Trust Built on Transparency

Raxis Trust Center

Raxis holds itself to the same security standards we help clients test. This Trust Center summarizes our SOC 2 examination, insurance coverage, secure delivery practices, data handling commitments, supported compliance frameworks, and team credentials.

Last update: June 16, 2026
Reviewed by: Mark Puckett

Compliance & Attestations

SOC 2 Type 2

Raxis has completed a SOC 2 Type 2 examination covering the Security Trust Services Criteria for the Raxis Pentesting Services System. The examination was performed by an independent CPA firm and evaluates the design and operating effectiveness of controls over the review period.

SOC 2 reports are available under NDA to current and prospective clients.

INSURANCE COVERAGE

Raxis maintains comprehensive insurance coverage including Commercial General Liability, Professional Liability (Errors & Omissions), Cyber Liability, Umbrella/Excess Liability, and Workers’ Compensation. Our policies are reviewed and renewed annually.

Certificates of insurance and coverage details are available upon request.

Data Handling & Client Privacy

DURING ENGAGEMENTS

  • All testing data is transmitted over encrypted channels using TLS 1.2+, VPN, or the Raxis Transporter
  • Findings are delivered exclusively through the Raxis One portal, secured with role-based access controls and full audit logging
  • Every engagement is scoped and bounded by signed Rules of Engagement before work begins
  • Raxis testers operate under strict policies against damaging or destroying customer property
  • Emergency escalation procedures are established for each engagement

AFTER ENGAGEMENTS

  • Client data is retained in accordance with contract requirements and applicable retention schedules
  • Data destruction is available upon request and is executed through a formal approval and tracking process
  • Raxis does not sell client data or repurpose it for unrelated use, and does not disclose client identities or engagement details without authorization except as required by law.

CONFIDENTIALITY

  • All engagements are covered by NDA, MSA confidentiality terms, or equivalent written confidentiality obligations before project kickoff.
  • Raxis employees and contractors with access to sensitive data are subject to background checks at hire and periodically as required by role, client requirements, or internal policy.
  • Client identities and engagement details are never disclosed without written consent

Operational Security

SECURE TESTING INFRASTRUCTURE

Raxis One Portal — Project communications, findings, evidence, and reports are delivered through Raxis One, which is included in the Raxis Pentesting Services System covered by our SOC 2 Type 2 examination. Raxis One supports role-based access controls, encrypted transmission, and audit logging.

Raxis Transporter — Our internally developed remote access solution provides secure, on-site-equivalent testing to any location in the world. No VPN credentials or persistent network access required.

INTERNAL SECURITY PRACTICES

  • Penetration testing on our own infrastructure at least annually; vulnerability scans performed quarterly
  • Endpoint protection deployed across all company devices
  • Multi-factor authentication required for all internal systems
  • Security awareness training completed by all employees and contractors upon hire and annually thereafter

RULES OF ENGAGEMENT

  • Every engagement begins with a formally signed scope document and rules of engagement
  • Testing windows and emergency contacts are confirmed before testing starts
  • Testing can be paused immediately upon client request at any time

Compliance Frameworks We Support

Raxis delivers penetration testing and security assessments aligned with the following compliance frameworks and regulations:

| Framework | Description |
| --- | --- |
| PCI DSS v4.0.1 | Payment card industry security testing, including Requirement 11.4 internal and external penetration testing and segmentation validation where applicable. |
| HIPAA | Security testing supporting risk analysis, risk management, and evaluation activities under the HIPAA Security Rule. |
| SOC 2 | Penetration testing, vulnerability management, and remediation evidence supporting the Security Trust Services Criteria. |
| SOX | IT general controls and security testing evidence supporting financial reporting control environments. |
| GLBA / Safeguards Rule | Security testing and assessment support for financial institutions’ customer information protection programs. |
| NIST SP 800-171 / CMMC | Security assessment support for organizations protecting controlled unclassified information and defense contractor environments. |
| ISO 27001 | Technical security testing and remediation evidence supporting an information security management system. |
| GDPR | Security testing supporting Article 32 expectations for regularly testing, assessing, and evaluating technical and organizational security measures. |
| FERPA | Security testing support for educational institutions protecting student data and related systems. |
| NYDFS Cybersecurity Regulation | Penetration testing, vulnerability management, and security assessment support for covered financial services entities. |
| MITRE ATT&CK | Adversary tactics, techniques, and procedures mapping for red team and detection validation engagements. |

Team Certifications

Raxis penetration testers hold top industry certifications that validate deep technical skill and hands-on security expertise. Our certifications represent more than exams — they back the advanced techniques and adversary simulations we deliver every day. If you have a request for a particular certification, we will try to accommodate it; however, this list is intended to show our commitment to hiring the industry's best.

  • Offensive Security: OSCP, OSCE, OSWE, OSWP, OSEP
  • SANS / GIAC: GPEN, GCIH, GFACT, GMON
  • ISC² / ISACA: CISSP, CISM, CISA, ISSAP
  • EC-Council: CEH, LPT Master, CSA
  • CompTIA: Security+, PenTest+, CySA+, SecurityX
  • Platform & Specialty: CRTO, eCPPTv2, eJPT, CBBH, CPTS, PJPT, PNPT, AWS Cloud Practitioner, Splunk Certified Admin, Rapid7 Network Assault, APISec Certified API Security Analyst, CCD, CloudNetX

Recognition

  • We’re recognized by major market research firms as a key player in our space, including Markets and Markets PTaaS, Penetration Testing, and US Penetration Testing.
  • Raxis holds a perfect 5.0 rating on Clutch across verified client reviews. Each year, Raxis performs over 600 penetration tests and successfully retrieves protected data in over 85% of Red Team engagements.
  • Raxis engineers have discovered and disclosed 12 vulnerabilities assigned CVE identifiers through MITRE. See our security research.
  • Raxis is listed as a Sample Vendor for Penetration Testing as a Service (PTaaS) in two Gartner® Hype Cycle™ reports for both 2023 and 2024: Hype Cycle for Security Operations and Hype Cycle for Application Security.

Raxis Vulnerability Research

Our engineers find flaws in the products themselves, not just in how they are deployed. When we do, we report the issue to the vendor, coordinate a fix, and it is assigned a CVE identifier through MITRE. To date we have 12 CVEs across ManageEngine, PRTG Network Monitor, Nagios XI, and Rock RMS.

The full list, with links to each CVE record, its NVD entry, and our technical writeup, is on our Security Research page.

Questions About Our Security Posture?

We believe in transparency. If you need additional documentation — including our SOC 2 report, proof of insurance, or details about our security practices — we’re happy to provide it. Just let us know what you’d like to see via our Contact Form.
