TRUST BUILT ON TRANSPARENCY
We hold ourselves to the same standards we test our clients against. This page details our organizational compliance, data handling practices, and team credentials.
Compliance & Attestations
SOC 2 TYPE II
Raxis has completed a SOC 2 Type II examination covering the Security, Availability, and Confidentiality Trust Services Criteria. Our examination was conducted by an independent auditing firm and covers our Raxis Pentesting Services System.
SOC 2 reports are available under NDA to current and prospective clients.
INSURANCE COVERAGE
Raxis maintains comprehensive insurance coverage including Commercial General Liability, Professional Liability (Errors & Omissions), Cyber Liability, Umbrella/Excess Liability, and Workers’ Compensation. Our policies are reviewed and renewed annually.
Certificates of insurance and coverage details are available upon request.
Data Handling & Client Privacy
DURING ENGAGEMENTS
- All testing data is transmitted over encrypted channels using TLS 1.2+, VPN, or the Raxis Transporter
- Findings are delivered exclusively through the Raxis One portal, secured with role-based access controls and full audit logging
- Every engagement is scoped and bounded by signed Rules of Engagement before work begins
- Raxis testers operate under strict policies against damaging or destroying customer property
- Emergency escalation procedures are established for each engagement
AFTER ENGAGEMENTS
- Client data is retained in accordance with contract requirements and applicable retention schedules
- Data destruction is available upon request and is executed through a formal approval and tracking process
- Raxis does not share, sell, or repurpose client data under any circumstances
CONFIDENTIALITY
- All engagements are covered by mutual NDAs executed before project kickoff
- Raxis employees and contractors with access to sensitive data are subject to criminal background checks at hire and on a recurring basis
- Client identities and engagement details are never disclosed without written consent
Operational Security
SECURE TESTING INFRASTRUCTURE
Raxis Transporter — Our internally developed remote access solution provides secure, on-site-equivalent testing to any location in the world. No VPN credentials or persistent network access required.
Raxis One Portal — All project communications, findings, and reports are delivered through our secure, SOC 2-compliant platform with role-based access controls and full audit logging.
INTERNAL SECURITY PRACTICES
- Penetration testing on our own infrastructure at least annually; vulnerability scans performed quarterly
- Endpoint protection deployed across all company devices
- Multi-factor authentication required for all internal systems
- Security awareness training completed by all employees and contractors upon hire and annually thereafter
RULES OF ENGAGEMENT
- Every engagement begins with a formally signed scope document and rules of engagement
- Testing windows and emergency contacts are confirmed before testing starts
- Testing can be paused immediately upon client request at any time
Compliance Frameworks We Support
Raxis delivers penetration testing and security assessments aligned with the following frameworks and regulations:
| Framework | Description |
| --- | --- |
| PCI DSS v4.0 | Payment card industry data security, including Requirement 11.3 and 11.4 segmentation testing |
| HIPAA | Healthcare data protection and security rule compliance |
| SOC 2 | Service organization trust services criteria validation |
| SOX | Financial controls and IT general controls testing |
| GLBA / Safeguards Rule | Financial institution customer information security |
| NIST SP 800-171 / CMMC | Controlled unclassified information and defense contractor requirements |
| ISO 27001 | Information security management system validation |
| GDPR | European data protection regulation compliance support |
| FERPA | Student data privacy in educational institutions |
| NYDFS Cybersecurity Regulation | New York financial services cybersecurity requirements |
| MITRE ATT&CK | Adversary tactics and techniques framework alignment |
Team Certifications
Raxis penetration testers hold top industry certifications that validate deep technical skill and hands-on security expertise. Our certifications represent more than exams — they back the advanced techniques and adversary simulations we deliver every day.
Offensive Security
OSCP, OSCE, OSWE, OSWP, OSEP
SANS / GIAC
GPEN, GCIH, GFACT, GMON
ISC² / ISACA
CISSP, CISM, CISA, ISSAP
EC-Council
CEH, LPT Master, CSA
CompTIA
Security+, PenTest+, CySA+, SecurityX
Platform & Specialty
CRTO, eCPPTv2, eJPT, CBBH, CPTS, PJPT, PNPT, AWS Cloud Practitioner, Splunk Certified Admin, Rapid7 Network Assault, APISec Certified API Security Analyst, CCD, CloudNetX
Recognition
Raxis is listed as a Sample Vendor for Penetration Testing as a Service (PTaaS) in two Gartner® Hype Cycle™ reports for both 2023 and 2024: Hype Cycle for Security Operations and Hype Cycle for Application Security.
Raxis holds a perfect 5.0 rating on Clutch across verified client reviews. Each year, Raxis performs over 600 penetration tests and successfully retrieves protected data in over 85% of Red Team engagements.
Questions About Our Security Posture?
We believe in transparency. If you need additional documentation — including our SOC 2 report, proof of insurance, or details about our security practices — we’re happy to provide it.