Pen Tests
Pen testing should only be required if your policies say you'll be performing them at some frequency. SOC 2 doesn't mandate pen testing (although it is a best practice). Costs: $8k+ for a one-time test.
You may have other options available, depending on how your controls are defined in your policies.
If you aren't hiring someone to break into the systems or socially engineer their way in, it's not a penetration test, no matter what the salespeople call it.
Where the confusion comes from:
The burden here relates to COSO Principle 16: "The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning."
Principles 16 and 17 are like a rule that says you need to keep checking all the doors and windows regularly to make sure they are still locked and working properly.
So, Principle 16 doesn't say you have to hire your friend (do a penetration test), but it's a good idea because it helps you make sure everything is really secure. Principle 17 then covers how you report the ongoing findings.
How to counter this:
Talk to your auditors.
- We use other mitigations to meet the requirements. Plan the policies accordingly. A sample statement for the auditors:
"We have chosen to meet the vulnerability detection requirement through a layered approach that includes automated vulnerability scans (weekly), secure SDLC practices (SAST/SCA in CI/CD), AWS Security Hub monitoring, and an annual external security review. These controls provide continuous coverage and are more effective for our cloud-native environment than a point-in-time pentest."
- Again, the catch is that this may look like you're running away from pentests (maybe to save on costs, or because you feel your systems aren't ready to handle them). [NEEDS ATTENTION]