← Back to case studies
Penfield logo
SOC 2 Type II

Penfield: SOC 2 and AI agent security testing

How an AI process intelligence company tested agent guardrails, RAG ingestion, and traditional app/API surfaces in one engagement.

Generic pentesters do not understand AI agent tool abuse or process verification pipelines. DeepScan tested our agent guardrails, RAG ingestion paths, and traditional web/API surfaces in one engagement, exactly what our financial services buyers asked for.
VP Engineering · Penfield.ai
Penfield DeepScan case study
3

agent surfaces tested

SOC 2

buyer evidence

RAG

ingestion paths covered

1

combined report

Challenge

What needed to be proven

Penfield needed security proof for financial services buyers who asked about SOC 2, app security, and AI agent controls together.

The attack surface included customer workflows, API authorization, RAG ingestion, and agent tool boundaries.

Approach

How DeepScan tested it

DeepScan combined web/API pentesting with AI-specific scenarios including indirect prompt injection, retrieval leakage, and unsafe tool calls.

Human operators reviewed evidence quality and translated technical issues into buyer-readable risk language.

Results

What changed

Penfield received one report covering traditional and AI-native risks, reducing the need for separate vendor engagements.

The evidence helped answer financial services procurement questions with concrete proof rather than policy-only responses.

Services used

  • Ai Agent Pentest
  • Api Pentest
  • Soc2 Iso Hipaa Pentest

Need evidence like this for your audit or deal?

Start self-serve with a target today, or book a DeepScan-led pentest if you need the report delivered for you.

DeepScan delivers agentic pentesting with CyberImmune and CREST Certified partner delivery where required.