SOC 2 Type II

SOC 2 Security Testing & Vulnerability Management

SOC 2 Type II auditors scrutinize your vulnerability management program across the full audit period. The days of point-in-time scans satisfying auditors are over. KENSAI provides the continuous evidence trail that modern SOC 2 audits require.

Start SOC 2 Assessment → Book a Demo

SOC 2 Common Criteria for Vulnerability Management

SOC 2 is based on the AICPA's Trust Services Criteria (TSC). Vulnerability management evidence is required primarily under the Common Criteria (CC) related to system operations and change management:

CC7.1 — System Monitoring

The entity uses detection and monitoring procedures to identify changes to configurations, new vulnerabilities, and anomalies. Auditors want to see: ongoing vulnerability scanning, documented processes, and evidence that monitoring is continuous — not just quarterly.

CC7.2 — Incident Response

Security incidents (including exploitation of vulnerabilities) are identified and responded to. Vulnerability management feeds directly into the incident response process.

CC8.1 — Change Management

Changes to infrastructure, data, software, and processes are authorized, designed, developed, documented, tested, reviewed, and implemented. Vulnerability scanning after changes is expected evidence.

CC9.2 — Risk Mitigation

The entity selects and develops risk mitigation activities including vulnerability identification and remediation. This is where your vulnerability prioritization and remediation SLAs are evaluated.

💡 Type I vs Type II: SOC 2 Type I is a point-in-time assessment. Type II covers a period (typically 6-12 months). For Type II, auditors will sample vulnerability scan evidence from throughout the audit period and look for consistent, repeatable execution. A single scan in month 11 won't pass.

What SOC 2 Auditors Actually Ask For

Based on common auditor requests across SOC 2 engagements, here's what you'll need to provide:

Evidence TypeFrequencyWhat Auditors Want
Vulnerability scan resultsMonthly or continuousTimestamps, scope, findings count, severity breakdown
Penetration test reportAnnualMethodology, scope, findings, remediation status
Remediation trackingContinuousTicketing trail from discovery to fix to retest
Patch management recordsContinuousCritical patches applied within SLA (typically 30 days)
Vulnerability management policyAt auditWritten policy with severity definitions and remediation SLAs
Risk acceptance documentationPer exceptionSigned risk acceptance for unpatched known vulnerabilities

Penetration Testing for SOC 2

While SOC 2 doesn't explicitly mandate penetration testing frequency, virtually all credible SOC 2 reports include annual penetration testing evidence. Auditors view this as evidence of a mature vulnerability management program.

Key requirements for SOC 2 pentest evidence:

How KENSAI Supports SOC 2 Compliance

✓ Continuous Scanning Evidence

Daily or weekly scans with timestamped reports provide the continuous evidence trail SOC 2 Type II auditors require across the full audit period.

✓ Remediation SLA Tracking

Define and track remediation SLAs by severity. KENSAI generates reports showing compliance with your documented vulnerability remediation timelines.

✓ Change-Triggered Scanning

Trigger scans automatically after infrastructure changes to meet CC8.1 requirements for security testing of changes.

✓ Auditor-Ready Reports

Export scan history, remediation metrics, and trend analysis in formats designed for auditor review. Reduce audit prep time significantly.

✓ Risk Acceptance Workflow

Document risk acceptance decisions for vulnerabilities that cannot be immediately remediated, with approver signatures and review dates.

✓ Asset Coverage Reports

Demonstrate to auditors that all in-scope systems are covered by your vulnerability management program with comprehensive asset inventory.

Building a SOC 2-Ready Vulnerability Management Program

  1. Define your vulnerability management policy — Document severity definitions, remediation SLAs (e.g., Critical: 7 days, High: 30 days, Medium: 90 days)
  2. Inventory all in-scope assets — Complete asset inventory is the foundation; you can't scan what you don't know about
  3. Implement continuous scanning — At minimum weekly scans; daily preferred for internet-facing systems
  4. Establish remediation workflows — Tickets, owners, deadlines, and closure criteria with evidence
  5. Annual penetration testing — Engage a qualified third party at least annually
  6. Document exceptions — For vulnerabilities that cannot be immediately remediated, document risk acceptance with business justification
  7. Demonstrate trend improvement — Auditors want to see a program that's improving over time, not static

Pass Your SOC 2 Audit With Confidence

KENSAI provides the continuous vulnerability scanning, remediation tracking, and auditor-ready reporting that SOC 2 Type II requires. Start building your evidence trail today.

Start SOC 2 Compliance → Talk to a Compliance Expert

Related Articles

EU Commission Investigates AWS Cloud Breach, Council Sanctions Chinese & Iranian CISA: Langflow CVE-2026-33017 Actively Exploited, UK Sanctions Xinbi $19.9B Cryp Redirecting...