SOC 2 penetration testing: what auditors actually expect for CC4.1 and CC7.1

SOC 2 never says 'you must run a penetration test' in so many words — which is exactly why teams get caught out. Auditors expect penetration testing as evidence for the Trust Services Criteria on monitoring (CC4.1) and vulnerability management (CC7.1), and your enterprise customers increasingly demand it in security questionnaires. Matproof Sentinel delivers the OWASP-methodology testing and audit-ready documentation a SOC 2 auditor needs, from €149, with a free scan to start.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

How penetration testing maps to the SOC 2 Trust Services Criteria

SOC 2 is built on the Trust Services Criteria, and several of the Common Criteria are difficult to evidence without penetration testing. CC4.1 (the entity selects and develops monitoring activities to evaluate whether controls are operating) and CC7.1 (the entity uses detection and monitoring procedures to identify vulnerabilities) effectively expect a programme that finds vulnerabilities before attackers do — and a penetration test is the most direct evidence that such a programme exists and works. CC7.2 and the risk-assessment criteria (CC3.x) similarly benefit from the concrete, prioritised findings a test produces. While a SOC 2 auditor will accept a range of evidence, in practice most expect to see at least an annual penetration test, vulnerability scanning, and a remediation log — and your prospects' procurement teams will ask for the pentest report directly in their vendor security review. A Type II report covers a period of time, so the testing evidence must show coverage across that window, not just a single point-in-time scan at the end.

  • CC4.1 & CC7.1: penetration testing is the cleanest evidence that your monitoring and vulnerability-management controls actually identify weaknesses.
  • Type II = a period, not a point: a Type II report needs testing evidence spanning the review window — continuous testing fits this better than a single annual scan.
  • Procurement gate: enterprise buyers routinely ask for your pentest report in the security questionnaire — having a current one shortens sales cycles.
  • Auditor expectation: SOC 2 doesn't list pen-testing explicitly, but most auditors expect an annual test plus vulnerability scanning and a remediation log.

What a SOC 2 penetration test should cover

  • Web application security — OWASP Top 10 (2021): broken access control, injection, cryptographic failures, security misconfiguration, and insecure design across your SaaS application.
  • API security — OWASP API Security Top 10 (2023), driven by your OpenAPI spec: BOLA, broken authentication, and excessive data exposure (the classic multi-tenant SaaS risks).
  • Multi-tenancy isolation — authenticated testing across two identities to prove one customer/tenant cannot reach another's data (the breach that ends a SaaS company).
  • Authentication & session management — MFA enforcement, session handling, JWT and API-key security, and password-policy controls (CC6.x logical access).
  • Infrastructure & configuration — TLS configuration, security headers, exposed services, and known-CVE exposure across your perimeter.
  • Audit-ready output — methodology, CVSS ratings, proof-of-exploit, and remediation tracking, mapped to the relevant Trust Services Criteria for your auditor's workpapers.

Sample finding

Critical

Cross-tenant data access via missing authorization check (multi-tenant SaaS)

Authenticated grey-box testing with two tenant accounts found that the /api/reports/{reportId} endpoint authorized on authentication but not on ownership: a user in tenant A could retrieve reports belonging to tenant B by supplying B's report ID. For a SOC 2 SaaS vendor this is the highest-severity class of finding — a direct failure of the logical-access controls under CC6.1 and a breach of the confidentiality commitment most SaaS SOC 2 reports include. It is also exactly the issue an enterprise prospect's security team probes for before signing.

Fix: Enforce tenant-scoped authorization on every object-referencing endpoint: confirm the requested resource belongs to the caller's tenant, ideally via a centralized authorization layer rather than per-endpoint checks. Add automated tests that assert cross-tenant access is denied, and re-run the penetration test to confirm the fix before it reaches the SOC 2 evidence window.

Reference: OWASP API1:2023 Broken Object Level Authorization · OWASP A01:2021 Broken Access Control · CWE-639 · SOC 2 CC6.1 / CC6.3
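The finding and fix above, worked through as an added example (not Matproof's code): a hypothetical /api/reports/{reportId} handler that checks authentication but not ownership, next to the same handler with the tenant-scoped check moved into one central helper, plus the cross-tenant regression test the fix recommends. Tenant, user and report IDs are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    report_id: str
    tenant_id: str
    body: str


@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant_id: str


# Constructed sample data: one report belonging to each tenant.
REPORTS = {
    "r-1001": Report("r-1001", "tenant-A", "Q1 report (tenant A)"),
    "r-2001": Report("r-2001", "tenant-B", "Q1 report (tenant B)"),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorized for the requested object."""


def get_report_vulnerable(caller: Caller, report_id: str) -> Report:
    # As in the finding: authentication happened upstream, ownership is never
    # checked, so any logged-in user can read any report by supplying its ID.
    return REPORTS[report_id]


def authorize_tenant_object(caller: Caller, obj) -> None:
    # Central authorization layer: every object-referencing endpoint calls this
    # before returning data, so the check cannot be forgotten per endpoint.
    if obj.tenant_id != caller.tenant_id:
        raise Forbidden(f"{caller.user_id} may not access {obj.tenant_id} objects")


def get_report_fixed(caller: Caller, report_id: str) -> Report:
    report = REPORTS.get(report_id)
    if report is None:
        raise KeyError(report_id)
    authorize_tenant_object(caller, report)  # tenant scope enforced here
    return report


def cross_tenant_denied(handler) -> bool:
    """Regression test from the fix: a tenant-A user must not read tenant B's report."""
    alice = Caller("alice", "tenant-A")
    try:
        handler(alice, "r-2001")  # report owned by tenant-B
    except Forbidden:
        return True
    return False
```

In a real API the Forbidden case is usually surfaced as 404 rather than 403 so that valid IDs of other tenants are not confirmed; the ownership check itself is the part the auditor and the pentester care about.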

SOC 2 penetration testing options

| | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | | ✓ Automated | ✓ Manual |

Matproof Sentinel for SOC 2

Single Run
€149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)
Recommended
Starter
€299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support
Growth
€799 / month
  • Unlimited scans + domains
  • Authenticated / White-Box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about SOC 2 penetration testing

Does SOC 2 require a penetration test?

Not by explicit line item — SOC 2 is principles-based around the Trust Services Criteria rather than a prescriptive checklist. However, auditors expect penetration testing as evidence for the monitoring (CC4.1) and vulnerability-management (CC7.1) criteria, and in practice most SOC 2 examinations include an annual penetration test plus vulnerability scanning. Your enterprise customers will also request the pentest report directly. So while it is technically not mandated, operating without one will create friction with both auditors and buyers.

Which SOC 2 criteria does penetration testing support?

Most directly CC4.1 (monitoring activities) and CC7.1 (identifying vulnerabilities through detection and monitoring). It also supports CC3.x (risk assessment) by surfacing concrete, prioritised risks, CC6.x (logical access) by validating authentication and authorization controls, and CC7.2 (security incident response readiness) by demonstrating you find issues before they become incidents.

How often do I need to pentest for SOC 2 Type II?

A Type II report covers a period (commonly 6–12 months), so your testing evidence needs to demonstrate coverage across that window — not just a single scan the week before the audit closes. An annual penetration test is the baseline, but continuous (PTaaS) testing is a stronger fit for Type II because it produces ongoing evidence throughout the review period and catches regressions introduced by deploys during the window.

Is a vulnerability scan enough for SOC 2, or do I need a penetration test?

Vulnerability scanning supports CC7.1, but auditors and customers increasingly distinguish it from penetration testing. Scanning finds known issues by signature; penetration testing actively exploits and chains weaknesses to demonstrate real impact (e.g. cross-tenant data access). For a credible SOC 2 programme, and to satisfy enterprise procurement, do both. Matproof Sentinel combines continuous scanning with exploit-validated penetration testing in one report.

Will Matproof Sentinel's report be accepted by my SOC 2 auditor?

Sentinel's report contains the elements auditors look for: documented scope and methodology, findings with CVSS ratings, proof-of-exploit, and remediation tracking, mapped to the relevant Trust Services Criteria. It serves as strong evidence for CC4.1 and CC7.1. For high-assurance examinations some auditors also like to see an identifiable tester sign the engagement; the common approach is continuous Sentinel testing plus a periodic human-led engagement, using the Sentinel reports as the ongoing evidence trail.

Get SOC 2-ready penetration testing evidence

Satisfy CC4.1 and CC7.1, and answer the security questionnaire with a current report. Matproof Sentinel delivers OWASP-methodology testing, multi-tenancy isolation checks, and audit-ready documentation — from €149, with a free scan to start.
