Compliance Coverage

Penetration Testing That Delivers Audit-Ready Evidence

Your compliance boundary defines the scope. Your assessor's controls define the testing. Your auditor receives reports mapped to the exact framework requirements they check. Your security team closes real technical risk. One engagement delivers it all.

THE COMPLIANCE GAP

Where Penetration Testing and Compliance Diverge

The Reality

An organization completed its annual compliance assessment with a clean result. Three months later, a senior penetration tester traced a full compromise path through assets that sat outside the compliance boundary.

Compliance frameworks define a floor, not a ceiling. PCI DSS covers your cardholder data environment. HIPAA covers the safeguards around ePHI. CMMC covers your CUI enclave. Each operates within a defined boundary. AI integrations, cloud identity paths, and third-party connections often sit outside that boundary and represent real attacker opportunity. The most defensible posture addresses both the boundary and what lies beyond it.

COMPLIANCE MAPPING

Your Compliance Framework Drives Every Engagement

We map every engagement to the specific controls your auditor evaluates. The matrix below shows the requirement, what we test against it, and what your deliverable contains so you walk into every audit with evidence already assembled.

SOC 2
What auditors check: CC4.1, CC6.1, CC7.1 (monitoring activities, logical access controls, and system operations)
What we test: Access control paths, privilege escalation, external attack surface, authentication and session management
What you receive: Vulnerabilities mapped to the Trust Services Criteria with the exact control references your assessor checks

HIPAA
What auditors check: 45 CFR 164.308(a)(8) and 164.312 (periodic evaluation of the technical safeguards and access controls protecting ePHI)
What we test: Systems and data flows that touch ePHI, access control paths, authentication, audit logging, transmission security, and business associate connections
What you receive: Vulnerabilities mapped to 164.308(a)(8) and 164.312 with the regulation cited alongside each one, and remediation evidence that feeds directly into your HIPAA risk analysis

PCI DSS 4.0
What auditors check: Requirements 11.4.1, 11.4.2, 11.4.3, 11.4.5 (a documented testing methodology, annual internal and external penetration testing at the network and application layers, and segmentation validation)
What we test: Cardholder data environment boundary, network segmentation, external and internal attack paths, application layer vulnerabilities
What you receive: Segmentation test results and vulnerabilities mapped to Requirement 11.4 with evidence your QSA can submit directly

CMMC
What auditors check: CA.L2-3.12.1 and CA.L2-3.12.3 (periodic assessment of security controls and ongoing monitoring within the CUI enclave)
What we test: CUI enclave boundary, access control paths, privileged account management, network segmentation
What you receive: Practice-level evidence mapped to CMMC assessment objectives with control reference notation

FedRAMP
What auditors check: NIST SP 800-53 Rev 5 CA-8 and CA-8(2) (annual penetration testing for cloud service providers, with red team exercises for High baseline systems)
What we test: Cloud infrastructure, identity and access management, API security, boundary controls, and data exposure paths
What you receive: Vulnerabilities mapped to NIST SP 800-53 controls with evidence packaged for 3PAO submission

ISO 27001
What auditors check: Annex A 8.8 and Clause 9.1 (management of technical vulnerabilities and performance evaluation of the ISMS, for which penetration testing supplies evidence)
What we test: Information assets, access control paths, network security, application security, privileged access, and third-party connection security
What you receive: Vulnerabilities mapped to Annex A controls with remediation guidance packaged for certification audit submission

NIST CSF 2.0
What auditors check: PR.AA and DE.CM (identity management, authentication and access control, and continuous monitoring)
What we test: Identity and access management, network monitoring coverage, detection capability gaps, and access paths
What you receive: Vulnerabilities mapped to CSF 2.0 functions and categories with prioritized remediation guidance

NIST AI RMF
What auditors check: GOVERN, MAP, MEASURE (AI risk governance and technical control evaluation)
What we test: AI model endpoints, agent workflows, prompt injection exposure, trust boundaries, and data access paths
What you receive: AI-specific vulnerabilities mapped to NIST AI RMF functions with remediation guidance

