Penetration Testing Program

Penetration Testing Program

Document owner: Chief Information Security Officer (CISO)
Effective date: January 1, 2026
Last updated: January 15, 2026
Review cadence: Annual program review; per-engagement scope validation
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103

This document describes Acme Cloud, Inc.'s penetration testing program, including scope, methodology, frequency, remediation requirements, and evidence availability. The program supports SOC 2 CC4.1 (monitoring activities), ISO 27001 A.8.8 and A.12.6.1 (technical vulnerability management), and customer due diligence requirements documented in our Compliance Frameworks page.

Program Objectives

Penetration testing validates the effectiveness of Acme Cloud's security controls through simulated real-world attacks. Objectives include: identifying exploitable vulnerabilities before malicious actors, validating defense-in-depth architecture, testing incident detection and response capabilities, satisfying customer and regulatory assurance requirements, and providing evidence for SOC 2 and ISO 27001 audits.

Testing complements but does not replace automated vulnerability scanning, code review, threat modeling, and bug bounty findings coordinated through our Vulnerability Disclosure Policy.

Testing Scope

Test type	Scope	Frequency	Provider	Last completed
External network penetration test	Public-facing IPs, APIs, web applications, CDN configuration	Annual	Independent third party (CREST-certified)	September 2025
Internal network assessment	VPC segmentation, lateral movement, privilege escalation	Annual	Independent third party	September 2025
Application penetration test	Core SaaS application, admin console, customer API	Annual	Independent third party	September 2025
API security assessment	REST and GraphQL endpoints, authentication flows	Annual (combined with app test)	Independent third party	September 2025
Social engineering	Phishing simulation (workforce)	Quarterly	Internal + vendor platform	January 2026
Red team exercise	Full-scope adversary simulation	Annual	Independent third party	June 2025
Cloud configuration review	AWS IAM, S3, RDS, security groups	Semi-annual	Internal Security Engineering	December 2025
Wireless assessment	Corporate office (SF headquarters)	Annual	Independent third party	August 2025

Out of scope unless explicitly authorized: denial-of-service attacks against production, testing of customer tenant configurations, physical intrusion of AWS data centers, and social engineering targeting Acme Cloud customers.

Methodology

External and application tests follow industry-standard methodologies:

• OWASP Testing Guide v4.2 for web application testing
• OWASP API Security Top 10 (2023) for API assessment
• PTES (Penetration Testing Execution Standard) for network tests
• NIST SP 800-115 for technical security testing guidance
• MITRE ATT&CK for red team scenario mapping

Testing phases include: scoping and rules of engagement, reconnaissance, vulnerability identification, exploitation (where authorized), post-exploitation (internal/red team), documentation, and remediation verification.

Rules of Engagement

Parameter	Standard setting	Notes
Testing window	Business hours preferred; off-hours for production exploitation	72-hour advance notice to SRE
Production testing	Allowed with safeguards; no data destruction	Rollback plan required
Credentials	Test accounts provisioned; no customer credentials	Customer data synthetic only
DoS / load testing	Prohibited without explicit CISO approval	Separate performance testing process
Data exfiltration	Simulated only; no actual customer data removed	Use canary tokens
Third-party systems	Out of scope (AWS, Cloudflare, Okta)	Test integrations only

Authorized security researchers may conduct testing under our Vulnerability Disclosure Policy safe harbor provisions. Unauthorized testing is prohibited and may be referred to law enforcement.

Remediation SLAs

Findings are classified using CVSS v3.1 base scores with environmental adjustments for Acme Cloud context:

Severity	CVSS range	Remediation SLA	Retest required	Escalation
Critical	9.0–10.0	72 hours	Yes, within 14 days	CISO + CEO notification
High	7.0–8.9	14 days	Yes, within 30 days	CISO notification
Medium	4.0–6.9	30 days	At next annual test	Security Engineering lead
Low	0.1–3.9	90 days	At next annual test	Ticket tracking
Informational	0.0	Best effort	No	Documentation only

Remediation SLAs begin at report delivery. Extensions require CISO written approval with documented compensating controls. Critical and High findings block production releases touching affected components until remediated or mitigated.

