System-bound scope
Align test targets with the services, infrastructure, software, people, data, and boundaries described by management.
Trust Services evidence
Generate bounded security-testing evidence for a SOC 2 readiness or examination process without representing a penetration test as a CPA attestation.
Align test targets with the services, infrastructure, software, people, data, and boundaries described by management.
Preserve the authorization, test period, methods, findings, owner responses, remediation, and retest results.
Only the independent licensed CPA firm conducting the examination issues the SOC 2 report and opinion.
SOC 2 is an examination performed by an independent CPA firm using the AICPA Trust Services Criteria. Security-testing evidence may be relevant to management’s controls and the auditor’s procedures, but Revaizor does not issue SOC 2 reports or opinions.
Before testing, ask management and the CPA firm what period, system boundary, criteria, control descriptions, and evidence attributes are relevant. This reduces the risk of producing a technically useful report that does not fit the examination scope.
A bounded penetration test does not establish that controls were suitably designed or operated effectively throughout a period. A report should describe tested conditions and limits, while management and the CPA determine relevance to the examination.
Versioned reports, ticket references, management responses, risk acceptances, and retest records can help reviewers follow each finding. Sensitive exploit details should be restricted to authorized recipients and handled according to the organization’s evidence-retention process.
No. SOC 2 is a CPA attestation, not a certification issued by Revaizor. Revaizor can support bounded technical testing and evidence generation.
Acceptance cannot be guaranteed. Align the scope and evidence attributes with management and the independent CPA firm before testing, and let the auditor determine relevance and sufficiency.
No. A test reflects its authorized scope and time. The CPA evaluates control design and operation using the examination criteria, period, and broader body of evidence.
Tell us the target type and desired outcome. Sensitive scope details are collected after qualification.
Request a scoped pentest