services Criteria 9.5 requires penetration testing, which is direct evidence for US enterprise customers; audit firms typically require a recent (< 12 months) pentest.
  • ISO 27001:2022 A.8.29: 'security testing in development and acceptance' — mandatory for ISO 27001 certification.
  • NIS2 (EU): SaaS providers serving critical sectors (energy, banking, health, transport) are 'essential entities' — Art. 21 requires periodic security testing.
  • Customer security questionnaires (CAIQ, Vendor Security Alliance): 90% include 'documented penetration testing' as a yes/no question with evidence required.
  • Multi-tenant isolation: SaaS-specific risk of customer A discovering customer B's data via a shared-infrastructure breach. The 2023 GitLab pentest (Project Trillium) identified 8 cross-tenant data leaks.
  • API security: SaaS APIs are typically the primary value driver and primary attack vector — OWASP API Top 10 (2023) coverage essential.
  • Supply-chain risk: SaaS-to-SaaS integrations create cascading risk — Okta breach (2022) cascaded to 600+ customer SaaS environments.

What we specifically test in a B2B SaaS application

  • Multi-tenant isolation: cross-tenant data access tests with test customer accounts in different tenants, query manipulation, ID enumeration for cross-tenant access.
  • OAuth2 / OIDC flows: PKCE compliance, state parameter handling, scope minimization, redirect_uri whitelist validation, refresh token rotation.
  • API authentication: JWT signing audit, API key scope validation, OAuth scope escalation, audit logging of API key usage.
  • Role-based access control (RBAC): privilege escalation between roles (Viewer → Admin), horizontal privilege escalation (User A → User B same role), workspace isolation in multi-workspace SaaS.
  • Webhook security: HMAC signature generation on outgoing webhooks (your platform → customer), HMAC signature validation on incoming webhooks (customer → your platform), replay attack prevention.
  • Custom domain handling: subdomain takeover (orphan DNS records), custom domain SSL certificate validation, host header injection.
  • SAML/SSO integration: SAML signature wrapping attacks, XML signature exclusion, SSO bypass via password reset flow.
  • Audit logging: GDPR Art. 32 + SOC 2 CC7.2 compliance, log integrity (tamper-evident), retention period verification, customer-accessible audit log security.
  • API rate limiting: per-customer rate limits (avoid noisy neighbor), DDoS protection at API gateway level, billing-related abuse (API call inflation).
  • Backup access: customer data export endpoint security, backup file access controls, customer right-to-be-forgotten (GDPR Art. 17) implementation.
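The webhook item above covers both directions: the sender signs each delivery, the receiver validates the HMAC, and both sides need protection against replays. The following is an added example (not Matproof's code, and not tied to any particular SaaS product) of one way to implement that pattern in Python with only the standard library. The header format (`t=<unix-ts>,v1=<hex-hmac>`), the shared secret, the 300-second freshness window and the sample body are all constructed assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed shared secret for illustration. A real platform issues one secret
# per customer webhook endpoint and supports rotation (accepting two secrets
# during the overlap period).
WEBHOOK_SECRET = b"example-shared-secret-do-not-reuse"
REPLAY_WINDOW_SECONDS = 300  # reject deliveries whose timestamp is older than 5 min


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side (platform -> customer): the HMAC covers the timestamp AND the
    body, so neither can be changed independently of the other."""
    message = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header: str) -> tuple[int, str]:
    """Parse 't=<ts>,v1=<hex>' into (timestamp, hex digest); raises on junk."""
    fields = dict(part.split("=", 1) for part in header.split(","))
    return int(fields["t"]), fields["v1"]


class WebhookVerifier:
    """Receiver side (customer -> platform, or a customer validating ours):
    checks freshness, then the HMAC in constant time, then replay."""

    def __init__(self, secret: bytes, window: int = REPLAY_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        # (timestamp, digest) pairs already accepted. In production this lives
        # in a shared store with a TTL equal to the window, not in memory.
        self.seen: set[tuple[int, str]] = set()

    def verify(self, header: str, body: bytes, now: int) -> tuple[bool, str]:
        try:
            timestamp, provided = parse_signature_header(header)
        except (KeyError, ValueError):
            return False, "malformed signature header"
        # Freshness first: an old signature is rejected even if it is valid,
        # which bounds how long a captured delivery stays useful.
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside replay window"
        expected = hmac.new(
            self.secret, str(timestamp).encode() + b"." + body, hashlib.sha256
        ).hexdigest()
        # compare_digest avoids leaking the digest through timing differences.
        if not hmac.compare_digest(expected, provided):
            return False, "signature mismatch"
        key = (timestamp, provided)
        if key in self.seen:
            return False, "replayed delivery"
        self.seen.add(key)
        return True, "ok"
```

A verifier that checks the signature but not the timestamp, or the timestamp but not a seen-set, still accepts a captured delivery re-sent within the window; a pentest of the incoming-webhook side exercises exactly those two gaps, which is why the example tracks both.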

Sample finding

Critical

Multi-tenant isolation breach via API endpoint — Customer A accesses Customer B data

Our pentest of a B2B SaaS platform discovered a critical multi-tenant isolation breach. The endpoint /api/exports/download accepts a file_id parameter to retrieve exported customer data. The endpoint validates that the authenticated user is allowed to download exports (it checks for the 'download' permission) but does not validate that the requested file_id belongs to the user's tenant. By incrementing file_id sequentially (file_id=1, 2, 3...), we accessed export files from 47 different customer tenants, including financial data, customer lists, and internal documents. Time from authenticated user to cross-tenant data extraction: 8 minutes. This is a classic SaaS multi-tenant isolation failure.

Fix:
  • Immediate action (priority 1): add a tenant_id check to the /api/exports/download endpoint, verifying that the export's tenant matches the authenticated user's tenant.
  • Verify: after the fix, a request to download another tenant's export must return 403.
  • Systemic actions: tenant_id verification middleware applied automatically on all API endpoints (zero-trust pattern); UUIDs instead of sequential IDs for export files; review of audit logs for the last 90 days for cross-tenant access to identify any previous exploitation; security advisory notification to affected customers per GDPR Art. 33 (data breach notification, 72h).

Reference: OWASP API1:2023 Broken Object Level Authorization · CWE-639 Authorization Bypass Through User-Controlled Key · CWE-862 Missing Authorization · GDPR Art. 32(1)(b) · SOC 2 CC6.1
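To make the finding and its fix concrete, here is an added example in Python (not the platform's code and not Matproof's; the framework-free handlers, store class and sample tenants are constructed for illustration). It puts the defective handler beside the fixed one and shows the three remediation ideas from the fix list together: a tenant check in the endpoint, a middleware-style wrapper that applies the check to every wrapped endpoint, and random UUIDs instead of sequential file IDs.

```python
import uuid
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    permissions: frozenset


@dataclass(frozen=True)
class Export:
    file_id: str
    tenant_id: str
    contents: str


class ExportStore:
    """Constructed in-memory stand-in for the exports table."""

    def __init__(self):
        self._rows = {}

    def create(self, tenant_id: str, contents: str) -> str:
        # Random UUIDs remove the "increment file_id" enumeration path; the
        # authorization check below is still required, the UUID is only a
        # second layer.
        file_id = str(uuid.uuid4())
        self._rows[file_id] = Export(file_id, tenant_id, contents)
        return file_id

    def get_unscoped(self, file_id: str):
        return self._rows.get(file_id)

    def get_for_tenant(self, tenant_id: str, file_id: str):
        """Tenant-scoped lookup: the query itself carries the tenant filter, so
        a handler that forgets the check still cannot read another tenant's row."""
        row = self._rows.get(file_id)
        if row is None or row.tenant_id != tenant_id:
            return None
        return row


def download_export_vulnerable(store, user, file_id):
    """Mirrors the reported defect: the permission is checked, the tenant is not."""
    if "download" not in user.permissions:
        return 403, "forbidden"
    export = store.get_unscoped(file_id)
    if export is None:
        return 404, "not found"
    return 200, export.contents


def tenant_scoped(handler):
    """Middleware-style wrapper (the 'systemic' fix): deny any object outside
    the caller's tenant before the handler runs, so every wrapped endpoint
    gets the check even if its author forgets it."""

    @wraps(handler)
    def wrapper(store, user, file_id):
        export = store.get_unscoped(file_id)
        if export is not None and export.tenant_id != user.tenant_id:
            return 403, "forbidden"  # matches the verification step in the fix
        return handler(store, user, file_id)

    return wrapper


@tenant_scoped
def download_export_fixed(store, user, file_id):
    """Permission check plus a tenant-scoped query: belt and braces."""
    if "download" not in user.permissions:
        return 403, "forbidden"
    export = store.get_for_tenant(user.tenant_id, file_id)
    if export is None:
        return 404, "not found"
    return 200, export.contents


def demo():
    """Constructed scenario: a tenant-A user requests tenant-B's export."""
    store = ExportStore()
    a_file = store.create("tenant-a", "tenant A financial data")
    b_file = store.create("tenant-b", "tenant B customer list")
    alice = User("alice", "tenant-a", frozenset({"download"}))
    return {
        "vulnerable_cross_tenant": download_export_vulnerable(store, alice, b_file)[0],
        "fixed_cross_tenant": download_export_fixed(store, alice, b_file)[0],
        "fixed_own_tenant": download_export_fixed(store, alice, a_file)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The wrapper returns 403 because that is what the fix's verification step expects; some teams prefer to answer 404 for objects in other tenants so the response does not confirm that the ID exists at all. Either way the retest is the same: an authenticated user in one test tenant requesting an export ID from another test tenant must never receive a 200.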

SaaS pentest options compared

Feature                                  | Free scan         | Matproof Sentinel  | Traditional consultancy
Automated scan engine                    | ✓ (3-min preview) | ✓ Full scan        | ✗ Manual only
OWASP Top 10 coverage                    | Partial           | ✓ Complete         | ✓ Complete
Proof-of-exploit evidence                |                   | ✓ Per finding      | ✓ Per finding
Regulatory mapping (DORA/NIS2/ISO 27001) |                   | ✓ Automated        | ✓ Manual
Audit-ready PDF report                   |                   | ✓ Instant          | ✓ 2–4 weeks delivery
Continuous / recurring scans             |                   | ✓ Per deploy       | ✗ Annual engagement
Time to first result                     | ~3 min            | ~30 min full scan  | 2–4 weeks
Price                                    | €0                | From €149          | €8,000–€25,000
Source code review (SAST)                |                   | ✓ On Growth plan   | ✓ Scoped engagement
API testing (REST/GraphQL)               |                   | ✓ Automated        | ✓ Manual

SaaS pentest packages

Single Run
€149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)

Starter (recommended)
€299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support

Growth
€799 / month
  • Unlimited scans + domains
  • Authenticated / White-Box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about SaaS pentest

Is Matproof Sentinel sufficient for SOC 2 Type 2 audit?

Yes. SOC 2 Type 2 (CC9.5) requires documented penetration testing performed by qualified parties. Our report includes the methodology, tester qualifications (OSCP-equivalent certifications), scope, findings, remediation, and post-fix verification — exactly what SOC 2 auditors check.

How does multi-tenant testing work without affecting other customers?

We use test accounts in different tenants (you provide 2+ test tenants, ideally with different subscription tiers). All testing happens between these test tenants — no real customer data is accessed. For production environments, we can also test against a staging tenant with identical configuration.

Do you test SAML/SSO integrations (Okta, Azure AD, Google Workspace)?

Yes. We test SAML signature validation (SAML signature wrapping attacks), XML signature exclusion, SSO bypass attempts via password reset flow, SAML response replay. For Okta/Azure AD integrations, we test the configuration on your side — not the IdP itself.

Can the pentest be repeated quarterly for ISO 27001 evidence?

Yes. The Starter plan (€299/mo) and Growth plan (€799/mo) include continuous scanning. Many ISO 27001 certified SaaS companies run a combination of monthly Matproof Sentinel scans and an annual external pentest.

Do you provide evidence for customer security questionnaires (CAIQ)?

Yes. Our report includes structured answers to common CAIQ (Consensus Assessments Initiative Questionnaire) questions: penetration testing frequency, methodology, scope, remediation tracking. This saves significant time on customer security questionnaire responses.

How do you handle our microservices architecture (10+ services)?

We parallelize the scan across services. Typical timeline: 2-4 hours for 10-30 microservices. Each service is tested for OWASP Top 10 issues, API-specific vulnerabilities, and service-to-service authentication.

Can you test our Kubernetes/EKS/GKE deployment specifically?

Yes, in Growth plan. We test: pod security policies, RBAC, secret management, container image vulnerabilities (Trivy/Snyk integration), network policies, ingress controller configuration.

Do you test our customer-facing API portal?

Yes. API portal pentest is part of our SaaS scan: developer authentication, API key generation/rotation security, documentation endpoint exposure, OAuth flow integration.

Audit-ready SOC 2 / ISO 27001 SaaS pentest

First scan in 3 minutes, complete SaaS pentest in 60-90 minutes with multi-tenant isolation testing. SOC 2 / ISO 27001 / NIS2-ready report from €149.
