Your auditor wants to see specific controls. We've mapped each CyberGrid deliverable to the exact framework references they're looking for — SOC 2, ISO 27001, PCI DSS, HIPAA. Hand them the report. They know where it goes.
For Type II reports, your auditor needs evidence of operating effectiveness over time. A CyberGrid pen test (or quarterly automated assessment) lands directly in the evidence file for the CC-series Common Criteria below — the controls most companies struggle to evidence without a third-party test.
| Control | Criterion | What CyberGrid evidences | Applicable to |
|---|---|---|---|
| CC4.1 | Monitoring activities — entity demonstrates control monitoring | Annual pen-test report + quarterly automated-assessment reports demonstrate that the entity monitors the design and operating effectiveness of its security controls through independent testing. | Both |
| CC6.1 | Logical access — restrict logical access to information assets | Pen test specifically tests for IDOR, broken access control, privilege escalation, and authentication bypass. The report documents which access controls were tested and the findings (open / fixed). | Pen test |
| CC6.6 | Logical access — protects against external threats | External penetration test of internet-facing systems demonstrates that external attack vectors have been evaluated. Automated assessment provides ongoing coverage between tests. | Both |
| CC6.7 | Transmission & movement of data | testssl.sh + nuclei TLS templates verify TLS configuration; pen test verifies application-layer enforcement (cookie flags, transmission over HTTPS, mixed content). | Both |
| CC7.1 | System monitoring — detect configuration changes and susceptibility to newly discovered vulnerabilities | Quarterly automated assessment directly evidences ongoing vulnerability detection across the in-scope surface. The pen-test report identifies gaps in detection (e.g., absent rate limiting, no WAF alerting). | Both |
| CC7.2 | System monitoring — anomalies are evaluated & addressed | Pen-test identifies whether the system would detect / alert on anomalous activity. Retest report demonstrates that identified anomalies were addressed. | Pen test |
| CC8.1 | Change management — identify, design, develop, secure changes | Pen test conducted on production-like environment validates that the change-management process produces secure changes. Findings indicate gaps in the secure-development pipeline. | Pen test |
| A1.2 | Availability — protects against environmental disruption (where elected) | External-perimeter scan identifies exposed services and CVEs that could be exploited for DoS / availability impact. | Automated |
| C1.1 | Confidentiality — identifies & maintains confidential information (where elected) | Pen test verifies that confidential data (PII, business-confidential records) is not exposed via the application surface — broken authorization, info disclosure, log leakage. | Pen test |
Many SOC 2 auditors accept a third-party pen-test report as the primary evidence for CC4.1 (monitoring), CC6.1 (logical access), and CC6.6 (external threats), provided the report is dated within the audit period and the scope covers the in-scope systems. We map every finding to the relevant Trust Service Criterion in the report appendix — your auditor pulls the appendix into their evidence collection.
ISO 27001:2022 restructured Annex A and introduced several controls with a technical-testing flavour, including A.5.7 (threat intelligence) and A.8.16 (monitoring activities). A.8.8 (management of technical vulnerabilities), A.5.7 and A.8.29 (security testing in development and acceptance) are the controls a CyberGrid engagement most directly evidences.
| Control | Title | What CyberGrid evidences | Applicable to |
|---|---|---|---|
| A.5.7 | Threat intelligence | Quarterly automated assessment incorporates current threat-intelligence feeds (nuclei-templates is updated daily with new CVE checks). Pen-test methodology incorporates current MITRE ATT&CK technique coverage. | Both |
| A.5.23 | Information security for use of cloud services | External scan + pen test validate that cloud-hosted services are configured per provider security guidance (no exposed admin panels, no public storage buckets, etc.). | Both |
| A.8.8 | Management of technical vulnerabilities | Direct evidence: documented vulnerability identification process. The pen-test report + automated assessment reports + retest reports demonstrate the full vulnerability-management lifecycle (identification, severity rating, remediation, verification). | Both |
| A.8.9 | Configuration management | Scan + pen test identify configuration drift, weak defaults, exposed admin interfaces, and known-bad configurations. | Both |
| A.8.12 | Data leakage prevention | Pen test verifies that sensitive data is not exposed via application endpoints, error messages, or response headers. | Pen test |
| A.8.16 | Monitoring activities | Pen test specifically probes whether monitoring is operating effectively (e.g., does brute-force testing trigger any alert? Does anomalous behavior surface in logs?). Findings inform monitoring improvements. | Pen test |
| A.8.24 | Use of cryptography | testssl.sh validates TLS protocol versions, cipher suites, certificate chain, and HSTS. Pen test validates that cryptography is correctly applied at the application layer (no plaintext secrets, no weak randomness). | Both |
| A.8.25 | Secure development life cycle | Pen test conducted on a release validates whether the SDLC produces secure software. Findings drive SDLC improvements (e.g., add security review for auth changes). | Pen test |
| A.8.28 | Secure coding | Pen test identifies coding-level vulnerabilities (injection, deserialization, broken access control) that the report's remediation guidance traces back to specific coding patterns. | Pen test |
| A.8.29 | Security testing in development and acceptance | Direct evidence. The pen-test report itself is the primary artifact for this control. Quarterly automated assessments provide ongoing acceptance testing. | Both |
| A.8.31 | Separation of development, test, & production environments | Pen test identifies whether non-production environments are leaking into production (e.g., debug endpoints, staging credentials). | Pen test |
PCI DSS v4.0 mandates internal AND external penetration testing at least once every 12 months and after any significant infrastructure or application change (Requirement 11.4). A CyberGrid pen test satisfies Req 11.4 for in-scope external systems. Req 11.3 (vulnerability scans) is covered by the quarterly automated assessment for internal scans (11.3.1); note that external scans under 11.3.2 must be performed by a PCI SSC Approved Scanning Vendor (ASV), so the automated assessment supplements rather than replaces the ASV scan unless your scan vendor holds ASV status.
| Requirement | Title | What CyberGrid evidences | Applicable to |
|---|---|---|---|
| 6.2.4 | Software engineering techniques addressing common vulnerabilities | Pen test validates that software engineering techniques (input validation, parameterized queries, output encoding) are correctly applied in the production application. | Pen test |
| 6.3.1 | Vulnerabilities identified and addressed via formal process | Pen-test report + retest report document the identification, severity ranking, remediation, and verification of vulnerabilities. | Both |
| 11.3.1 | Internal vulnerability scans performed at least once every three months | CyberGrid's automated assessment runs quarterly on a documented cadence. Each scan produces a dated PDF report that satisfies the quarterly-scan evidence requirement. Note that v4.0 also requires internal scans to be authenticated (11.3.1.2, effective 31 March 2025) and high-risk / critical findings to be rescanned until resolved (11.3.1.1). | Automated |
| 11.3.2 | External vulnerability scans performed at least once every three months | The automated assessment runs against the perimeter quarterly and provides supporting evidence. 11.3.2 itself requires the external scan to be performed by a PCI SSC Approved Scanning Vendor (ASV); unless your scan vendor holds ASV status, the ASV scan remains required and the automated assessment is supplementary. | Automated |
| 11.4.1 | Penetration testing methodology defined and followed | CyberGrid's published methodology (PTES + OWASP WSTG v4.2 + OWASP ASVS + CVSS v3.1) is documented at /methodology and referenced in every report. The methodology is reviewed annually. | Pen test |
| 11.4.2 | Internal penetration testing at least annually | For in-scope internal systems, schedule an annual CyberGrid pen test. Engagement Statement of Work explicitly references PCI DSS Req 11.4.2. | Pen test |
| 11.4.3 | External penetration testing at least annually | Direct evidence. The annual external pen test satisfies this requirement for in-scope perimeter systems. | Pen test |
| 11.4.4 | Vulnerabilities identified by pen test addressed & tested for resolution | The $1,999 retest specifically re-tests every finding from the initial engagement and issues a remediation addendum — direct evidence that identified vulnerabilities were addressed and verified. | Pen test |
CyberGrid is not a PCI DSS Qualified Security Assessor (QSA) and does not perform Report on Compliance (RoC) audits. Our pen test satisfies Req 11.4 evidence for organizations whose QSA accepts third-party pen-test reports — most do. Confirm with your QSA before relying on our report as the sole evidence for 11.4.
For covered entities and business associates that store or process ePHI, the HIPAA Security Rule requires a periodic technical and non-technical evaluation (§164.308(a)(8)). A CyberGrid pen test satisfies the technical half of that evaluation; the non-technical half (policy and procedure review) remains yours to evidence.
| Standard | Title | What CyberGrid evidences | Applicable to |
|---|---|---|---|
| §164.308(a)(1)(ii)(A) | Risk analysis | The pen-test report identifies, characterizes (CVSS), and prioritizes vulnerabilities — direct input to the required risk analysis. | Pen test |
| §164.308(a)(1)(ii)(B) | Risk management | The remediation guidance + retest report document the risk-management process: identification, mitigation, verification. | Both |
| §164.308(a)(8) | Evaluation — periodic technical evaluation | Direct evidence. HIPAA Security Rule §164.308(a)(8) requires a periodic technical and non-technical evaluation. The pen-test report (technical) + your security policy review (non-technical) together satisfy this standard. | Pen test |
| §164.312(a)(1) | Access control — technical safeguards | Pen test specifically tests for broken access control, authorization bypass, and role escalation — the access-control safeguards required by §164.312(a)(1). | Pen test |
| §164.312(b) | Audit controls | Pen test probes whether audit controls are operating (e.g., does an unauthorized access attempt produce an auditable record?). | Pen test |
| §164.312(e)(1) | Transmission security | testssl.sh + nuclei verify TLS configuration for ePHI in transit. Pen test verifies application-layer transmission security (HTTPS enforcement, secure cookie flags). | Both |
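The TLS rows above (SOC 2 CC6.7, ISO 27001 A.8.24, HIPAA §164.312(e)(1)) all rest on the same testssl.sh output. The script below is an added example, not CyberGrid's tooling: it reads a testssl.sh `--jsonfile` result and turns each relevant check into a PASS / FAIL evidence line with the control references attached. The check ids, the `id` / `severity` / `finding` record layout, and the "offered" / "not offered" / "passed." wording are assumed from testssl.sh's JSON output and should be verified against your own scan; the sample records are constructed, not a real scan.

```python
"""Turn a testssl.sh JSON result into control-evidence lines.

Added example (not CyberGrid code). Check ids and finding wording are
assumed from testssl.sh's --jsonfile output; verify against a real scan.
"""
import json
from dataclasses import dataclass

# Control references the mapping tables attach to TLS evidence.
TLS_CONTROLS = ("SOC 2 CC6.7", "ISO 27001 A.8.24", "HIPAA 164.312(e)(1)")

# check id -> (must_be_present, description). Ids follow testssl.sh naming (assumed).
CHECKS = {
    "SSLv2": (False, "SSLv2 disabled"),
    "SSLv3": (False, "SSLv3 disabled"),
    "TLS1": (False, "TLS 1.0 disabled"),
    "TLS1_1": (False, "TLS 1.1 disabled"),
    "cipherlist_NULL": (False, "NULL ciphers disabled"),
    "cipherlist_EXPORT": (False, "EXPORT ciphers disabled"),
    "cipherlist_3DES_IDEA": (False, "3DES/IDEA ciphers disabled"),
    "HSTS": (True, "HSTS header present"),
    "cert_chain_of_trust": (True, "certificate chain validates"),
}
MODERN_PROTOCOLS = ("TLS1_2", "TLS1_3")  # at least one must be offered


def _rec(check_id: str, severity: str, finding: str) -> dict:
    """Build one record in the shape testssl.sh emits (constructed sample data)."""
    return {"id": check_id, "ip": "app.example.com/203.0.113.10", "port": "443",
            "severity": severity, "finding": finding}


# Constructed sample: a host that still offers TLS 1.0/1.1 and 3DES and lacks HSTS.
SAMPLE_JSON = json.dumps([
    _rec("SSLv2", "OK", "not offered"),
    _rec("SSLv3", "OK", "not offered"),
    _rec("TLS1", "LOW", "offered (deprecated)"),
    _rec("TLS1_1", "LOW", "offered (deprecated)"),
    _rec("TLS1_2", "OK", "offered"),
    _rec("TLS1_3", "OK", "offered (OK): final"),
    _rec("cipherlist_NULL", "OK", "not offered"),
    _rec("cipherlist_EXPORT", "OK", "not offered"),
    _rec("cipherlist_3DES_IDEA", "MEDIUM", "offered"),
    _rec("cert_chain_of_trust", "OK", "passed."),
    _rec("HSTS", "LOW", "not offered"),
])


@dataclass(frozen=True)
class EvidenceLine:
    check: str
    description: str
    result: str   # PASS / FAIL / MISSING
    finding: str  # testssl.sh's own wording, preserved for the evidence file


def _present(finding: str) -> bool:
    """True when the scanner reports the feature as offered / passed."""
    f = finding.lower()
    if f.startswith("not offered"):
        return False
    return f.startswith("offered") or f.startswith("passed")


def evaluate(json_text: str) -> list:
    """Evaluate every check in CHECKS plus the 'modern TLS offered' rule."""
    records = {r["id"]: r for r in json.loads(json_text)}
    lines = []
    for check, (must_be_present, desc) in CHECKS.items():
        rec = records.get(check)
        if rec is None:
            # A check absent from the output is not evidence of anything.
            lines.append(EvidenceLine(check, desc, "MISSING", "check not in scan output"))
            continue
        ok = _present(rec["finding"]) == must_be_present
        lines.append(EvidenceLine(check, desc, "PASS" if ok else "FAIL", rec["finding"]))
    modern = [p for p in MODERN_PROTOCOLS if p in records and _present(records[p]["finding"])]
    lines.append(EvidenceLine("modern_tls", "TLS 1.2 or 1.3 offered",
                              "PASS" if modern else "FAIL", ", ".join(modern) or "none offered"))
    return lines


def failed_checks(json_text: str) -> list:
    """Sorted ids of every check that is not a clean PASS."""
    return sorted(line.check for line in evaluate(json_text) if line.result != "PASS")


def evidence_report(json_text: str) -> str:
    """One line per check, ready to paste into the evidence appendix."""
    header = "Controls: " + ", ".join(TLS_CONTROLS)
    rows = [f"[{l.result:7}] {l.description:32} ({l.check}: {l.finding})" for l in evaluate(json_text)]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    print(evidence_report(SAMPLE_JSON))
```

Run it against `testssl.sh --jsonfile out.json host:443` output by replacing `SAMPLE_JSON` with the file contents; anything other than PASS is a finding to carry into the report, and MISSING means the scan did not cover that check at all, which is worth knowing before an auditor asks.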
For engagements involving ePHI, CyberGrid will execute a Business Associate Agreement (BAA) before kickoff. Email hello@thecybergrid.com to request the BAA template.
For organizations using NIST CSF 2.0 (federal contractors, critical infrastructure, organizations aligning to FedRAMP / FISMA via NIST SP 800-53), here's where CyberGrid lands. Subcategory IDs below follow the CSF 2.0 numbering.
| Category | Subcategory | What CyberGrid evidences | Applicable to |
|---|---|---|---|
| ID.RA-01 | Vulnerabilities in assets identified, validated, recorded | Pen-test and automated-assessment reports directly evidence this subcategory. | Both |
| ID.RA-04 | Potential impacts & likelihoods identified | Each finding includes CVSS v3.1 base score (severity proxy) and an impact narrative. | Both |
| PR.PS-06 | Secure software development practices integrated | Pen test validates that secure-development practices are producing secure software. | Pen test |
| DE.CM-01 | Network monitoring to detect adverse events | Pen test probes monitoring effectiveness; report identifies blind spots. | Pen test |
| RS.MI-01 | Incidents are contained | Retest report evidences that identified vulnerabilities were mitigated. This is an indirect fit: the subcategory concerns incident containment, so treat the retest as supporting rather than primary evidence. | Pen test |
For teams that need a full SOC 2 program — policy library, control implementation, GRC platform setup, evidence collection, and a CPA audit firm referral — we run a fixed-fee 90-day SOC 2 readiness engagement. Starter $5,999 (≤25 employees), Standard $9,999 (25-100). The audit firm and platform vendor bill separately so the line items are honest.
We map findings to controls. We do not issue audit opinions. CyberGrid's report tells you (and your auditor) which controls each finding relates to. We are not a SOC 2 auditor, a QSA, a HITRUST assessor, or a FedRAMP 3PAO. Final acceptance of any CyberGrid report as evidence is between you and your auditing body.
SOC 2 readiness ≠ SOC 2 audit. Our SOC 2 readiness service prepares you for the audit; the audit itself is performed by an independent CPA firm we refer to you. We do not perform audits, do not issue SOC 2 reports, and do not take referral commissions from the audit firm.
Audit-period date sensitivity. Most audit frameworks require the testing to be conducted within the audit period (e.g., a SOC 2 Type II report covering Jan–Dec 2026 generally requires a pen test conducted within those dates). Plan your engagement timing accordingly.
Scope matters. The pen test only evidences controls for the systems within the engagement scope. If your audit covers more systems than were tested, the report only provides evidence for the in-scope subset.
Retest cadence matches reassessment cadence. If an auditor flags a finding mid-cycle, the $1,999 retest produces a remediation addendum that can be added to the evidence file showing the finding is now closed.
Questions about a specific audit framework? Email hello@thecybergrid.com with your auditor's evidence-request template — we'll respond within one business day with the specific report sections that align.