Short answer: no. SOC 2 does not explicitly require a penetration test. Longer answer: try showing up to a SOC 2 Type II audit without one and see what happens. Or better yet, try sending your SOC 2 report to an enterprise security team without a pentest to accompany it and see how far you […]
Does SOC 2 Actually Require a Pentest? The Honest Answer. Read More »
If you have been a CTO at a HealthTech company for more than a year, you have probably already been through at least one pentest. You know the drill — scoping call, NDA, test credentials, findings report, retest. You have seen what a good engagement looks like and what a bad one looks like. You
What a HealthTech CTO Should Actually Demand From a Pentest Vendor Read More »
The email arrived on a Tuesday. Your enterprise prospect’s security team needs a penetration test report before they can move the deal to legal review. They want it in two weeks. Your first instinct might be to panic. Your second might be to Google “fast pentest” and click on whatever comes up first. Both are
How to Scope a Pentest When You Have Two Weeks Before a Prospect Deadline Read More »
You were making progress on a deal. The demo went well, pricing was aligned, and the prospect seemed genuinely interested. Then an email arrived from someone on their security or procurement team with a spreadsheet attached. Somewhere between 50 and 300 questions about your encryption standards, access controls, incident response process, and whether your platform
You were in the middle of a promising enterprise sales conversation when the prospect’s security team sent over a vendor questionnaire. Most of it was manageable. Then you hit question 14: “Please provide your most recent penetration test report, including scope, methodology, key findings, and remediation status.” You did not have one. Or you had
Your Enterprise Client Asked for a Pentest Report. Now What? Read More »
When a SaaS founder signs up for Vanta or Drata, the pitch is compelling and genuinely accurate: connect your cloud environment, sync your tools, and watch the platform automate the evidence collection that would otherwise take your team hundreds of hours. Dashboard turns green. Readiness score climbs. You book an auditor feeling like the hard
Vanta Can’t Answer Your Auditor’s Questions. Here’s Who Does. Read More »
The report arrived. Your auditor issued a clean opinion. You sent it to the prospect who had been waiting on it for six weeks, the deal moved forward, and your team felt a genuine sense of relief. Then about two weeks later, someone asked a question that nobody had a clean answer to. “So who’s
You Got Your SOC 2 Report. Now Who’s Actually Running Your Compliance Program? Read More »
You did the right things. You signed up for Vanta, connected your AWS environment, synced your HR tool, and watched the dashboard turn green. You spent weeks chasing down control owners, got your policies published, and pushed your readiness score above 90%. You booked an auditor. You felt ready. Then audit week arrived. The auditor
The Part of SOC 2 Audit Prep That No Platform Can Do For You Read More »
You just got a serious conversation going with a hospital system, a large health plan, or a digital health platform that has enterprise customers of their own. The call went well. The product demo landed. And then someone on their security team sent over a vendor questionnaire with 80 questions about your data handling practices,
As we move through 2026, the gap between passing an audit and being secure has never been wider. For SaaS and MedTech founders, the pressure to maintain compliance is at an all time high, but the threat landscape has evolved beyond what standard automated tools can detect. At Packet33, we have observed a shift in
The 2026 Pentest: Why Manual Logic Validation Outperforms Automated Scans Read More »