Remediation Workflow

1. Report delivery: Third party delivers confidential report to CISO within 5 business days of test completion
2. Triage: Security Engineering triages findings within 2 business days; assigns owners and severity
3. Tracking: All findings logged in GRC platform with SLA timers and evidence attachments
4. Remediation: Engineering implements fixes per SLA; documents changes in change management system
5. Verification: Security Engineering verifies fix; requests retest for Critical/High findings
6. Retest: Third party or internal team retests within specified window; closes finding with evidence
7. Reporting: Quarterly metrics reported to Board Audit Committee (open findings, SLA compliance, trend analysis)

Evidence Availability

Document	Availability	Requirements
Penetration test executive summary	Enterprise customers under NDA	Signed evaluation agreement
Full penetration test report	Enterprise customers under NDA + CISO approval	Annual limit: one per customer
Remediation status letter	Available upon request	Current as of request date
SOC 2 bridge letter referencing pen test	With SOC 2 report	Standard NDA process
Red team executive summary	Board and select enterprise customers	Enhanced NDA

Reports are not publicly published to avoid aiding adversaries. Summary statistics (findings count by severity, remediation rate) appear in our Compliance Frameworks page.

Integration with Other Programs

Program	Integration
Bug bounty (HackerOne)	Pen test findings compared against bounty submissions; duplicate coordination
Vulnerability scanning	Weekly automated scans cover gaps between annual pen tests
Secure SDLC	Pen test findings feed into threat modeling and secure coding training
Third-Party Risk Management	Critical vendor pen test requirements for Tier 1 subprocessors
Incident Response Plan	Red team exercises test detection and response playbooks

2026 Testing Schedule

Quarter	Planned activity	Scope focus
Q1 2026	Social engineering (phishing)	Finance and executive targeting
Q2 2026	Red team exercise	Supply chain and insider threat scenarios
Q3 2026	Annual external + application pen test	Full scope per standard program
Q4 2026	Cloud configuration review	IAM privilege audit post-Q3 changes

Framework Mapping

Requirement	SOC 2	ISO 27001	HIPAA	Implementation
Vulnerability assessment	CC4.1	A.12.6.1	§164.308(a)(8)	Annual pen test
Penetration testing	CC4.1	A.8.8	Addressable	Third-party CREST-certified
Remediation tracking	CC7.1	A.12.6.1	§164.308(a)(5)(ii)(B)	GRC platform SLAs
Independent assessment	CC4.1	A.18.2.1	§164.308(a)(8)	External provider

Related Documents

• Vulnerability Disclosure Policy
• Security Overview
• Compliance Frameworks
• Incident Response Plan
• Third-Party Risk Management
• Encryption Standards

Historical Findings Summary (FY2025)

FY2025 annual penetration test identified: 0 Critical, 2 High (both remediated within 10 days), 8 Medium (all remediated within 30 days), 14 Low, 6 Informational. Common themes: API rate limiting improvements, session management hardening, and enhanced security header configuration. No customer data was accessed during testing.

Customer-Requested Testing

Enterprise customers may request: retest of remediated findings affecting their configuration, observation of annual pen test (NDA required), and documented confirmation that customer-specific integrations were in scope. Customer-initiated testing of their own tenant configuration is permitted under Vulnerability Disclosure Policy with advance notice.

Tooling & Standards

Approved penetration testing tools include: Burp Suite Professional, Metasploit (controlled use), Nmap, SQLMap (staging only), custom scripts (Security Engineering authored only). Third-party testers must provide methodology documentation and proof-of-concept evidence for all findings. Destructive testing tools are prohibited without explicit written authorization from CISO.

Internal Security Testing

Between annual third-party tests, Security Engineering conducts: monthly authenticated application scans, quarterly API security reviews, and continuous bug bounty triage. Internal testing results feed the same remediation tracking system as external pen test findings with identical SLAs.

Pen Test Report Distribution

Full penetration test reports are restricted to Security Engineering, CISO, and GRC. Executive summary (sanitized of exploit details) shared with Audit Committee annually. Customer-facing executive summary available under NDA excludes: specific exploit chains, internal hostnames, and vulnerability details that could aid attackers.

Penetration testing budget allocated annually by CISO with Board Audit Committee visibility. FY2025 spend: $185,000 external testing + internal Security Engineering time. FY2026 budget includes red team exercise and application security assessment.

Customer security teams may request joint remediation planning call for Critical/High findings affecting shared infrastructure within 10 business days of report delivery.

Contact

Acme Cloud, Inc.
1200 Market Street, Suite 400, San Francisco, CA 94103
security@acmecloud.com | trust@acmecloud.com