GLBA
What auditors check: FTC Safeguards Rule, 16 CFR 314.4(d)(2) (annual penetration testing and vulnerability assessments at least every six months for non-bank financial institutions that do not continuously monitor)
What we test: Customer data access paths, authentication controls, encryption implementation, and third-party connection security
What you receive: Vulnerabilities mapped to Safeguards Rule requirements with evidence packaged for FTC examination

FRAMEWORK COVERAGE

What Every Framework Actually Requires from a Penetration Test

Every compliance framework defines its own testing scope, evidence requirements, and audit mechanism. We scope each engagement to your framework's requirements so the deliverables satisfy your assessor directly.

SOC 2 / AICPA
Technology / SaaS / Financial Services / Healthcare
SOC 2 Type I and Type II
SOC 2 assessors evaluate whether controls protecting customer data operate effectively. Penetration testing satisfies the monitoring and logical access criteria auditors check most closely. We scope every SOC 2 engagement to cover those criteria so the report serves as direct evidence your assessor can use without additional mapping work.
Logical access controls tested across all access paths
Anomaly detection validated through simulated attack activity
Cloud infrastructure and third-party connection coverage
Change management controls validated during testing
Vulnerabilities mapped to Trust Services Criteria throughout
PCI DSS 4.0
Payments / Retail / Healthcare / Hospitality
PCI DSS 4.0
PCI DSS v4.0 was retired on December 31, 2024, and its 51 future-dated requirements became mandatory on March 31, 2025, so any assessment now runs against v4.0.1. Requirement 11.4 calls for a documented penetration testing methodology (11.4.1) and internal and external testing at both the network and application layers, covering the entire CDE perimeter and critical systems (11.4.2, 11.4.3). We scope every engagement to v4.0.1 and deliver evidence your QSA can submit without additional work.
Full CDE coverage across network and application layers
Segmentation validation testing per Requirement 11.4.5
Six-month segmentation retest cadence for service providers per Req 11.4.6
Methodology documentation meeting current QSA requirements
Remediation retest and attestation letter included for audit file
HIPAA / HHS
Healthcare / Health Tech / Business Associates
HIPAA Security Rule
HIPAA's Security Rule requires covered entities and business associates to perform periodic technical and nontechnical evaluations of the safeguards protecting ePHI (45 CFR 164.308(a)(8)). In its January 2025 Security Rule NPRM, HHS proposed making annual penetration testing mandatory under 45 CFR 164.308(a)(1); that requirement remains a proposal until HHS finalizes the rule. Every HIPAA engagement scopes to the systems and access paths that touch ePHI, with evidence mapped directly to the CFR controls your assessor evaluates.
ePHI access control paths tested across all system boundaries
Authentication and audit logging controls validated
Transmission security and encryption coverage included
Third party and business associate connection security assessed
Vulnerabilities mapped to CFR controls with regulatory citation
CMMC 2.0 / DoD
Defense Contractors / Federal Suppliers / DIB
CMMC 2.0
The CMMC 2.0 program rule (32 CFR Part 170) took effect on December 16, 2024. Level 2 certification requires third-party assessment by a C3PAO against the 110 security requirements of NIST SP 800-171 Rev 2. Penetration testing supports the CA domain assessment objectives covering security control assessment and monitoring. We scope every CMMC engagement to the CUI enclave boundary and deliver practice-level evidence your C3PAO can use directly.
CUI enclave boundary and access control paths tested
Privileged account management and credential exposure assessed
Network segmentation validated against assessment objectives
CA domain evidence mapped to NIST SP 800-171 controls
Remediation support available through C3PAO assessment window
FedRAMP / GSA
Federal Cloud / Government / Cloud Service Providers
FedRAMP
