Penetration Test Information Page

As an information security best practice, Secureframe highly recommends that organizations perform an annual third-party penetration test of their internal and external environments and web applications. An annual test gives you awareness of potential vulnerabilities in your systems and the opportunity to remediate or mitigate any findings before they are exploited.

Though performing a pen test is highly recommended, it is not necessarily a hard pass/fail control requirement for SOC 2. What is required is that organizations implement a comprehensive vulnerability assessment program for their in-scope system(s) and application(s) to identify vulnerabilities and track their remediation. Each auditor sets their own requirements regarding the activities needed to satisfy this control.

While this control can, in some cases, be satisfied through a combination of paid and open-source scanning tools and manual activities, it is generally less costly and resource-intensive to have a pen test performed by a third party, and all auditors will accept a pen test report as evidence. A pen test also provides a much more in-depth assessment and analysis of any discovered vulnerabilities than automated scanning alone, and most pen test firms will offer guidance on the steps necessary to remediate any critical or high-severity vulnerabilities discovered.

Secureframe has established partnerships with the following pen test firms:

Your Customer Success Manager can make a warm introduction to Lost Rabbit Labs, Federacy, Insight Assurance, Prescient Security, TrustFoundry, Vonahi, and CyAlpha. You can self-schedule a demo with Cobalt.

We encourage you to evaluate several firms and make a selection based on the best fit for your business goals and budget requirements.
