Beyond the Checkboxes

SOC 2, ISO 27001, penetration tests, and cyber insurance each serve a purpose. None was designed to answer the question external stakeholders are actually asking — whether a company's security posture is strong relative to its peers, right now, based on what's observable from the outside.

If you evaluate cybersecurity risk as part of your investment analysis, insurance underwriting, or risk management workflow, you've likely relied on familiar signals: SOC 2 certification, ISO 27001, penetration testing reports, and cyber insurance.

This page examines what each of these instruments actually certifies, what they structurally cannot tell you, and where independent external observation fills the gap.

What SOC 2 Type 2 Actually Certifies

SOC 2 Type 2 confirms that a company's self-defined controls operated effectively during a specific review period. The structural limitations matter for anyone relying on it as a security signal.

Scope Is Company-Selected

Only the Security criterion is mandatory; the other four (Availability, Processing Integrity, Confidentiality, Privacy) are optional. A company can certify a single product while leaving its corporate email, public websites, and network perimeter outside the audit boundary.

Controls Are Self-Defined

SOC 2 evaluates adherence to the organization's own criteria — not a standardized baseline. Two companies can both hold SOC 2 certifications with dramatically different levels of actual security rigor, and there's no way to tell from the outside.

Coverage Ends at the Review Window

There's no ongoing monitoring between audit cycles. Configurations drift, new services get deployed, and certificates expire — all between reviews.

No Peer Comparison Exists

SOC 2 was designed as an assurance report, not a benchmarking tool. It tells you a company met its own bar. It doesn't tell you where that bar sits relative to anyone else's.

The areas SOC 2 typically doesn't evaluate — email authentication, DNS security, TLS hygiene, exposed services, infrastructure jurisdiction — are the same external attack surfaces that adversaries probe first and that SDP regularly observes.
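As an added illustration, not SDP's code or scoring method, the block below assesses two of the signals named above, SPF and DMARC policy strength, from DNS TXT records, and classifies a certificate by its expiry date, the kind of drift the previous section notes happening between reviews. The domain names, records and dates are constructed samples; a real check would replace the dictionary lookup with live DNS and TLS queries against the domain being assessed.

```python
"""Assess a few externally observable security signals: SPF, DMARC and
TLS certificate expiry. All inputs are constructed samples, not live lookups."""
from datetime import date

# Constructed sample TXT records, keyed by the name a DNS TXT query would use.
SAMPLE_TXT = {
    "strong.example":        ["v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    "weak.example":          ["v=spf1 +all"],
    "_dmarc.weak.example":   ["v=DMARC1; p=none"],
    "partial.example":       ["v=spf1 mx -all", "v=spf1 ip4:198.51.100.7 -all"],
}


def assess_spf(txt_records):
    """Return (rating, reason) for the SPF records published at a domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no SPF record"
    if len(spf) > 1:
        # RFC 7208 treats more than one SPF record as a permanent error.
        return "invalid", "multiple SPF records; receivers treat this as permerror"
    terms = spf[0].split()[1:]
    terminal = terms[-1].lower() if terms else ""
    if terminal == "-all":
        return "strong", "hard fail for unauthorized senders"
    if terminal == "~all":
        return "moderate", "soft fail only"
    if terminal in ("+all", "all", "?all"):
        return "weak", f"'{terminal}' passes or ignores every sender"
    return "weak", "no terminal 'all' mechanism; unlisted senders are neutral"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-keyed tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records):
    """Return (rating, reason) for the DMARC policy published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return "missing", "no DMARC record"
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "reject" and pct == 100:
        return "strong", "p=reject applied to all mail"
    if policy in ("reject", "quarantine"):
        return "moderate", f"p={policy} pct={pct}"
    if policy == "none":
        return "weak", "p=none: monitor only, spoofed mail is still delivered"
    return "invalid", "no valid p= tag"


def cert_expiry_status(not_after_iso, now_iso, warn_days=30):
    """Classify a certificate by the days left before its notAfter date (ISO 8601)."""
    days = (date.fromisoformat(not_after_iso) - date.fromisoformat(now_iso)).days
    if days < 0:
        return "expired", days
    if days <= warn_days:
        return "expiring-soon", days
    return "ok", days


def assess_domain(domain, txt_lookup=SAMPLE_TXT.get):
    """Combine the email-authentication checks for one domain.

    txt_lookup(name, default) stands in for a DNS TXT query (hypothetical hook)."""
    return {
        "spf": assess_spf(txt_lookup(domain, [])),
        "dmarc": assess_dmarc(txt_lookup(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for name in ("strong.example", "weak.example", "partial.example"):
        print(name, assess_domain(name))
    print(cert_expiry_status("2025-06-20", "2025-06-01"))
```

The ratings are deliberately coarse: they separate a domain that rejects spoofed mail from one that merely monitors, and a certificate that is weeks from expiry from one that is fine, which is the comparable, point-in-time signal a certificate or audit report does not carry.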

What ISO 27001 Certification Actually Demonstrates

ISO 27001 is the world's most widely adopted information security standard, with roughly 97,000 active certificates globally.

Scope Is Company-Selected

Clause 4.3 permits certifying a subset of operations: one product, one data center, one business unit. The certificate's scope statement doesn't always make clear what's excluded.

Controls Are Filtered Through an Internal Document

The Statement of Applicability lists all 93 Annex A controls and which were implemented or excluded — but the SoA isn't public. External stakeholders see only the certificate, not the control decisions behind it.

Surveillance Audits Sample, Not Sweep

After the initial certification, annual audits review approximately half of requirements each year. Controls can degrade between sampling cycles without being detected.

Certification Is Binary

Pass or fail. No scoring, no maturity levels, no peer comparability. Two companies with the same certification can have fundamentally different security realities.

Notably, Equifax (2017), Okta (2023), and Fidelity Investments (2024) all held valid ISO 27001 certificates at the time of their respective breaches.

The Penetration Testing Problem

A pen test feels like the real thing. Someone actually tries to break in, and you get a report with findings. That should tell you something meaningful, right?

It would — if the company didn't get to decide what the tester is allowed to touch.

The company defines the scope. The company sets the rules of engagement. The company picks the vendor. Production systems? Usually off-limits. Social engineering? Excluded. Third-party integrations? Out of scope. The result is a test of what the company was comfortable having tested, not a test of whether the company can be breached.

And it's a snapshot measured in days. The tester comes in, spends a week or two (that's what a $10,000–$30,000 budget buys), writes a report, and leaves. Verizon's 2025 DBIR showed vulnerability exploitation up 34% year-over-year — and public exploit kits now appear within hours of disclosure. The pen test from January tells you nothing about the vulnerability introduced in February's deployment.

You can't compare pen tests across companies. There's no standard methodology, no standard severity scale, no standard reporting format. PTES, OWASP, NIST — they're all voluntary. Different vendors, different scopes, different rigor. Some “pen tests” are just automated scans with a fancy cover page.

The reports are confidential. Necessarily — they contain exploit paths. So what investors, insurers, and acquirers actually get is “we conducted a penetration test.” That's the signal. That's the whole signal. CoreSecurity found that 75% of organizations conduct pen tests primarily for compliance, not to actually find problems.

The Cyber Insurance Problem

Cyber insurance pays after the breach. It doesn't prevent the breach. It doesn't reduce the probability of a breach. It doesn't even guarantee it will pay — coverage exclusions are the norm, not the exception.

Consider: In 2024, claims volumes on US cyber insurance policies surged nearly 60%, but only 26% were closed with an indemnity payment, down from 35% the year prior (Fitch Ratings). In one notable federal case, an insurer voided a cyber policy from inception after discovering that multi-factor authentication — attested to on the application — had not been fully deployed at the time of the breach (Insurance Journal).

Merck alone lost over $1.4 billion to NotPetya. Its insurers — 26 policies across multiple carriers — initially denied coverage under war exclusion clauses, arguing that because NotPetya was attributed to Russia's GRU, it qualified as a hostile act. It took six years of litigation before a confidential settlement was reached in January 2024.

And here's the part that should concern you: cyber insurers themselves increasingly use external scanning to evaluate applicants. The same kind of outside-in observation that SDP provides. BitSight claims its customers underwrite half of global cyber insurance premiums. Coalition actively scans applicants' external attack surfaces before writing policies.

The insurer may have better visibility into the company's actual posture than you do.

“We have cyber insurance” tells you the company transferred some financial risk to a carrier. It doesn't tell you whether their actual security posture would withstand scrutiny from the outside.

So What Actually Works?

You need to see what the internet sees. Not what the company chose to show an auditor. Not what a pen tester was allowed to touch. Not whether a policy exists somewhere. The actual observable state of the perimeter, the email infrastructure, the governance signals, the workforce investment.

That's what SDP provides. Independent posture scores built from 150+ externally observable signals. Company against company. Company against industry. Updated regularly. Designed for the professionals who have to make decisions with incomplete information — and who've been relying on instruments that were never built to answer their question.

SOC 2, ISO 27001, pen tests, and insurance tell you the company has engaged with risk management. SDP shows you what's visible from the outside right now. They're complementary — but only one of them gives you a comparable, independent signal you can use across your entire portfolio.

See what certifications and insurance can't show you.

Request a Sample Report — a full SDP assessment of an anonymized publicly traded company.

Security DataPoint posture scores constitute an independent editorial assessment based on externally observable signals. Scores are provided for informational purposes only and do not constitute investment advice, a security certification, or a guarantee of any company's cybersecurity posture. The absence of observed signals does not imply the absence of risk. The presence of observed signals does not imply confirmed compromise. Security DataPoint LLC is not a registered investment adviser, broker-dealer, or Nationally Recognized Statistical Rating Organization (NRSRO).