What is a pentest attestation letter

Q: Who should sign the attestation letter?

The named engineer who ran the test — not a generic firm signature, not 'the team.' SOC 2 auditors in 2025-2026 fieldwork increasingly ask for the individual's name and credentials to satisfy the independence and competency assessment. A letter signed 'by our security team' is a red flag that prompts follow-up questions.

01. what it contains

Six things every attestation letter must include.

An incomplete letter fails review. Each of these six elements serves a specific purpose for the auditor. If any is missing, expect a follow-up request before your audit closes.

Named engineer

The full name of the individual who conducted the test. Not "our senior team." Auditors verify independence and competency at the individual level, not the firm level.

Engagement scope

Which systems, applications, and network ranges were tested. Must match the scope described in the penetration testing statement of work. If the scope differs from your compliance system description, the gap becomes a finding.

Engagement dates

The window during which testing occurred. Must fall within the audit period. A pentest completed before the period started may not satisfy the control without supplemental evidence.

Methodology reference

The named methodology followed: PTES, OWASP WSTG, OWASP MSTG, NIST SP 800-115, or a documented custom framework. "Industry best practices" is not acceptable in 2025-2026 fieldwork.

Retest confirmation

Statement that remediation retesting was completed, with the retest date. Each finding should be marked resolved, partially resolved, or accepted. "Retest in progress" is not complete evidence.

Firm and engineer signature

Signed by the named engineer, not just a firm letterhead. Some auditors also ask for the engineer's certifications (OSCP, GPEN, CEH, or equivalent) to confirm competency.

What auditors reject

The most common rejection reason in 2025-2026 fieldwork is a letter signed "by our security team" with no named individual. The pattern is consistent across Big Four and regional firms: the auditor requests a named engineer attestation, the vendor says they do not provide named attribution, and the audit delays two weeks while the client either switches vendors or waits for a corrected letter. This is a procurement problem that surfaces at the worst possible time.

Why does it matter who specifically signed the letter? SOC 2 requires the auditor to assess the competency and independence of the testing party. That assessment happens at the individual level. If the letter names only a firm, the auditor cannot satisfy their own documentation requirement. They ask, the vendor stalls, the schedule slips.

The second most common rejection is a letter that confirms testing happened but says nothing about remediation and retest. That letter is evidence of half the control. The control requires both identification of vulnerabilities and a response to them. Auditors reading the 2024 trust-services-criteria update consistently interpret this as requiring confirmed remediation, not just identified issues. A letter that ends at "we completed testing on [date]" and has no retest section will receive a request for supplemental evidence. At that point, if the retest has not actually happened, the gap is real and the audit stops moving until it is addressed.

Engagement dates outside the audit period are a frequent problem for organizations that run their pentest in Q1 and present it for a Q3-Q4 audit. The relevance threshold varies by auditor and framework, but retesting within 12 months of the audit date is the safe threshold for SOC 2. For PCI DSS, the annual testing window is explicit in Requirement 11.3.1. A test from 14 months ago, however thorough, may require the auditor to flag the control as out-of-cycle. The fix is another test, which costs time and money that could have been avoided with better timing.

Finally, a letter that claims "proprietary methodology with 20 years of development" fails the methodology requirement. Custom frameworks can pass review, but only when they are documented and referenced by name. A claim of proprietary methodology with no citation is indistinguishable from no methodology. The auditor needs something to point to. If the methodology is genuinely custom, it must be written down, and the letter must reference where to find it.

The format that passes review

A one-page attestation letter that includes all six elements passes review at every audit firm we have encountered. The format is straightforward when a vendor treats it as a standard deliverable rather than an afterthought.

The checklist:

Named engineer with full name and relevant certifications (OSCP, GPEN, CEH, or equivalent)
Scope statement matching the compliance system description verbatim or by reference
Engagement dates (start and end of active testing)
Named methodology (PTES, OWASP WSTG, OWASP MSTG, NIST SP 800-115, or documented custom)
Retest confirmation with retest date and status of each finding (resolved, partially resolved, or accepted with rationale)
Engineer signature, not just firm signature

When all six are present, the auditor attaches the letter to the control and moves on. Our full field notes on SOC 2 audit expectations cover how the review process has tightened over the last two fieldwork cycles and what to prepare before the auditor walks in.

Every pentest.systems engagement includes a signed, named-engineer attestation letter as a standard deliverable. It is not an add-on, not an upgrade tier, and not something clients need to request. See what every engagement produces and how we approach SOC 2 penetration testing specifically.

03. common questions

Frequently asked questions.

What's the difference between an attestation letter and a penetration test report?

The report documents all findings, severity ratings, working proofs of concept, and remediation recommendations. It is the technical deliverable for your engineering team. The attestation letter is the compliance artifact: a short signed document (typically one page) that confirms the test happened, who ran it, what was tested, what methodology was used, and that retest is complete. Auditors attach the letter to the control; the full report is available on request.

Who should sign the attestation letter?

The named engineer who ran the test, not a generic firm signature, not "the team." SOC 2 auditors in 2025-2026 fieldwork consistently ask for the individual's name and credentials to satisfy their independence and competency assessment. A letter signed "by our security team" prompts follow-up questions that delay fieldwork.

What happens if the attestation letter is missing information?

The auditor flags it as incomplete evidence and may require a corrected letter before issuing the report. In SOC 2 engagements, missing retest confirmation or an unnamed engineer delays fieldwork completion. The fix is straightforward, a corrected letter from the testing firm, but the delay is real when your audit window is tight.

→ related

Need an attestation letter that passes review?

Every engagement includes a signed attestation letter from the named engineer. 30-minute scoping call to confirm scope and audit timeline. Free.

Book a 30-min scoping call See deliverables

What is a penetration test attestation letter?

Six things every attestation letter must include.

Named engineer

Engagement scope

Engagement dates

Methodology reference

Retest confirmation

Firm and engineer signature

What auditors reject

The format that passes review

Frequently asked questions.

More on deliverables and compliance.

Engagement deliverables

SOC 2 penetration test

PCI DSS penetration test

SOC 2 pentest evidence in 2026

Need an attestation letter that passes review?