Penetration Testing: Hard Requirement or Best Practice?

Shannon (Vanta Team Member)

A common question we receive at Vanta is in regard to penetration testing. Vanta users are unsure if it is a hard requirement for their audit or a best practice for security.

It's important first to understand what penetration testing is. 

Penetration testing (pen testing) is a type of security testing where a simulated attack is carried out on a computer system, network, or application to identify weaknesses. A penetration test aims to identify issues and resolve them before someone with malicious intent finds and exploits them. To put it simply, your organization hires an ethical hacker to test your system before an unethical hacker exploits any vulnerabilities.

In your Vanta account, you will see requests for the following pieces of information:

Documents: Penetration test report
Tests: Records of penetration testing
Controls: Security controls evaluated

These items are not required for your SOC 2 or HIPAA audit but are considered a best practice to maintain a strong security posture. 

  • Sarah Wilkey (Community Founding Member)

    Very interesting, I have never looked at the control mapping, but just assumed it was required. Good to know!

    Shannon, does Vanta have any penetration testing partners/recommendations?

  • Shannon (Vanta Team Member)

    Hi Sarah Wilkey!

    That's such a great question. We have a list of partners we work with, here. We have quite a few options to make sure that users can pair with a company that fits their needs. (Some of these partners even offer a discount to Vanta customers!)

  • Lucien Pinto (Community Founding Member)

    Thank you so much, Shannon, for this list!
