SOC 2 penetration testing

CC4.1 and CC7.1 evidence. Trust Services Criteria. Auditor-aligned. Type II ready.

The SOC 2 Trust Services Criteria do not literally require a penetration test. The points of focus under CC4.1 do name penetration testing as an example of a separate evaluation, and nearly every CPA firm performing a SOC 2 Type II engagement asks for one as the primary evidence for CC4.1 (monitoring activities) and CC7.1 (detection of new and known vulnerabilities). Cyber Node delivers that evidence for Australian SaaS and FinTech businesses selling into US enterprise customers.

What auditors actually ask

Where pen testing lands in the TSC

The AICPA's 2017 Trust Services Criteria (with the 2022 points of focus update) are principles-based. The Common Criteria below are where pen test evidence is expected.

  • CC4.1 Monitoring of controls

    "The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning." The additional point of focus for this criterion lists penetration testing, independent certifications (for example ISO) and internal audit as the kinds of separate evaluation management uses, which is why auditors expect a pen test report here.

  • CC7.1 Detection of system vulnerabilities

    CC7.1 requires detection and monitoring procedures that identify configuration changes introducing new vulnerabilities and susceptibility to newly discovered ones; its points of focus include conducting vulnerability scans. The pen test report evidences that susceptibilities are being identified, and the retest evidences that they were acted on.

  • CC6.1, CC6.6, CC6.7 Logical access controls

    Authentication, authorisation and session testing validates these criteria. Findings typically reflect broken access control (for example, one tenant reading another's records), privilege escalation paths, or session management gaps such as tokens that survive logout.

  • CC7.2, CC7.3 Incident handling and response

    Pen test activity generates the signal that exercises detection and response. If the engagement produces no alert and no ticket, that absence is itself a finding against these criteria, and the report says so.

  • CC8.1 Change management

    Testing after significant change supports this criterion. Most CPA firms expect retesting when material architectural change lands within the observation window, so schedule the test after the release ships, not before.

What we deliver, what we refer

SOC 2 engagement scope, honestly

In scope for Cyber Node

Technical testing and CPA coordination

  • SaaS web app and API testing

  • Cloud infrastructure review (AWS, Azure, GCP)

  • Identity and access testing

  • Auditor walkthrough with your CPA firm

  • Findings mapped to TSC points of focus

  • Evidence upload into Vanta or Drata

Out of scope, we refer

Attestation and control implementation

  • SOC 2 attestation (Type I or Type II)

    Must be performed by an independent CPA firm. We refer.

  • TSC gap assessment and readiness work

    Vanta and Drata partners, or SOC 2 consultancies.

  • Policy and procedure authoring

    Platform templates through Vanta, Drata, or equivalents.

  • Continuous control monitoring

    Vanta, Drata.

  • Type II observation window management

    Your CPA and implementation partner.

SOC 2 FAQ

Questions from Australian SaaS buyers

Does SOC 2 require a penetration test?

No, not literally. The Trust Services Criteria do not explicitly require a pen test. In practice, nearly every CPA firm performing a SOC 2 Type II engagement asks for pen test evidence as part of CC4.1 (monitoring activities) and CC7.1 (detection of new and known vulnerabilities). Cyber Node delivers that evidence.

What is the difference between Type I and Type II?

Type I is a point-in-time report; Type II covers an observation window (typically six to twelve months). Most US enterprise customers only accept Type II. Pen test evidence is usually an input to both, but it carries greater weight in a Type II, where auditors expect the test date and the remediation evidence to fall within the observation window.

Do you work with US CPA firms?

Yes. We work with US CPA firms performing SOC 2 Type II engagements for Australian SaaS clients. Reports are formatted for auditor walkthroughs and we join the CPA's session where it is useful.

Can one test cover both SOC 2 and ISO 27001?

Yes. A scoped web app and infrastructure test typically evidences SOC 2 CC4.1 and CC7.1 alongside ISO 27001:2022 Annex A controls A.8.8 (management of technical vulnerabilities) and A.8.29 (security testing in development and acceptance). The report is mapped to both frameworks.

Do you work with Vanta and Drata?

We upload pen test evidence into your Vanta or Drata instance and work alongside your implementation partner. We do not sell the platforms or deliver the ISMS implementation itself; that sits with Vanta/Drata partners and GRC consultancies.

SOC 2 engagement

Evidence your US customers will accept