FedRAMP requires annual penetration testing by an authorized Third-Party Assessment Organization (3PAO) for all cloud service providers seeking or maintaining an Authority to Operate. NIST SP 800-53 Rev 5 CA-8 governs the penetration testing requirement, and High baseline systems must also include red team exercises under CA-8(2). We scope every FedRAMP engagement to the current FedRAMP Penetration Test Guidance and deliver evidence packaged for 3PAO submission.
All mandatory FedRAMP attack vectors covered
Adversarial simulation exercises included per CA-8(2)
Cloud infrastructure and API security tested
Evidence packaged for 3PAO submission
Remediation support through ATO window
ISO 27001 / ISMS
Any Organization Seeking ISO Certification
ISO 27001
ISO/IEC 27001:2022 Annex A control 8.8 requires organizations to obtain information about technical vulnerabilities, evaluate their exposure, and take appropriate measures, and Clause 9.1 requires the ISMS to monitor, measure, analyze, and evaluate its own performance. Penetration testing provides direct evidence of control effectiveness for both. We scope every ISO 27001 engagement to the information security management system boundary and deliver vulnerabilities mapped to Annex A controls your certification auditor can use as direct evidence.
Information assets and access paths tested
Network and application security controls validated
Privileged access and identity controls assessed
Third party connection security reviewed
Vulnerabilities mapped to Annex A controls throughout
NIST CSF 2.0 / NIST
Any Industry Managing Cyber Risk
NIST CSF 2.0
Released February 2024, NIST CSF 2.0 added a new Govern function and strengthened supply chain risk requirements. Penetration testing provides direct evidence across the Identify, Protect, and Detect functions. Cyber insurers and regulators increasingly require proof of adversarial testing, not just self-attestation. We scope every CSF engagement to your risk profile and deliver results mapped to the specific functions and categories your organization needs to demonstrate.
Access control and identity paths tested per PR.AA
Detection capability gaps identified per DE.CM
Supply chain and third-party risk coverage included
Asset and risk prioritization validated per ID.RA
Vulnerabilities mapped to CSF 2.0 functions throughout
NIST AI RMF / NIST
Any Organization Deploying AI in Production
NIST AI RMF
NIST AI RMF 1.0 organizes AI risk management across four functions: GOVERN, MAP, MEASURE, and MANAGE. The July 2024 Generative AI Profile (NIST AI 600-1) added guidance for generative AI across 12 risk categories, and its suggested actions include structured AI red-teaming of deployed systems. Prompt injection, data poisoning, and excessive agency, attack patterns also catalogued in the OWASP Top 10 for LLM Applications, fall within those risks. Testing covers AI endpoints, agent workflows, and integration boundaries, with results mapped to the relevant RMF functions and Generative AI Profile categories.
AI model endpoints and agent workflows tested
Prompt injection and tool abuse coverage included
Trust boundaries and data access paths assessed
Integration and plugin security validated
Results mapped to RMF functions and GenAI Profile
GLBA / FTC
Financial Institutions / Mortgage Brokers / Auto Dealers
GLBA Safeguards Rule
The FTC's amended Safeguards Rule under 16 CFR Part 314 became fully enforceable on June 9, 2023. Section 314.4(d)(2) requires non-bank financial institutions either to continuously monitor their information systems or, in place of continuous monitoring, to conduct annual penetration testing and vulnerability assessments at least every six months. The rule covers any institution under FTC jurisdiction that is significantly engaged in financial activities and handles nonpublic personal information. We scope every GLBA engagement to the systems and access paths that touch customer financial data and deliver the evidence an FTC examiner expects.
Customer data access paths tested across all systems
Authentication and MFA controls validated
Encryption implementation and gaps assessed
Third party service provider connections reviewed
Annual penetration test evidence packaged for FTC examination
AUDIT READINESS TIMELINE

Your Audit Window Drives Every Engagement Timeline

Audit readiness starts well before the assessment window opens. Every engagement is scoped and timed around your audit window so your security team completes remediation, retesting, and evidence assembly before your auditor arrives.

