Use Case · Compliance

A Pentest That Survives Your Audit.

Most compliance frameworks expect or require a real penetration test. A scan exported to PDF does not satisfy an auditor who knows the standard. Here is what each framework actually asks for, and the evidence that passes review.

File · Answer first

Answer first

The faster question than whether you need a pentest is which of two camps your framework sits in. PCI DSS and CMMC name testing in the requirement text, so the test is non-negotiable. SOC 2, ISO 27001, and HIPAA do not say the word, but the examiners who assess them read the control language as an expectation of independent, manual testing with attack-path evidence, which means a scan export quietly fails the same bar. Either way you need a real test, and an auditor who knows the standard separates a scan export from a tested finding in about thirty seconds. The rest of this page maps each framework to the evidence its examiner actually accepts.

File · What each

What each framework actually asks for

The frameworks differ in whether they say the word "penetration test" out loud. They converge on the same thing in practice: evidence that a competent human tried to break the in-scope systems and documented what an adversary could do.

  • [01] SOC 2. The Trust Services Criteria (CC4.1 monitoring, CC7.1 detection of system changes) do not mandate a pentest by name. Examiners operationalize them as an annual third-party test with manual validation and attack-path narrative. A scan alone does not demonstrate the control. See SOC 2 penetration testing.
  • [02] PCI DSS 4.0.1. Requirement 11.4 explicitly requires penetration testing, internal and external, at least annually and after significant change. It also requires segmentation testing to prove the cardholder data environment is actually isolated. This one is not an interpretation. See PCI DSS penetration testing.
  • [03] HIPAA. The Security Rule requires a risk analysis (164.308(a)(1)(ii)(A)). A penetration test is the evidence that the analysis reflects real exposure of ePHI rather than a paper exercise. See HIPAA penetration testing.
  • [04] CMMC. Level 2 maps to NIST SP 800-171 and is assessed against those controls; Level 3 layers on a subset of NIST SP 800-172, whose enhanced requirements lean toward adversarial, threat-realistic assessment. For defense contractors handling CUI, testing is part of clearing the assessment. See CMMC Level 2 penetration testing.
  • [05] ISO 27001:2022. Annex A controls A.8.8 (technical vulnerability management) and A.8.29 (security testing in development) drive auditors to expect a technical assessment of the controls in your Statement of Applicability. See ISO 27001 penetration testing.

File · The gap

The gap a scanner leaves

A scanner reports what its signature database already knows. It cannot chain a low-severity finding into a high-severity attack path, it cannot prove segmentation actually holds, and it cannot tell an auditor what an adversary would have done with a finding inside your boundary. Those are exactly the questions a competent examiner asks. Hand an experienced auditor a Nessus or Burp export with the in-scope systems renamed and your logo on the cover, and they will grade it as the scan it is.

The full breakdown of why a scan and a test are not interchangeable is here: penetration test vs vulnerability scan. For audit purposes the line is simple. Scans cover volume between tests; the audit wants the depth only manual testing produces.

Operator Note

Operator Note

Scope the test to the audit boundary, not the network diagram. The system description, the cardholder data environment, the ePHI flow, or the CUI boundary is what the auditor is examining, so that is what the test should cover. A test that ranges outside the boundary wastes budget; a test that misses part of the boundary leaves a gap fieldwork will find.

Operator Note OPR · STANDARD-OF-WORK
“An auditor is not reading your report for the CVSS scores. They are reading it to see whether a human tested the thing they are about to attest to. A scan export answers a different question than the one being asked.”
Bailey Besheer, Managing Director of Cybersecurity Services

File · The evidence

The evidence auditors actually want

  • [01] Scope statement tied to the framework boundary, so the auditor can see the test covered what they are attesting to.
  • [02] Attack-path narrative per finding, not just a severity label. Examiners increasingly ask what an adversary would do with each finding.
  • [03] Segmentation results where the framework requires them (PCI DSS), proving isolation actually holds rather than asserting it.
  • [04] A retest delta document mapping each remediation back to the original finding, so the auditor sees the issue closed within the audit window. This is what unlimited remediation validation produces, with no per-finding charge.
  • [05] An executive summary the auditor and your leadership can both read without translation.

File · Timing the

Timing the test before your audit date

Work backward from fieldwork. A typical engagement runs two to four weeks of active testing plus a one-week report cycle, and you want remediation and a retest to land before the auditor arrives. That means starting roughly six to eight weeks ahead of fieldwork for a clean cycle. If your date is tighter than that, say so on the scoping call. We scope around the audit window and tell you the realistic timeline, not the optimistic one. The full mechanics of a manual engagement are on the penetration testing page.

File · FAQ

Frequently Asked Questions

Q1 Does SOC 2 require a penetration test?

SOC 2 does not name a penetration test in the criteria. The Trust Services Criteria (CC4.1 and CC7.1) require evidence of independent security testing, and examiners operationalize that as an annual third-party penetration test with manual validation and attack-path narrative. A vulnerability scan alone does not demonstrate the control to an examiner who knows the standard.

Q2 Will a vulnerability scan pass my audit?

Rarely, and not for the frameworks that matter here. PCI DSS 4.0.1 explicitly requires penetration testing and segmentation testing in requirement 11.4. For SOC 2, ISO 27001, HIPAA, and CMMC, a scan export shows the auditor a list of potential issues, not that anyone tested the boundary. Auditors who know the difference treat a scan-and-PDF as a scan.

Q3 How fast can you test before my audit date?

Start about six to eight weeks ahead of fieldwork for a clean test, remediate, and retest cycle. If your date is tighter, we say so on the scoping call and test the boundary the auditor examines first.

Q4 Does the report meet my framework's evidence requirements?

Yes. We produce a scope statement tied to the audit boundary, an attack-path narrative per finding, segmentation results where the framework requires them, an executive summary, and a retest delta document mapping each fix to its original finding. Those are the artifacts examiners ask for across SOC 2, PCI DSS, HIPAA, CMMC, and ISO 27001.

Request a Penetration Test Talk to an Operator

Talk to an Operator

Ready to See Your Environment the Way Attackers Do?

Real operators. Real attack paths. Real business impact. Talk to us about your security goals.

Talk to an Operator

Related

Map the test to your framework

Each framework page covers the controls, scope, and evidence that auditor expects.

SOC 2 penetration testing

CC4 and CC7 evidence with attack-path narrative.

PCI DSS penetration testing

Requirement 11.4 testing, including segmentation.

HIPAA penetration testing

Risk-analysis evidence across the ePHI environment.

CMMC Level 2 penetration testing

NIST 800-171 assessment for CUI boundaries.

ISO 27001 penetration testing

Annex A technical review mapped to your SoA.

Unlimited remediation validation

Retest evidence packaged for your audit window.