An authorized, simulated attack against your systems to identify exploitable vulnerabilities before real attackers do.
Penetration testing (often shortened to pen testing) is an authorized, scoped exercise where security professionals attempt to exploit vulnerabilities in your systems the way a real attacker would. The FTC Safeguards Rule requires annual penetration testing for firms with 5,000 or more consumer records that do not implement continuous monitoring (16 CFR 314.4(d)(2)). Tests can be external (internet-facing assets) or internal (assumed-breach scenarios). Findings are documented with severity ratings and remediation recommendations.
Pen testing is the FTC's expected substitute for continuous monitoring. Skipping both is a clear compliance gap if your firm is above the record threshold. A small-firm external pen test typically costs $5,000 to $15,000 annually. Insurance carriers increasingly require evidence of a recent test before issuing coverage. Document the scope, the testing firm, the findings, and what you remediated.
The Continuous Control Testing (Professional) module handles this for your firm, personalized to your software, team size, and state requirements.
Ongoing automated monitoring of systems for security threats, misconfigurations, and policy violations, as an alternative to periodic testing.
Automated scanning of systems to identify known software vulnerabilities, misconfigurations, and missing patches.
A federal regulation requiring financial institutions, including tax preparers, to develop and maintain a comprehensive information security program.