Trust Services evidence

Penetration testing evidence for SOC 2

Generate bounded security-testing evidence for a SOC 2 readiness or examination process without representing a penetration test as a CPA attestation.

System-bound scope

Align test targets with the services, infrastructure, software, people, data, and boundaries described by management.

Dated evidence

Preserve the authorization, test period, methods, findings, owner responses, remediation, and retest results.

CPA-led conclusion

Only the independent licensed CPA firm conducting the examination issues the SOC 2 report and opinion.

Understand the assurance model

SOC 2 is an examination performed by an independent CPA firm using the AICPA Trust Services Criteria. Security-testing evidence may be relevant to management’s controls and the auditor’s procedures, but Revaizor does not issue SOC 2 reports or opinions.

Coordinate evidence expectations early

Before testing, ask management and the CPA firm what period, system boundary, criteria, control descriptions, and evidence attributes are relevant. This reduces the risk of producing a technically useful report that does not fit the examination scope.

  • Match assets and services to management’s approved system description.
  • Record when testing occurred and whether changes followed during the examination period.
  • Keep remediation and retest evidence distinct from the original observation.

Avoid overgeneralizing test results

A bounded penetration test does not establish that controls were suitably designed or operated effectively throughout a period. A report should describe tested conditions and limits, while management and the CPA determine relevance to the examination.

Support a durable evidence trail

Versioned reports, ticket references, management responses, risk acceptances, and retest records can help reviewers follow each finding. Sensitive exploit details should be restricted to authorized recipients and handled according to the organization’s evidence-retention process.

Frequently asked questions

Does Revaizor provide SOC 2 certification?

No. SOC 2 is a CPA attestation, not a certification issued by Revaizor. Revaizor can support bounded technical testing and evidence generation.

Will an auditor accept a Revaizor report?

Acceptance cannot be guaranteed. Align the scope and evidence attributes with management and the independent CPA firm before testing, and let the auditor determine relevance and sufficiency.

Does one clean pentest prove controls operated for the full period?

No. A test reflects its authorized scope and time. The CPA evaluates control design and operation using the examination criteria, period, and broader body of evidence.

Define your next security mission

Tell us the target type and desired outcome. Sensitive scope details are collected after qualification.

Request a scoped pentest