SOC 2 Penetration Testing Services

The entire experience with Blue Goat was outstanding. We just signed an annual contract with them. I recommend Blue Goat for anyone that develops web applications and needs a penetration test.
John Vance
VP, Product Development

Steps to Schedule Your SOC 2 Penetration Test:

We follow a seven-phase methodology designed to maximize our efficiency, minimize risk, and provide complete and accurate results. The seven phases of the methodology are:

  1. Planning and Preparation
  2. Reconnaissance / Discovery
  3. Vulnerability Enumeration / Analysis
  4. Initial Exploitation
  5. Expanding Foothold / Deeper Penetration
  6. Cleanup
  7. Report Generation


Our SOC 2 Penetration Test covers the OWASP Top 10 and all web vulnerabilities and exploits, including the following, at a minimum:
  • SQL injection (Blind, Inference, Classic, Compounded)
  • OS command injection (Informed, Blind)
  • Server-side code injection
  • Server-side template injection
  • Reflected XSS
  • Stored XSS
  • Reflected DOM issues
  • Stored DOM issues
  • File path traversal / manipulation
  • External / out-of-band interaction
  • HTTP header injection
  • XML / SOAP injection
  • LDAP injection
  • CSRF
  • Open redirection
  • Header manipulation
  • Server-level issues
Our SOC 2 Penetration Test also covers the CWE / SANS Top 25 programming errors, including the following, as applicable:
  • Improper Restriction of Operations within the Bounds of a Memory Buffer
  • Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Improper Input Validation
  • Information Exposure
  • Out-of-bounds Read
  • Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • Use After Free
  • Integer Overflow or Wraparound
  • Cross-site Request Forgery (CSRF)
  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • Out-of-bounds Write
  • Improper Authentication
  • NULL Pointer Dereference
  • Incorrect Permission Assignment for Critical Resource
  • Unrestricted Upload of File with Dangerous Type
  • Improper Restriction of XML External Entity Reference
  • Improper Control of Generation of Code (‘Code Injection’)
  • Use of Hard-coded Credentials
  • Uncontrolled Resource Consumption
  • Missing Release of Resource after Effective Lifetime
  • Untrusted Search Path
  • Deserialization of Untrusted Data
  • Improper Privilege Management
  • Improper Certificate Validation


We think it is better to have an ethical hacker find the holes in your enterprise than an adversary. Our SOC 2 Penetration Testing provides details on exploitable vulnerabilities in a prioritized, tangible manner. Our report allows you to better understand what your environment looks like from an attacker's perspective. This helps you prioritize efforts to mitigate risk and reduce the likelihood or impact of a breach.

Not only do our SOC 2 Penetration Testing Services show you what your attack surface looks like to an adversary, but they can also be used as a safe way to test your organization’s Incident Response (IR) and digital forensics capabilities. Our Penetration Testing services can be used to tune and test your security controls, such as your IDS, firewall, endpoint security, router ACLs, etc.


The SOC 2 Penetration Test Report includes the IP addresses, URLs, mobile apps, and APIs tested, vulnerabilities discovered, steps taken during the assessment, exploitable areas discovered, and prioritized recommendations. For any systems we are able to exploit, an “Attack Narrative” section discusses step by step the process we used to gain access, escalate privileges, etc.

Below is a high-level comparison of SOC 2 Type I and SOC 2 Type II:

  • SOC 2 Type I – an audit of management’s description of a service organization’s system and the suitability of the design (documentation) of controls. A SOC 2 Type I audit looks at “a point in time” of the systems in scope, how the management of the organization describes the systems, and what controls are in place around the systems. An auditor will issue an opinion (attestation) based on management’s description of the controls and a review of the documentation (artifacts provided) around these controls.
  • SOC 2 Type II – an audit of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. A SOC 2 Type II audit looks at how the controls are described and used over a minimum six-month time frame. The intent is to determine whether the controls are functioning as described by management. An auditor will test the controls and provide an opinion (attestation) based on management’s description versus the operating effectiveness (test results) of the controls.

Although SOC 2 only specifies a penetration test every 180 days, we recommend a quarterly program that includes validation testing.
