What auditors actually look for in your pentest report, plus a checklist to keep your SOC 2 Type II spotless.
What SOC 2 actually requires
SOC 2 doesn't mandate pentesting by name, but Common Criteria CC4.1 and CC7.1 effectively require it for any service organization touching production data.
Auditors expect annual, independent testing with a defensible methodology and tracked remediation.
What the report must contain
Executive summary, scope, methodology, findings with CVSS scores, evidence, and remediation guidance. Bonus points for OWASP / CWE / CIS mappings.
A signed attestation letter on letterhead is the artefact auditors actually file.
Retests & remediation
Type II is about consistency. Auditors want to see findings tracked to closure and re-tested, not just acknowledged.
Choose a PTaaS partner that includes unlimited retests so closing findings doesn't blow your budget.