Originally published by MJD.Written by Mike DeKock, CPA. We get asked a lot about whether penetration testing is required to complete a SOC 2 report. The short version of the answer is “no” - there are no explicit requirements for penetration testing (or any controls) within a SOC 2 report. The longer version is nuanced but generally gets answered by asking a few questions: Do you have any customer contracts requiring a penetration test? If yes, then it’s required. Granted, that one is easy, ...