<aside>
🎯
Goal: Provide evidence that an independent, qualified party tested your application for vulnerabilities.
</aside>
What the auditor wants
- Proof that a qualified, independent third party (not your own engineers) attempted to find and exploit vulnerabilities in your application.
- A penetration test report that states the scope and methodology, lists findings by severity, and shows remediation and retest status for each finding.
How to clear this task
<aside>
🛡️
Option A: Use the included pentest
- If you are preparing for SOC 2 or ISO 27001, an application-level penetration test is included (typically run against your staging environment, so make sure staging reflects the production code and configuration you want assessed).
- You do not need to do anything yet.
- We will share details and kick this off once auditor engagement begins.
- After the initial test, you will have time to fix High and Critical issues before the retest.
- Once the retest is complete, upload the final report. "Clean" means every High and Critical finding is marked as remediated and verified on retest; it does not mean findings were removed from the report.
</aside>
<aside>
📎
Option B: Bring your own report
- If you have a recent pentest from a third-party security vendor (auditors generally expect one performed within the audit period, typically the last 12 months), click Upload Evidence.
- Upload the final PDF report. It should name the vendor, state the scope and testing dates, and describe the methodology, so the auditor can confirm the tester was independent and qualified.
- Make sure the report shows that every High or Critical finding was remediated and retested, either in a retest section of the same report or in a separate retest letter from the same vendor.
</aside>
<aside>
💡
The remediation rule: auditors typically expect High and Critical findings to be remediated and verified by retest before the report is accepted. Low and Medium findings can be tracked in your backlog, but give each one an owner and a target date so you can show they are being managed rather than ignored.
</aside>