Trust Built on Transparency

Trust Center

We hold ourselves to the same standards we test our clients against. This page details our organizational compliance, data handling practices, and team credentials.

Compliance & Attestations

SOC 2 Type II

Raxis has completed a SOC 2 Type II examination covering the Security Trust Services Criteria. Our examination was conducted by an independent auditing firm and covers our Raxis Pentesting Services System.

SOC 2 reports are available under NDA to current and prospective clients.

INSURANCE COVERAGE

Raxis maintains comprehensive insurance coverage including Commercial General Liability, Professional Liability (Errors & Omissions), Cyber Liability, Umbrella/Excess Liability, and Workers’ Compensation. Our policies are reviewed and renewed annually.

Certificates of insurance and coverage details are available upon request.

Data Handling & Client Privacy

DURING ENGAGEMENTS

  • All testing data is transmitted over encrypted channels using TLS 1.2+, VPN, or the Raxis Transporter
  • Findings are delivered exclusively through the Raxis One portal, secured with role-based access controls and full audit logging
  • Every engagement is scoped and bounded by signed Rules of Engagement before work begins
  • Raxis testers operate under strict policies against damaging or destroying customer property
  • Emergency escalation procedures are established for each engagement

AFTER ENGAGEMENTS

  • Client data is retained in accordance with contract requirements and applicable retention schedules
  • Data destruction is available upon request and is executed through a formal approval and tracking process
  • Raxis does not share, sell, or repurpose client data under any circumstances

CONFIDENTIALITY

  • All engagements are covered by mutual NDAs executed before project kickoff
  • Raxis employees and contractors with access to sensitive data are subject to criminal background checks at hire and on a recurring basis
  • Client identities and engagement details are never disclosed without written consent

Operational Security

SECURE TESTING INFRASTRUCTURE

Raxis Transporter — Our internally developed remote access solution provides secure, on-site-equivalent testing to any location in the world. No VPN credentials or persistent network access required.

Raxis One Portal — All project communications, findings, and reports are delivered through our secure, SOC 2-compliant platform with role-based access controls and full audit logging.

INTERNAL SECURITY PRACTICES

  • Penetration testing on our own infrastructure at least annually; vulnerability scans performed quarterly
  • Endpoint protection deployed across all company devices
  • Multi-factor authentication required for all internal systems
  • Security awareness training completed by all employees and contractors upon hire and annually thereafter

RULES OF ENGAGEMENT

  • Every engagement begins with a formally signed scope document and rules of engagement
  • Testing windows and emergency contacts are confirmed before testing starts
  • Testing can be paused immediately upon client request at any time

Compliance Frameworks We Support

Raxis delivers penetration testing and security assessments aligned with the following frameworks and regulations:

FrameworkDescription
PCI DSS v4.0Payment card industry data security, including Requirement 11.3 and 11.4 segmentation testing
HIPAAHealthcare data protection and security rule compliance
SOC 2Service organization trust services criteria validation
SOXFinancial controls and IT general controls testing
GLBA / Safeguards RuleFinancial institution customer information security
NIST SP 800-171 / CMMCControlled unclassified information and defense contractor requirements
ISO 27001Information security management system validation
GDPREuropean data protection regulation compliance support
FERPAStudent data privacy in educational institutions
NYDFS Cybersecurity RegulationNew York financial services cybersecurity requirements
MITRE ATT&CKAdversary tactics and techniques framework alignment

Team Certifications

Raxis penetration testers hold top industry certifications that validate deep technical skill and hands-on security expertise. Our certifications represent more than exams — they back the advanced techniques and adversary simulations we deliver every day. If you have a request for a particular certification, we will try to accommodate, however this list is intended to show our commitment to hiring the industry best.

Offensive Security

OSCP, OSCE, OSWE, OSWP, OSEP

SANS / GIAC

GPEN, GCIH, GFACT, GMON

ISC² / ISACA

CISSP, CISM, CISA, ISSAP

EC-Council

CEH, LPT Master, CSA

CompTIA

Security+, PenTest+, CySA+, SecurityX

Platform & Specialty

CRTO, eCPPTv2, eJPT, CBBH, CPTS, PJPT, PNPT, AWS Cloud Practitioner, Splunk Certified Admin, Rapid7 Network Assault, APISec Certified API Security Analyst, CCD, CloudNetX

Recognition

  • Raxis is listed as a Sample Vendor for Penetration Testing as a Service (PTaaS) in two Gartner® Hype Cycle™ reports for both 2023 and 2024: Hype Cycle for Security Operations and Hype Cycle for Application Security.
  • Raxis holds a perfect 5.0 rating on Clutch across verified client reviews. Each year, Raxis performs over 600 penetration tests and successfully retrieves protected data in over 85% of Red Team engagements.
  • We’re recognized by major market research firms to be a top quality and highly mature player in our space.
  • Raxis engineers frequently uncover new vulnerabilities and have numerous published CVEs.

Questions About Our Security Posture?

We believe in transparency. If you need additional documentation — including our SOC 2 report, proof of insurance, or details about our security practices — we’re happy to provide it.

Request Documentation    |    Contact Raxis