For compliance leaders

Penetration testing your auditor will accept on first read.

A senior-led test mapped directly to your framework. Findings ship with the relevant control reference in the title line — SOC 2 trust criteria, ISO 27001 Annex A, PCI DSS requirements, HIPAA safeguards. The retest validates the fix before audit field work opens, included in scope.

Is this the engagement you need?

You're probably here because of one of these.

A SOC 2, ISO 27001, PCI DSS, or HIPAA audit window is approaching.

Your auditor's control list expects a current penetration test as evidence, and your existing report is either stale or absent.

A prior audit had follow-up evidence asks.

You want this round to close on first read instead of generating a second cycle of evidence collection mid-field-work.

A customer security questionnaire references pentest report dates.

Procurement is asking when your last pentest ran and what is in scope. The date on your current report is older than the questionnaire expects.

Your compliance program is expanding.

A new framework, an additional control set, a new product line, or an extended audit boundary — you need pentest coverage that matches the new scope.

A finding from another source needs validating.

An internal red-team note, a customer-reported issue, or a bug-bounty finding raised the question of what else may exist. You want a current picture of the environment's state before audit field work.

If any of these match where you are right now, the rest of this page is for you.

How an engagement runs

Four steps, sequenced to your audit window.

  STEP 01

    Scoping call (30 minutes)

    We walk your framework version, your audit window, the auditor's expectations, and the control IDs that depend on a current pentest as evidence. You leave with a fixed scope, a fixed price, and a delivery date sequenced to your audit field work.

  STEP 02

    Hands-on testing

    A senior tester runs the engagement end-to-end. Findings are tagged with the relevant control reference in the title line, not relegated to a back-of-report appendix. A live channel stays open for clarification during your audit field work if your auditor has questions.

  STEP 03

    Report your auditor will accept

    Three audiences, one document. A board summary. A control-mapped executive section for the audit pack. A developer section your engineering team works from. The evidence package arrives field-work ready.

  STEP 04

    Retest before audit

    After your engineering team ships the fixes we retest the affected items and update the report — included in scope. The version your auditor reads reflects the post-fix state, not the test-day state.

Honest answers to compliance-leader questions

Things compliance leaders ask before they hire us.

"Will this be ready in time for my audit?"

We sequence engagements to your audit window. Most engagements deliver the report two to three weeks before field work, with the retest landing in the final week before field work opens. If your timeline is too tight to do it right, we say so on the scoping call rather than after the SOW is signed.

"Will my auditor accept this report on first read?"

Our reports map findings to the control IDs of your specific framework version. Clients consistently use these reports as audit evidence without rework or follow-up evidence asks. References from past audit acceptances are available after the scoping call.

"Do you map to my framework version specifically?"

Yes. SOC 2 (TSC 2017 and 2022), ISO 27001:2013 and 27001:2022, PCI DSS v3.2.1 and v4.0, HIPAA Security Rule. We confirm the framework version on the scoping call and write the report against the version your auditor cites.

"What if we are mid-transition between framework versions?"

We map findings to both versions where it matters, so your auditor sees one report regardless of which version your assessor is operating against this cycle.

"What if a critical finding surfaces during audit field work?"

Same-day disclosure to your designated contact. We can hold the finding in confidence for the duration of field work if appropriate, or coordinate disclosure with your auditor under a documented disclosure protocol agreed up front.

A real story.

“We had a SOC 2 Type II audit and an ISO 27001 certification audit in the same calendar quarter. CyberGuards scoped a single engagement that covered both control sets, mapped every finding to both frameworks in the title line, and delivered the retest two weeks before our SOC 2 field work opened. Both auditors closed every pentest-related control on first read. We did not file a single exception.”

Director of Compliance · 200-person fintech

Not ready to scope a call yet?

Download the Pentest Audit-Evidence Checklist — twelve items every pentest report needs to contain for your auditor to close the relevant controls on first read. Each item mapped to SOC 2, ISO 27001, PCI DSS, and HIPAA, plus the common reason auditors send pentest reports back when the item is missing.

  • Use it as a pentest-vendor scoping checklist before you sign your next SOW.
  • Use it as an audit-readiness review on a pentest report you already have.
  • Read the three items pentest reports fail on most often — and how to avoid each.

No spam. We do not share your email. Direct PDF download — no inbox round-trip.

Want to walk your audit window with our lead pentester?

A 30-minute call to walk your framework, your audit timing, and the control IDs that depend on a current pentest. We come back with a fixed scope, fixed price, and a delivery date sequenced to your field work.