Pentest SOC 2 Type II — Trust Services Criteria
Pentest aceito por auditor SOC 2 Type II. Mapeamento direto CC4.1 (monitoring), CC7.1 (system operations), CC6.6 (change). Para cliente US enterprise.
Why now
The real pain
SaaS B2B brasileiro vendendo nos US precisa de SOC 2 Type II. Auditor americano (Deloitte, EY, BDO, KPMG, A-LIGN, Schellman) examina o relatório de pentest com lupa. Erro comum: empresa BR contrata fornecedor sem credencial, relatório é rejeitado, ciclo de 12 meses é perdido.
Standard and reference
/attack-surface
SOC 2 Type II
Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.
CC4.1 — Monitoring activities
Pentest como evidência de monitoring contínuo de controle.
CC7.1 — System operations
Validação de detecção, response, recovery.
CC6.6 — Change management
Pentest pós-mudança significativa, validação de regression.
CC6.1 — Logical access
MFA, RBAC, JIT access, off-boarding.
CC6.8 — Vulnerability management
Pentest periódico, retest, plano de remediação.
A1 (Availability), C1 (Confidentiality), P1 (Privacy)
Critérios adicionais conforme escopo SOC 2.
/methodology
Genuinely manual pentest
Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.
01 · Reconnaissance
Target mapping, OSINT, footprint, sector-specific threat modeling.
02 · Discovery
Deep enumeration, complementary scanning, manual exposure identification.
03 · Exploitation
Manual validation with controlled PoC, finding chaining, escalation.
04 · Report
Executive + technical, step-by-step replication, mapped to applicable regulation.
/why-trust
Who has trusted our work
SaaS B2B brasileiro com clientes US enterprise (Fortune 500), em ciclo SOC 2 Type II anual.
Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.
Douglas Lopes
Founder · CEO · intrus.io
/crivo · integrity program
of pentester candidates fail our Crivo screening
Do you know who's getting access to your environment?
NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.
- In-depth criminal, fiscal and professional verification
- Psychometric assessment and risk profile
- Practical integrity testing with controlled scenarios
- Fixed team — non-rotating, no 'stranger every engagement'
/faq
FAQ — SOC 2 Type II
Auditor americano aceita o relatório?
Sim. Modelo PCI/SOC-aligned em inglês, com mapeamento direto pra TSC e PoC reproduzível por finding.
Faixa de preço?
SaaS pequeno (1 produto): R$ 35-70k. Médio (multi-produto + integrations): R$ 70-150k. Enterprise: R$ 150-300k.
/contact
Cotar pentest SOC 2
Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.