Penetration testing finds the security gaps you need to close so you ace your audit.
No more guesswork
Get an outside perspective
Strengthen your security year after year
Here’s how a pen test works
Secure your infrastructure in three steps
Define your scope
We test your defenses
Get your results
Protecting the world’s leading brands
Conquer security. Streamline compliance.
Dig into the details
Learn more about penetration testing and all the other ways we support our clients in their compliance journey
What happens during a pen test? Do I need to prepare?
During a pen test, an ethical hacker (the pen tester) simulates a real attack against your systems. If they get in, they attempt to reach the most sensitive data they can and, when your internal team has not been told the test is running, measure how long it takes that team to notice an intruder is on the network.
To prepare, you define the scope of the pen test and give the pen tester the information they need about your environment, such as the systems and applications in scope and any test accounts. After the test, the findings are shared with management and the IT team, with recommendations prioritized by severity so your team can address critical issues first.
How often should a pen test be performed?
A pen test should be performed at least annually, and again whenever one of the following occurs:
- A significant change or addition to your infrastructure or applications
- A change to end-user access policies (permissions or roles)
Some organizations with a fairly static environment and code base may only need to test every other year. However, there may be compliance or regulatory factors that require annual testing. Every Strike Graph customer receives an annual pen test as part of their subscription to ensure their security posture is rock solid.
Is a pen test the same as a vulnerability scan? Do I need both?
A pen test simulates a real attacker gaining access to your environment, whether an outsider or a malicious insider, and assesses how well your security controls hold up under attack. Pen testers follow a formal, repeatable process to infiltrate the target, exploit what they find, and report the results.
A vulnerability scan is one of the activities a pen test includes, but on its own it is an automated check of your network and related systems against a database of known vulnerabilities: it identifies weaknesses but does not exploit them. Because scans are automated, they are typically run far more often than pen tests.
Both produce actionable findings. The difference is that a pen test simulates a live attack and shows what an attacker could actually do with a weakness, whereas a vulnerability scan only lists the weaknesses present in your systems. A well-rounded security program uses both.
Does my SOC 2 audit require a pen test?
Penetration testing is not an explicit requirement for SOC 2 compliance. However, you do need to demonstrate that controls are in place to detect and prevent unauthorized access to systems, applications, and data, and a pen test is strong evidence that those controls work. Alongside a pen test, consider periodic vulnerability scans to address your unique IT risks; this can further streamline your audit.
Can’t find the answer you’re looking for? Contact our team!
Check out more helpful guides from the Strike Graph team!