Here is a question that comes up in almost every SOC 2 project: do we actually need a penetration test? The technically correct answer is that SOC 2 does not list a pen test as a mandatory control. The practical answer is that you will almost certainly end up doing one anyway. Let us explain why, so you can plan for it instead of being surprised by it.
What SOC 2 actually says
SOC 2 is built on the Trust Services Criteria, and it expects you to have a process for identifying and addressing vulnerabilities. It does not spell out that this must be a penetration test. In principle you could satisfy the intent with a strong vulnerability management program. In practice, two forces push almost everyone toward a pen test.
Auditors expect it. A penetration test is the cleanest evidence that you actively look for weaknesses the way an attacker would. Most auditors will ask whether you have had one, and its absence invites more questions than it saves.
Your buyers demand it. This is the bigger driver. The same enterprise customers who ask for your SOC 2 report also send security questionnaires, and those questionnaires ask when you last had a penetration test and by whom. Having a recent, credible report is often what actually unblocks the deal.
Type II and the annual rhythm
For a SOC 2 Type II, you are demonstrating that controls operate over time, so a one-time test years ago does not cut it. The common expectation is an annual penetration test, and another after any significant change to your systems. It becomes part of your yearly security rhythm rather than a one-off.
Scope it so it does double duty
The efficient move is to scope the penetration test so the same engagement serves your SOC 2 evidence, your enterprise security reviews, and your own need to actually find problems. That usually means testing the production application and the infrastructure that holds customer data, and receiving a report written to be shared with an auditor and a buyer, not just your engineers.
How we handle it
We run penetration tests that are built to serve as SOC 2 and enterprise-review evidence, delivered with our partner Lorikeet Security and led by a published security researcher with six CVEs. And because we also do the compliance readiness, we make sure the test lines up with the rest of your SOC 2 work instead of being a disconnected purchase. See our penetration testing services or the full compliance program, and if a deal or an audit is waiting, book a call.