What we assess
What your SOC 2 test covers
We test the systems in your SOC 2 boundary against the Trust Services Criteria, so your report shows controls that hold up under real attack, not just on paper.
Security (Common Criteria)
The core controls every SOC 2 covers: how you protect systems and data from unauthorized access.
We test for
- Access control and authentication
- Network and perimeter security
- Vulnerability and patch management
- Change management controls
Availability
Whether systems meet the uptime and resilience commitments you make to customers.
We test for
- Redundancy and failover
- Backup and recovery
- Capacity and monitoring
- Incident response
Confidentiality
How confidential data is protected in transit, at rest, and in use.
We test for
- Encryption in transit and at rest
- Data classification and handling
- Access restriction
- Secure disposal
Processing Integrity & Privacy
Whether processing is complete and accurate, and personal data is handled properly.
We test for
- Input and processing validation
- Data accuracy controls
- Privacy notice alignment
- Consent and retention
How it works
How your engagement runs
From scope through the final retest, your team stays in the loop at every step,
with findings tracked live in our platform.
- 01
Scope & align
We scope your SOC 2 boundary and align testing to the Trust Criteria.
- 02
Test criteria
Testing mapped to the Security and Availability Trust Criteria.
- 03
Auditor report
Findings mapped to your controls, ready for Vanta, Drata, or your GRC.
- 04
Fix & retest
Fix the findings, then a free retest before your examination.
Resources
Field notes from the offensive side
Offense in Depth in Red Team Operations
Defense in depth layers protection. Offense in depth layers attack paths so a red team still reaches its objective when one route fails. Here is how it works.
Security Between Penetration Tests
An annual pentest covers two weeks and leaves fifty uncovered. Here is how to secure the rest of the year without waiting for the next scheduled engagement.
The Limits of AI in Penetration Testing
AI is changing penetration testing, but it will not replace human testers. Here is what it does well, where it falls short, and why judgment still wins.
Want to see a real report first?
Request a redacted sample report before you scope an engagement.
01Does SOC 2 require a penetration test?
Most auditors do not mandate one outright, but nearly every serious examination expects a penetration test as evidence for the Security and Availability criteria, and enterprise customers frequently ask for it directly. We run the test and give you a report your auditor recognizes.
02When should we run the test relative to our audit?
Ideally inside your audit window and early enough to remediate any findings before the examination closes. We build the timeline around your audit dates so it does not become a last-minute scramble.
03Do you work with Vanta or Drata?
Yes. We format evidence so it uploads cleanly into Vanta, Drata, or your GRC platform of choice.
Ready to test your defenses?
Talk to our team about what your SOC 2 compliance requires.
Get a Fixed-Scope Quote
Tell us what you need tested. We reply within one business day.
Thanks, we've received your message.
We'll be in touch shortly.