Someone — an insurer, a big client, a compliance auditor — just asked if you've had a pen test. Here's what penetration testing actually is, how it differs from the scan you were sold last year, what it really costs, and when it's worth the money.
A penetration test is an authorized, simulated cyberattack on your business, carried out by security professionals. Their job is to think and act like a real attacker: probe your network, your applications, and sometimes your people, chain small weaknesses into a real compromise, and then — instead of stealing anything — hand you a report showing exactly how they got in and how to close the doors.
The value isn't the list of flaws. Automated tools produce those by the hundred. The value is proof of exploitability: which of those hundred flaws actually leads somewhere, what an attacker could reach from it, and which five fixes would have stopped the whole chain.
These get sold interchangeably, and they are not the same thing.
A vulnerability scan is automated software that inventories known weaknesses — missing patches, weak configurations, exposed services. It's cheap (hundreds of dollars, or bundled with managed security), takes hours, and should run on a schedule, not once a year.
A penetration test is skilled humans using those findings — plus creativity a scanner doesn't have — to actually break in. Scans find the unlocked windows; a pen tester climbs through one, moves through the house, and shows you a photo of themselves holding your payroll file.
The tell: if the "pen test" quote is a few hundred dollars and turns around in a day, you're buying a rebranded scan. Real testing is human labour — it prices like it.
The tester starts where every real attacker starts: outside. Your firewall, VPN, email, remote access, and anything else with a public IP address. The most common first engagement, and what most insurers mean by "pen test."
The tester starts from inside — a compromised laptop or a plugged-in device — and measures how far they can spread: to servers, finance shares, and admin credentials. This is where flat, unsegmented networks fail loudly.
If customers log into something you run — a portal, a store, an app — this tests it for injection flaws, broken authentication, and logic abuse. Essential before big client security reviews.
Phishing campaigns and pretext calls that measure whether staff hand over credentials. Sobering, valuable, and best paired with training rather than blame.
For a small or mid-size business, realistic pricing runs roughly $5,000–$30,000 CAD per engagement, driven by scope: how many systems and IP addresses, whether web applications are in play, internal as well as external testing, and the depth of reporting and retesting included.
You need one when: a compliance framework requires it (SOC 2, ISO 27001, PCI DSS all expect at least annual testing), your cyber insurance application asks for it, a major client's security review demands evidence, or you've just made a big change — new infrastructure, a major cloud migration, a new customer-facing app.
You don't need one yet when: the fundamentals aren't in place. If MFA isn't everywhere, patching isn't current, and backups aren't tested, a pen test will bill you thousands to confirm what you already know. Fix the basics first — that's the heart of our managed cybersecurity work — then use the pen test to prove they hold.
You and the tester agree on what's in bounds, what's off-limits, testing windows, and emergency contacts. Production systems are tested carefully, not recklessly — a professional engagement doesn't take your business down.
Typically one to three weeks. Good testers check in when they find something serious — a critical flaw gets a same-day heads-up, not a surprise on page 40 of the report.
Two audiences, one document: an executive summary in plain English (what an attacker could do to the business), and technical findings with reproduction steps and fixes, ranked by real-world risk — not just scanner severity scores.
The fixes are where the value lands. Your IT team — or your managed IT provider — closes the findings, and the tester verifies the critical ones are actually closed. Make sure retesting is in the quote.
Tell us where you stand and we'll give you an honest read: what to fix first, when a pen test makes sense, and what it should cost for your size. No pressure, no obligation.
{ Book Your Consult