Attestation
A signed, independent penetration test report that supports your SOC 2 or ISO 27001 audit. Our security team reviews the findings, independently verifies each fix, and signs off, typically in one week.
Your Keygraph pentest already proves every finding with a working exploit. Some auditors also want evidence of human review. On top of the exploit-verified findings, the attestation adds a defined scope, a documented methodology, and a reviewer sign-off.
What it is
A penetration test report covering a defined scope under a documented methodology, issued and signed by the Keygraph security team, independent of the engineers who build the platform.
You hand it to your auditor as third-party evidence that your application was tested, the findings were reviewed, and the fixes were verified. It layers onto the pentest you already run with Keygraph; nothing about your workflow changes.
Why it matters
SOC 2 and ISO 27001 audits expect penetration test evidence. The traditional way to produce it is a multi-week engagement with a pentest firm, once a year.
Your Keygraph pentest already produces severity-ranked findings with a working exploit behind each one. The attestation turns that into a signed third-party report your auditor can work with, typically in one week, for a flat fee.
What auditors ask for
A SOC 2 audit firm confirmed to us in writing that an AI-generated pentest is acceptable evidence when the report meets two criteria.
Identifies vulnerabilities
The report must identify the vulnerabilities in the application under test. Keygraph goes further: every finding ships with an executed proof-of-concept exploit. No Exploit, No Report.
Ranks them by severity
Each finding must carry a severity ranking, so the auditor can see how issues were prioritized. Every Keygraph finding is severity-ranked, with the exploit evidence to back the rating.
More conservative auditors also want evidence of human review. The attestation is built for exactly that: a defined scope, a documented methodology, and a reviewer sign-off from the Keygraph security team. If you are unsure what your auditor expects, we will scope it with you before you start.
How verification works
The sign-off is earned, not stamped. Our security team reviews the findings and independently verifies each fix against the running application before anyone signs.
1. Run your pentest
Point Keygraph at your application. It reports only findings with a working proof-of-concept exploit, each with a severity ranking.
2. Fix what you choose
Keygraph remediation delivers fixes as pull requests your team reviews and merges. Nothing is auto-applied.
3. We review and verify
Our security team reviews the findings and independently re-tests each fix against the running application.
4. You get the signed report
A signed third-party report reflecting your post-remediation state, ready for your auditor.
How long it takes: typically one week from kickoff to sign-off. Pricing is a flat, one-time fee. Your remediation timeline is whatever you need it to be. Findings you choose not to fix appear in the report with their status, so nothing is hidden from your auditor.
What’s in the report
One signed document, structured the way auditors expect to read it.
Scope and methodology
The systems under test, the testing window, and the documented methodology the engagement followed.
Findings, ranked by severity
Every vulnerability identified, its severity ranking, and the executed proof-of-concept exploit behind it.
Remediation and verification status
What was fixed, how each fix was independently verified, and the status of anything left open.
Reviewer sign-off
The attestation itself: signed by a Keygraph security team that works separately from the engineers who build the platform.
FAQ
What is the Keygraph attestation?
A penetration test report issued and signed by the Keygraph security team, independent of the engineers who build the platform. You hand it to your auditor as third-party evidence that your application was tested and the fixes were verified.
Does the attestation include remediation and retest?
Yes. You fix the findings you choose, and we independently verify each one against the running application before signing. Findings you decide not to fix are represented honestly in the report with their status, so nothing is hidden from your auditor.
Can I see a sample report before starting?
Yes. Request one and we will send a sample so you, and your auditor, can review the format before you start.
Will my auditor accept an AI-generated pentest?
It depends on the auditor. Some accept an AI-generated pentest in support of a SOC 2 audit when the report ranks findings by severity and proves each one, which Keygraph does. More conservative auditors want evidence of human review, and the attestation is built for that. If you are unsure what your auditor expects, we will scope it with you before you start.
How long does the attestation take?
About one week from kickoff for our review and sign-off; your own remediation timeline is separate. When your next audit cycle comes around, re-attestation runs the same way against a fresh pentest.
Hand your auditor proof, not promises.
Run your pentest, remediate with reviewable pull requests, and get a signed third-party report that supports your audit.