SOC 2 Type II auditors scrutinize your vulnerability management program across the full audit period. The days of point-in-time scans satisfying auditors are over. KENSAI provides the continuous evidence trail that modern SOC 2 audits require.
Start SOC 2 Assessment → Book a DemoSOC 2 is based on the AICPA's Trust Services Criteria (TSC). Vulnerability management evidence is required primarily under the Common Criteria (CC) related to system operations and change management:
The entity uses detection and monitoring procedures to identify changes to configurations, new vulnerabilities, and anomalies. Auditors want to see: ongoing vulnerability scanning, documented processes, and evidence that monitoring is continuous — not just quarterly.
Security incidents (including exploitation of vulnerabilities) are identified and responded to. Vulnerability management feeds directly into the incident response process.
Changes to infrastructure, data, software, and processes are authorized, designed, developed, documented, tested, reviewed, and implemented. Vulnerability scanning after changes is expected evidence.
The entity selects and develops risk mitigation activities including vulnerability identification and remediation. This is where your vulnerability prioritization and remediation SLAs are evaluated.
💡 Type I vs Type II: SOC 2 Type I is a point-in-time assessment. Type II covers a period (typically 6-12 months). For Type II, auditors will sample vulnerability scan evidence from throughout the audit period and look for consistent, repeatable execution. A single scan in month 11 won't pass.
Based on common auditor requests across SOC 2 engagements, here's what you'll need to provide:
| Evidence Type | Frequency | What Auditors Want |
|---|---|---|
| Vulnerability scan results | Monthly or continuous | Timestamps, scope, findings count, severity breakdown |
| Penetration test report | Annual | Methodology, scope, findings, remediation status |
| Remediation tracking | Continuous | Ticketing trail from discovery to fix to retest |
| Patch management records | Continuous | Critical patches applied within SLA (typically 30 days) |
| Vulnerability management policy | At audit | Written policy with severity definitions and remediation SLAs |
| Risk acceptance documentation | Per exception | Signed risk acceptance for unpatched known vulnerabilities |
While SOC 2 doesn't explicitly mandate penetration testing frequency, virtually all credible SOC 2 reports include annual penetration testing evidence. Auditors view this as evidence of a mature vulnerability management program.
Key requirements for SOC 2 pentest evidence:
Daily or weekly scans with timestamped reports provide the continuous evidence trail SOC 2 Type II auditors require across the full audit period.
Define and track remediation SLAs by severity. KENSAI generates reports showing compliance with your documented vulnerability remediation timelines.
Trigger scans automatically after infrastructure changes to meet CC8.1 requirements for security testing of changes.
Export scan history, remediation metrics, and trend analysis in formats designed for auditor review. Reduce audit prep time significantly.
Document risk acceptance decisions for vulnerabilities that cannot be immediately remediated, with approver signatures and review dates.
Demonstrate to auditors that all in-scope systems are covered by your vulnerability management program with comprehensive asset inventory.
KENSAI provides the continuous vulnerability scanning, remediation tracking, and auditor-ready reporting that SOC 2 Type II requires. Start building your evidence trail today.
Start SOC 2 Compliance → Talk to a Compliance Expert