Compliance pen test for SOC 2 Type 2, ISO 27001, PCI DSS, HIPAA | Swarm

The compliance pen test, by control code.

SOC 2 Type 2, ISO 27001, PCI DSS 11.4, HIPAA. Each framework, mapped row by row to the specific Swarm behavior that satisfies it. Full audit trail, validated proof-of-concept, and a dedicated read-only Auditor Clerk role: every artifact your external reviewer asks for, before they ask.

SWARMSEC.AI · COMPLIANCE PEN TEST · 4 FRAMEWORKS · 28+ CONTROL POINTS

01  /  Trust Services Criteria · Security · Availability

SOC 2 Type 2. Receipts, not assurance.

01
CC2.1 Information for control
The audit trail captures every specialist action with timestamp, target, status, and finding ID. The auditor downloads one file.
02
CC3.2 Risk identification
30+ specialists run against authorized targets each engagement. Findings are scored CVSS, surfaced live, and chained into privilege-escalation paths.
03
CC4.1 Monitoring of controls
Pen test as a service cadence: every release triggers an engagement. Continuous, not annual. Receipts at every cycle.
04
CC7.1 System monitoring
Vulnerability identification on the production attack surface. The full audit trail is the evidence artifact, not a verbal summary.
05
CC7.2 Detect & respond
Validated proof-of-concept on every Critical and High. Reproducible exploit steps, not a finding description.
06
CC7.5 Recovery from identified incidents
Free 30-day retest re-runs the validated PoCs against the patched surface. The diff report shows what closed and what remains open: evidence that remediation held, not a statement that it did.
07
CC6.3 Role-based, least-privilege access
Read-only Auditor Clerk role. The external reviewer reaches the dashboard, audit trail, and report without engineering credentials or shared logins.

02  /  Annex A · Information Security Controls (2022 revision)

ISO 27001 / 27002. Receipts, not assurance.

01
27002 · 8.8 Management of technical vulnerabilities
Specialists consult the CISA Known Exploited Vulnerabilities catalog, refreshed as CISA adds entries. Every CVE in scope, the day it lands.
02
27002 · 5.7 Threat intelligence
Frontier-model commitment: free retest with each new frontier model onboarded. The threat surface updates as the threat does.
03
A.8.29 / 27002 · 8.29 Security testing in development and acceptance
Black-, grey-, and white-box engagement modes. Source code review available where ISO 27001 auditors expect deeper analysis.
04
A.5.35 / 27002 · 5.35 Independent review of information security
External, independent assessment. Every action receipted; the auditor verifies the methodology end-to-end, not by interview.
05
ISO 27001 · 7.5 Documented information
Markdown report, PDF render, structured findings, and the full audit trail. Retained for the lifetime of the account.
06
A.8.15 / 27002 · 8.15 Logging
Every HTTP request, every grep, every finding submission, every chain composition logged. Filterable by specialist or step.

03  /  Requirement 11.4 · External and internal penetration testing

PCI DSS v4.0. Receipts, not assurance.

01
11.4.3 External penetration testing
Engagement runs against the cardholder-data environment with explicit scope authorization. Out-of-scope hosts are rejected at the tool layer.
02
11.4.2 Internal penetration testing
Grey-box mode with credentialed access where the CDE crosses authentication boundaries. Specialists exercise the trusted side.
03
11.4.1 Methodology documentation
Full audit trail plus structured report document the methodology end-to-end. The PCI assessor reads the actions, not a narrative.
04
11.4.4 Exploitable vulnerabilities corrected
Findings ship CVSS scores, reproduction steps, validated PoC, and remediation guidance per finding. No verbal hand-off.
05
11.4.4 Testing repeated to verify corrections
Free 30-day retest re-runs validated PoCs and produces a diff report. Closed findings carry a retest timestamp, not an assurance.
06
11.4.5 / 11.4.6 Segmentation controls testing
Tenant-isolation specialists probe horizontal access boundaries. Where CDE segmentation lives in the application layer, the swarm tests it. Service providers must repeat segmentation testing at least every six months (11.4.6).
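The scope gate promised in the PCI rows above ("out-of-scope hosts rejected at the tool layer") is the control an assessor will probe hardest, because a tool that strays outside the CDE authorization is itself a finding. The following is an added illustration, not Swarm's code: a hypothetical tool-layer gate that extracts the host from a target, refuses anything outside an allowlist of authorized domains and CIDRs, and returns the audit record for the decision. The names (Scope, in_scope, gate) and the sample scope are assumptions for this example.

```python
"""Added example: tool-layer scope gate for an automated pen-test engagement.

Hypothetical code, not Swarm's implementation. The sample scope at the bottom
is constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable
from urllib.parse import urlsplit


class OutOfScope(Exception):
    """Raised before any request leaves the tool; carries the audit record."""


@dataclass(frozen=True)
class Scope:
    """Authorized scope: apex domains (exact or subdomain match) and CIDR ranges."""
    domains: frozenset[str]
    networks: tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, ...]

    @classmethod
    def from_lists(cls, domains: list[str], cidrs: list[str]) -> "Scope":
        return cls(
            frozenset(d.lower().rstrip(".") for d in domains),
            tuple(ipaddress.ip_network(c, strict=False) for c in cidrs),
        )


def host_of(target: str) -> str:
    """Host part of a URL or bare host[:port]. The URL parser is used so that a
    userinfo trick such as 'https://example.com@evil.com/' yields the real host."""
    if "://" not in target:
        target = "//" + target
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no host in target {target!r}")
    return host.lower().rstrip(".")


def in_scope(target: str, scope: Scope) -> bool:
    """True only if the target's host is an authorized name or address."""
    host = host_of(target)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals are judged against the CIDR list only.
        return any(addr in net for net in scope.networks)
    # Names: exact or subdomain match, never a bare suffix match, so
    # 'notexample.com' does not match 'example.com'.
    return any(host == d or host.endswith("." + d) for d in scope.domains)


def gate(target: str, scope: Scope, send: Callable[[str], object]) -> dict:
    """Refuse out-of-scope targets before any packet leaves, and return the
    audit record (timestamp, target, host, decision, result) for an allowed one."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "target": target,
        "host": host_of(target),
        "decision": "allow" if in_scope(target, scope) else "reject",
    }
    if record["decision"] == "reject":
        raise OutOfScope(record)
    record["result"] = send(target)
    return record


# Constructed sample scope for the example.
SCOPE = Scope.from_lists(["example.com"], ["10.0.0.0/24", "2001:db8::/32"])

if __name__ == "__main__":
    print(gate("https://app.example.com/login", SCOPE, lambda t: "sent"))
    try:
        gate("https://example.com@evil.com/", SCOPE, lambda t: "sent")
    except OutOfScope as exc:
        print("rejected:", exc.args[0]["host"])
```

The gate decides on the name or literal address the tool was asked to contact; it does not resolve DNS. An authorized hostname that resolves to an out-of-scope address (a stale CNAME, a rebinding trick) slips past a name-only check, so a production gate re-checks the resolved address at connect time as well, and the reject records belong in the same audit trail as the allowed requests.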

04  /  Administrative & technical safeguards · 45 CFR 164

HIPAA Security Rule. Receipts, not assurance.

01
164.308(a)(8) Periodic technical evaluation
The engagement is the periodic technical evaluation of record (the rule says periodic, not annual), with the audit trail attached as evidence. Customers re-run it on remediation cycles.
02
164.308(a)(1)(ii)(A) Risk analysis
Specialists chain findings across the PHI surface. Severity is calibrated against a worked-example rubric, not consultant intuition.
03
164.312(b) Audit controls
Activity recording on systems handling ePHI. The full audit trail is the assessor artifact for technical control review.
04
164.308(a)(4) Information access management
Broken-access-control specialists test authorization boundaries on every PHI endpoint. IDOR, BFLA, and BOLA covered.
05
164.504(e) Business associate contracts
Email compliance@swarmsec.ai before running an engagement against any PHI surface. The BAA covers data Swarm processes during the engagement.

Operating model

What every auditor receives.

The four artifacts that satisfy the cross-framework asks: who has access, what they can download, when retests run, and how long the record is kept.

01
org:auditor Auditor Clerk role
Read-only dashboard access. Engagement view, audit-trail download, report export. No engineering credentials, no shared logins.
02
audit_trail Full audit trail
Every specialist action exported. Filterable by specialist or step, traceable from any finding back to the request that surfaced it.
03
30 days · post-remediation Free retest window
Re-runs validated PoCs against the patched surface. Diff report shows closed vs open. Evidences SOC 2 CC7.5 and the repeated test PCI DSS 11.4.4 requires after correction.
04
lifetime · deletion-on-request Deliverable retention
Useful for multi-year SOC 2 Type 2 periods where auditors compare year-over-year. Delete any engagement on request.

Questions

What buyers ask. Receipts attached.

The questions every engineering and security lead asks before they fund an engagement. Read the answers here, before the kickoff call.

01 Does a Swarm engagement satisfy SOC 2 CC4 and CC7?

Yes. The full audit trail is the evidence artifact for system monitoring (CC7.1) and detection (CC7.2). The 30-day free retest evidences that remediation held, which is what a reviewer looks for under CC7.5 (recovery from identified incidents). CC4.1 (ongoing evaluation of controls) is met by running the engagement on a release cadence rather than once a year.

02 Does Swarm satisfy PCI DSS 11.4 evidentiary requirements?

Yes. PCI DSS v4.0 11.4 requires a documented methodology (11.4.1), internal (11.4.2) and external (11.4.3) penetration testing, correction of exploitable findings with testing repeated to verify the fix (11.4.4), and testing of segmentation controls where segmentation isolates the CDE (11.4.5; at least every six months for service providers under 11.4.6). The full audit trail documents the methodology, structured findings carry CVSS plus validated PoC, and the 30-day retest is the repeated test 11.4.4 calls for. Run the engagement against the cardholder-data environment with explicit scope authorization.

03 Does Swarm map to ISO 27001 Annex A.8.29?

Yes. ISO 27001:2022 Annex A.8.29 (Security testing in development and acceptance) and ISO 27002 8.29 require documented security testing with a traceable methodology. A Swarm engagement produces the structured report and full audit trail your ISO 27001 auditor needs, plus the activity logs aligned with A.8.15.

04 Does Swarm sign BAAs for HIPAA?

Yes. Email compliance@swarmsec.ai before running an engagement against any surface that processes protected health information. The BAA covers the data Swarm processes during the engagement. HIPAA Security Rule 45 CFR 164.308(a)(8) requires a periodic technical and nontechnical evaluation; a Swarm engagement satisfies the technical half.

05 What does the auditor receive?

A structured engagement report with executive summary, CVSS-scored findings, remediation guidance, and exploit chain analysis; the full audit trail covering every specialist action; validated proof-of-concept on every Critical and High; and dashboard access via the read-only Auditor Clerk role. See /sample-report for the deliverable.

06 How does the free retest interact with my compliance period?

The 30-day free retest re-runs the validated proof-of-concept exploits against your patched environment and produces a diff report. Closed findings ship with a retest timestamp; remaining findings stay open. This evidences the recovery criterion in SOC 2 CC7.5 and the repeated test PCI DSS 11.4.4 requires after correction, within the compliance period that contains the original engagement.

07 Is Swarm itself SOC 2 and ISO 27001 compliant?

Yes. Swarm itself is SOC 2 Type 2 and ISO 27001 compliant. The more relevant question for buyers is whether a Swarm engagement satisfies your own SOC 2 Type 2 pen test requirement. It does, mapped to the controls listed above.

08 How long are engagement deliverables retained?

Deliverables (report, findings, full audit trail) are retained for the lifetime of your account, with deletion on request. Long retention is useful for multi-year SOC 2 Type 2 periods where auditors compare year-over-year findings.

Read the receipts.
Swarm maps your attack surface from a single domain in a few minutes. No card. Free preview.