SOC 2 reports come in two types - Type I (control design at a point in time) and Type II (operating effectiveness over a 3-12 month period). CyberFortify's offensive testing evidence is core to satisfying CC6.1 and CC7.1 in both report types.
// 01 What SOC 2 actually is
An attestation report under AICPA SSAE 18 standard, covering a service organisation's controls relevant to one or more of the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Two report types: Type I (control design as of a point in time) and Type II (operating effectiveness over a period, typically 3-12 months).
SOC 2 is dominant in the US SaaS market. Most enterprise-buyer security questionnaires now ask "do you have a SOC 2 Type II?" before they ask anything else. Unlike ISO 27001, SOC 2 is an attestation rather than a certification - the auditor opines on whether your controls are designed (Type I) or operating (Type II) appropriately. The deliverable is an attestation report, not a certificate.
// 02 The five Trust Services Criteria
Security (Common Criteria)
The mandatory category. Includes 33 Common Criteria (CC1.x - CC9.x) covering control environment, risk assessment, monitoring, communication and the Common Controls.
Availability
System uptime, capacity, environmental protection, backup. Often added for SaaS infrastructure providers.
Processing Integrity
Completeness, validity, accuracy, timeliness of processing. Relevant for transaction processors, payment platforms.
Confidentiality
Information designated confidential is protected. Relevant for B2B SaaS handling enterprise customer data.
Privacy
Personal information lifecycle aligned with the AICPA Generally Accepted Privacy Principles. Less common.
// 03 How pen testing satisfies SOC 2 Common Criteria
Three Common Criteria are directly satisfied by penetration testing evidence on every CyberFortify engagement.
Logical and physical access controls
"The entity implements logical access security software, infrastructure and architectures over protected information assets to protect them from security events." Pen testing validates the effectiveness of these controls in production.
Direct evidenceDetection of security events
"To meet its objectives, the entity uses detection and monitoring procedures to identify... potential security events." Pen testing - and especially red teaming - tests the effectiveness of detection.
Detection evidenceMonitoring system components
"The entity monitors system components and the operation of those components for anomalies." Penetration testing produces controlled anomalous traffic auditors review against detection logs.
Telemetry testChange management
Pen testing after material changes is the technical evidence change-management controls function. CyberFortify's free remediation retest closes this loop.
Post-change// 04 The Type I → Type II progression
Most organisations begin with Type I and progress to Type II within 6-12 months. CyberFortify's testing cadence is designed to align with this progression.
The Type II report is what enterprise buyers actually want to see. Type I is a useful step but rarely terminal - plan the Type II audit window from day one of your SOC 2 programme.
CyberFortify compliance practice// 05 Frequently asked questions
How long does a SOC 2 Type II audit take?
The audit period itself is typically 3, 6 or 12 months. Total elapsed time from gap assessment to issued report is typically 9-18 months for a first Type II.
Do auditors require pen testing?
CC7.1 and CC8.1 do not name penetration testing explicitly, but every reputable SOC 2 auditor expects pen testing as evidence of detection capability and change-management effectiveness. The big-four and second-tier auditors uniformly require it.
How does SOC 2 compare to ISO 27001?
SOC 2 is an attestation; ISO 27001 is a certifiable management system. Many CyberFortify customers run both. We can produce evidence acceptable to both audits from a single offensive engagement.