# Penetration Test Reports
Status: No reports on file. First report target: Q4 2026 (vendor RFQ July 2026 alongside SOC 2 vendor signing).
## Cadence
| Trigger | What |
|---|---|
| Annually | Full external pen test against the production-equivalent staging environment |
| On major architectural change | Targeted re-test of the changed surface (e.g., when Phase 5 agent platform launches; when CSFLE goes live; when Florence AI direct-Anthropic / Bedrock flow opens to prod) |
| On unresolved SEV-1 incident | Targeted re-test of the incident root-cause surface within 60 days of remediation |
## Vendor selection (July 2026 outreach)
Target tier — reputable firms with strong healthcare + cloud-native posture, FedRAMP-Moderate familiarity (for EDE Phase 3 inheritance argument), and the ability to deliver a defensible report on AskFlorence's specific stack (Next.js + Node + MongoDB + AWS).
Candidates to RFQ:
- Bishop Fox — strong on cloud-native + FedRAMP-relevant work; expensive but premium output
- Trail of Bits — strong on application + cryptographic review; deeper engineering focus
- NetSPI — wider scoping flexibility; reasonable cost
- HackerOne / Synack managed bug-bounty tier — supplementary to (not replacement for) traditional pen test; later consideration
Budget target: $15-40K one-time, per the Compliance Automation Vendor Evaluation.
## Evidence file expectations
When a report lands here:
| File | Purpose |
|---|---|
| `<vendor>-<date>-executive-summary.pdf` | The exec summary the SOC 2 / EDE auditor sees first |
| `<vendor>-<date>-full-report.pdf` | The full technical report (encrypted at rest in the S3 evidence bucket; this directory holds the redacted-for-docs version) |
| `<vendor>-<date>-remediation-tracker.md` | One row per finding: severity, status, owner, due date, evidence-of-fix link |
| `<vendor>-<date>-attestation.pdf` | Vendor letter confirming scope, dates, and pass/fail posture |
## Pre-test checklist (before sending vendor in)
When the vendor is contracted, run through this list:
- [ ] Scope agreed in writing — what's in (production-equivalent staging cluster + apex CloudFront + agent flows + member flows once Phase 5 lands); what's out (mgmt account, log-archive account, founder devices)
- [ ] Rules of engagement signed — black-box vs grey-box, DoS testing posture, social engineering posture
- [ ] Schedule communicated — test dates, on-call rotation, escalation path during test
- [ ] Vendor BAA signed (test involves PHI-adjacent code paths even if no real PHI is in scope yet)
- [ ] Audit-log retention extended for the test window (no aging-out test-generated audit rows mid-test)
- [ ] Compliance Liaison briefed on findings-classification (so HIPAA breach implications are pre-categorized at finding time)
## Post-test workflow
When findings land:
- Compliance Liaison + IC classify each finding by severity (does it imply a HIPAA breach? Is the 60-day clock running?)
- Engineering Responder triages remediation per finding, working with the IC on prioritization
- Each finding gets an entry in the `remediation-tracker.md`; status updates at every standup until closed
- Re-test of remediated findings within 30 days of the last fix to confirm closure
- Findings tracker reviewed at the next quarterly access review
## Reference
- Risk Assessment R-004 — Pen test pending
- Compliance Automation Vendor Evaluation — pen test pricing context
- Incident Response Plan — for findings that imply or constitute an incident
- HIPAA Control Mapping §164.308(a)(8) — periodic technical + non-technical evaluation
- CMS EDE Appendix A Mapping — pen-test relevant rows