The pen test is not mandatory for SOC 2 Type 1 but is highly recommended for a SOC 2 Type 2. You do not need to select our pen partners, we only offer our partners as way to help our customers speed up the search when looking at pen test vendors. Re: the type of pen test, SOC 2 controls are not very prescriptive. It also depends on the maturity of the organization. White box testing is more easier to handle where as a black box testing is very rigorous and consume more resources from your side. Additionally, please check out this link for more details on the pen testing – https://community.trustcloud.ai/docs/trustops/controls/vulnerability-management/infra-2-pen-testing/

OR