SOC 2 usually requires that a company conduct vulnerability scanning on a regular basis and take proper steps to address those risks.
A company can meet SOC 2 audit requirements for vulnerability scanning through the following actions:
- Perform a third-party penetration (pen) test at least annually from a reputable vendor or firm
- Identify and resolve identified critical and high-risk vulnerabilities
The pen test requirement may vary from auditor to auditor, but as a security best practice we'd highly recommend getting a pen test.