Note: Tighter timelines available for near-term audits.

T minus 16 to 20 weeks
Scoping session
The scoping session maps your environment against your compliance boundary, confirms what has changed since the last assessment, and locks the exact scope your framework requires. Crown jewels, system boundaries, and testing objectives get agreed and documented before anything runs.
T minus 14 to 16 weeks
Testing window
The penetration testing team runs active testing against the scoped environment. External, internal, application, and segmentation testing are covered as your framework requires. The window runs two to three weeks depending on scope complexity.
T minus 12 weeks
Deliverables issued
The Risk Impact Brief and Technical Pentest Report ship with vulnerabilities mapped to your compliance framework controls. Your security team starts remediation using the prioritized remediation path for each vulnerability.
T minus 6 to 8 weeks
Remediation retest
The penetration testing team retests every critical and high severity vulnerability after remediation. The attestation letter issues once every retested in-scope vulnerability is verified closed; any finding that remains open is listed with its current status.
T minus 2 to 4 weeks
Evidence assembly
The compliance-mapped report, attestation letter, and remediation evidence get packaged for assessor submission. The team stays available for assessor questions and supplemental documentation requests throughout the audit window.
T = 0
Audit begins
Your assessor has everything they need. The penetration testing team has verified that every vulnerability is remediated, retested, and mapped to your compliance framework. Your team walks into the audit with a complete evidence package ready to submit.

AUDIT-READY REPORTING

Every Deliverable Serves as Audit Evidence

Every vulnerability maps to the exact control reference your assessor evaluates. Business impact, remediation guidance, and compliance citations accompany every technical result so your auditor receives evidence tied directly to the controls they evaluate.

COMPLIANCE REPORT
VULN 003, Critical
Cloud storage misconfiguration exposing cardholder data outside the CDE boundary
PCI DSS Req 11.4.5 Network Segmentation, CVSS 9.3

VULN 007, High
Overprivileged IAM role letting a developer account move laterally to an ePHI database
HIPAA §164.312(a)(1) Access Control, CVSS 8.6

VULN 011, High
Broken object level authorization exposing customer records across API endpoints
SOC 2 CC6.1 Logical Access, CVSS 7.9

Every vulnerability in the report carries the control it violates, CVSS scoring against your specific environment, reproduction steps, and a remediation path tied to your stack. The same document serves your security team and your auditor.

01 Audit-Ready Report Structure
Every vulnerability maps to the exact control your assessor evaluates, with CVSS scoring, business impact, and a remediation path tied to that control. Structured for direct submission into your audit file.
02 Remediation Verification Letter
Once our penetration testers retest every remediated vulnerability and confirm closure, we issue a signed attestation letter. This document goes directly into your audit file as final compliance evidence.
03 Audit Window Support
Our penetration testers stay available throughout your audit window for assessor questions, supplemental documentation, and technical clarifications. Your assessor gets answers from the practitioners who ran the engagement.

BEYOND THE REPORT

What Your Assessor Checks Before the Audit Closes

Assessors evaluate more than what the report contains. Timing, scope coverage, and remediation evidence each factor into whether the engagement satisfies your compliance requirement.

Has your environment changed since the last test?

Assessors check the test date against your environment history, not just the calendar. A test that predates a significant infrastructure change may not satisfy the requirement; PCI DSS Requirements 11.4.2 and 11.4.3, for example, require testing at least once every 12 months and after any significant infrastructure or application upgrade or change. We document the scope boundary and environment state at the time of testing, so your assessor has full context.

Can you prove the right systems were in scope?

Assessors verify scope documentation, not just the report. We produce a documented scope agreement before testing begins so your assessor can verify exactly what was included and why.

Do you have evidence beyond the attestation letter?

Assessors increasingly ask for remediation evidence beyond the letter. We document screenshots, ticket references, and configuration changes tied to each closed vulnerability, so your audit file holds up under scrutiny.
