I had a disappointing email today. Working with a prospect who wanted to get their SOC 2 Type 2 certification, they needed a pentest. Technically not fully required, but in my experience it helps a great deal. Cut them a deal and provided a few options, including a very basic network assessment for the hosting infrastructure (it's all about the scope y'all).

But they had at least one of their own prospects asking for a pentest report, so I warned them that this won't work. They need their actual app to be tested. They're not sure, asking for what would be the bare minimum.

I explain that if they limit their scope for the SOC2, they can go cheap, but it won't help with their prospect. Wait a few days and get the "We're going in another direction" email. I hear through the grapevine that they had a second prospect asking for a pentest report. I wish them well and let them know I'm here if things change. Maybe I was undercut, but whatever. Best part? They're in the healthcare field, targeting hospitals/clinics, so I hope they get their priorities straight.

in reply to JohnsNotHere

@JohnsNotHere Honestly, as a person whose focus is always on compliance and meeting compliance needs, compliance teams need to start realizing that our job is to fight *against* these kinds of bad decisions. Getting good reports is the only way we stop the ransomware epidemic.

And I'm speaking as someone who lost the fight not to go with the lowest bidder this year.

in reply to silverwizard

@silverwizard These "shortcuts" are great examples of why compliance != security. I understand the need to meet certain standards in some industries, but honestly it's just a matter of time before you become a headline with these types of decisions.

I don't take them personally and I do try to give my honest opinion, all while being respectful. Some folks will never learn though, and it's not worth the headache at the end of the day. Horse to water and all that...