Frequently Asked Questions

Answers to the questions we hear most about compliance testing and penetration testing.

Most penetration testing engagements take one to three weeks of active testing, depending on the scope. A focused web application test for a single product can be completed in five to seven business days. A full network penetration test covering internal and external infrastructure typically takes two to three weeks. We define the timeline during scoping so there are no surprises.

CMMC Level 1 covers 17 basic safeguarding practices based on FAR 52.204-21 and requires annual self-assessment. Level 2 maps to all 110 controls in NIST 800-171 and requires either self-assessment or third-party assessment by a C3PAO, depending on the sensitivity of the CUI you handle. Most defense subcontractors handling CUI will need Level 2.

Total cost depends on your organization’s size, complexity, and current security maturity. Readiness preparation typically runs $15,000 to $50,000, and the audit itself (conducted by a licensed CPA firm) adds another $20,000 to $60,000. We scope our readiness engagements to fit your budget and existing controls — you don’t pay to build what you’ve already built.

Many frameworks either require or strongly recommend it. SOC 2 Trust Services Criteria expects regular vulnerability management and testing. CMMC Level 2 requires vulnerability scanning and can benefit from penetration testing during assessment preparation. HIPAA requires regular technical evaluation of security controls. NYDFS explicitly requires annual penetration testing. We help you determine what’s required for your specific compliance obligations.

A vulnerability scan is an automated tool that identifies known weaknesses in your systems. A penetration test is a hands-on, manual exercise where a security professional actively attempts to exploit vulnerabilities, chain findings together, and demonstrate real-world impact. Scans find known issues. Penetration testing finds what’s actually exploitable and how far an attacker could get.

Yes. We work with organizations from 10 to 500 people. The scope of a compliance testing engagement scales to your size — a 20-person startup doesn’t need the same controls documentation as a 300-person enterprise. We help you build a compliance program that’s right-sized for where you are today and designed to grow with you.

Certification is the starting line, not the finish. SOC 2 Type II requires ongoing evidence collection throughout the audit period. CMMC requires continuous compliance. We offer ongoing compliance management — quarterly reviews, evidence maintenance, policy updates, and reassessment preparation — so you stay compliant year over year.

We review the questionnaire with you, help you understand what the assessor is really looking for behind each question, prepare your responses with appropriate evidence, and identify any gaps that need to be addressed before submission. We’ve seen these from both sides of the table — as the vendor responding and as the team evaluating vendor responses.

Yes. Policy development is a core part of most compliance engagements. We write security policies, procedures, and plans — including System Security Plans for CMMC, information security policies for SOC 2 and ISO 27001, and incident response plans required across most frameworks. Every document is tailored to your actual operations, not boilerplate.

A 30-minute conversation. We learn about your business, your compliance requirements, and the specific challenge you’re facing. You’ll walk away with a clear understanding of what’s involved, a realistic timeline, and a sense of scope — whether or not you decide to work with us. No cost, no obligation.

Have a question that isn’t listed here?

Initial consultations are free. We’re happy to walk through your specific situation and compliance requirements.

info@wolfpacksecurity.org