Webinar: Is pentesting mandatory for SOC 2?

December 5, 2024

Amanda Levine

is a penetration test required for soc 2

As we enter 2025 and are met with a new wave of increasingly sophisticated cyber threats, businesses can no longer afford to treat security as an afterthought. In a recent live webinar featuring Thoropass’ Commercial Account Manager, Jenn Orlando, Penetration Testing Manager, Andrés Maroto, and Fractional CTO of Storeroom Logix & CEO of AgileVision.io, Vladimir Rudyi, unpacked the critical role of penetration testing in maintaining robust cybersecurity—especially for organizations navigating complex compliance landscapes like SOC 2.

The TL;DR? What isn’t mandatory might still be required… at least when it comes to penetration testing. Read on for more highlights from the discussion and watch the full webinar recording here.

Beyond automated vulnerability scans

Most organizations mistakenly believe that automated vulnerability scans provide comprehensive protection. But the reality, however, is far more nuanced. Andrés Maroto, Penetration Testing Manager at Thoropass, delivered a stark reminder:

The fundamental difference lies in the approach. While vulnerability scanners can detect surface-level weaknesses, penetration testing simulates real-world attacks. “Think of it as hiring an ethical hacker to try and break into your system the same way a malicious actor would,” Maroto explained.

The evolving threat landscape

Despite advancements in artificial intelligence (AI), human expertise still remains irreplaceable in cybersecurity. Maroto emphasized that AI still struggles with detecting complex vulnerabilities, particularly around:

Access control flaws
Intricate business logic vulnerabilities
Nuanced privilege-level explorations

Modern web applications built on complex frameworks like React and Angular present additional challenges. These dynamic environments require more than automated scanning—they demand sophisticated, human-driven testing strategies.

Pentesting is more than just a compliance checkbox

For many organizations, penetration testing might seem like another regulatory requirement. However, the panelists made it crystal clear that it’s about genuine security, not just checking boxes.

Vladimir Rudyi from AgileVision.io shared his organization’s perspective, noting that:

His experience highlighted that comprehensive testing isn’t optional—it’s fundamental.

Industry-specific imperatives

Some sectors face more stringent security demands. Healthcare, finance, education, and banking consistently prioritize penetration testing due to the sensitive nature of their data.

In healthcare, for instance, data breaches can have catastrophic consequences, making robust security testing not just a nice-to-have but an imperative to business success.

Learn more about healthcare security trends in this new report.

Audience questions and answers

One of the advantages of hosting a live webinar is that the audience can ask their questions and get answers right on the spot. Here were some of the most asked questions

Q: How often should we conduct penetration testing for SOC 2 Type 2?

A: Typically once a year, though some stakeholders might request more frequent testing.

Q: Do pentesters need to be on-site?

A: Most pentests are conducted remotely, but on-site testing is possible depending on the scope and client needs.

Q: What findings need to be remediated for SOC audits?

A: Critical and high-rated issues must be addressed according to your vulnerability policy, with recommended timelines of 7-14 days for critical issues.

The CREST certification difference

Thoropass’ recent CREST accreditation underscores our commitment to rigorous testing methodologies.

This certification isn’t just a badge—it represents a structured, professional approach to cybersecurity assessment.

Learn more about CREST certification here.

The bottom line: What isn’t mandatory still might be required

Penetration testing is no longer a luxury—it’s a necessity. In a digital landscape where threats evolve rapidly, organizations must be proactive, not reactive.

As Jenn Orlando from Thoropass succinctly put it,

not just satisfy compliance requirements.

Ready to dive in?

For organizations seeking to transform their cybersecurity approach, a comprehensive penetration test might be the strategic investment that prevents potentially devastating breaches. Talk to an expert today to learn more! And for a limited time, get 30% off any framework when you purchase a penetration test from Thoropass.

Learn more

Thoropass pentetration testing

Receive quality, audit-ready reports as fast as you can say “penetration testing”

Learn more

Stay connected

Subscribe to receive new blog articles and updates from Thoropass in your inbox.

Get compliant

Stay compliant

Compliance automation

Security audits

Integrations

Watch a demo of the platform

HealthTech

FinTech

SaaS

More industries

Some of the best money I ever spent. Thoropass and being compliant ended up helping us close our second-largest customer.

SOC 1

SOC 2

ISO 27001

GDPR

PCI DSS

HIPAA

HITRUST

Other Frameworks

If my previous audits were offered to me for free, I'd still pay for Thoropass.

Our advantage

Customer stories

Meet the experts

About

Careers

Partners

We provide the expertise—so you don't have to.

Blog

Events

More Resources

Guides

Scam Hunters

Get 30% of the way to SOC 2 audit with our policy generator