Insights

Research and data on how penetration testing actually gets done.

No breach statistics, no FUD, no copy-pasted vendor surveys. Original synthesis and citable data for security and compliance leaders making real budget decisions.

Reports and research

Annual · Q2 2026 Live

State of SOC 2 Penetration Testing 2026

How SOC 2 pentest expectations have evolved across the AICPA 2017 Trust Services Criteria, the OWASP API Top 10 v2023 update, and PCI DSS v4.0.1. Five sections covering compliance overlap, manual-vs-automated coverage gaps, scope-pattern data, the read audience for a pentest report, and the retest gap.

Editorial policy

How we source and cite.

  • Every claim links to the primary source — AICPA, PCI Security Standards Council, OWASP, NIST, MITRE — not to a vendor blog.
  • Aggregate engagement data is anonymized and presented in ranges, never with identifying customer detail.
  • We do not cite breach statistics or the Verizon DBIR. Risk framing comes from the standards themselves, not from doom marketing.
  • Each report carries a publication date and a "Last reviewed" timestamp. We refresh annually or when an underlying standard changes.

Want the next report delivered when it ships?

One short email per quarter — never weekly. Reply with the subject your team needs us to cover next.