Home  /  Blog  /  What Is Penetration Testing?
Blog · Security · July 14, 2026

{ Penetration testing, explained. }

Someone — an insurer, a big client, a compliance auditor — just asked if you've had a pen test. Here's what penetration testing actually is, how it differs from the scan you were sold last year, what it really costs, and when it's worth the money.

The short answer

A professional break-in, with permission and a report.

A penetration test is an authorized, simulated cyberattack on your business, carried out by security professionals. Their job is to think and act like a real attacker: probe your network, your applications, and sometimes your people, chain small weaknesses into a real compromise, and then — instead of stealing anything — hand you a report showing exactly how they got in and how to close the doors.

The value isn't the list of flaws. Automated tools produce those by the hundred. The value is proof of exploitability: which of those hundred flaws actually leads somewhere, what an attacker could reach from it, and which five fixes would have stopped the whole chain.

The confusion everyone has

Pen test vs vulnerability scan.

These get sold interchangeably, and they are not the same thing.

A vulnerability scan is automated software that inventories known weaknesses — missing patches, weak configurations, exposed services. It's cheap (hundreds of dollars, or bundled with managed security), takes hours, and should run on a schedule, not once a year.

A penetration test is skilled humans using those findings — plus creativity a scanner doesn't have — to actually break in. Scans find the unlocked windows; a pen tester climbs through one, moves through the house, and shows you a photo of themselves holding your payroll file.

The tell: if the "pen test" quote is a few hundred dollars and turns around in a day, you're buying a rebranded scan. Real testing is human labour — it prices like it.

Know what you're buying

The four main types.

External network

Attacking from the internet

The tester starts where every real attacker starts: outside. Your firewall, VPN, email, remote access, and anything else with a public IP address. The most common first engagement, and what most insurers mean by "pen test."

Internal network

Assuming they're already in

The tester starts from inside — a compromised laptop or a plugged-in device — and measures how far they can spread: to servers, finance shares, and admin credentials. This is where flat, unsegmented networks fail loudly.

Web application

Testing what you built

If customers log into something you run — a portal, a store, an app — this tests it for injection flaws, broken authentication, and logic abuse. Essential before big client security reviews.

Social engineering

Testing your people

Phishing campaigns and pretext calls that measure whether staff hand over credentials. Sobering, valuable, and best paired with training rather than blame.

Money

What a pen test costs — and when you need one.

For a small or mid-size business, realistic pricing runs roughly $5,000–$30,000 CAD per engagement, driven by scope: how many systems and IP addresses, whether web applications are in play, internal as well as external testing, and the depth of reporting and retesting included.

You need one when: a compliance framework requires it (SOC 2, ISO 27001, PCI DSS all expect at least annual testing), your cyber insurance application asks for it, a major client's security review demands evidence, or you've just made a big change — new infrastructure, a major cloud migration, a new customer-facing app.

You don't need one yet when: the fundamentals aren't in place. If MFA isn't everywhere, patching isn't current, and backups aren't tested, a pen test will bill you thousands to confirm what you already know. Fix the basics first — that's the heart of our managed cybersecurity work — then use the pen test to prove they hold.

The process

What to expect, start to finish.

01

Scoping & rules of engagement

You and the tester agree on what's in bounds, what's off-limits, testing windows, and emergency contacts. Production systems are tested carefully, not recklessly — a professional engagement doesn't take your business down.

02

Testing

Typically one to three weeks. Good testers check in when they find something serious — a critical flaw gets a same-day heads-up, not a surprise on page 40 of the report.

03

The report

Two audiences, one document: an executive summary in plain English (what an attacker could do to the business), and technical findings with reproduction steps and fixes, ranked by real-world risk — not just scanner severity scores.

04

Remediation & retest

The fixes are where the value lands. Your IT team — or your managed IT provider — closes the findings, and the tester verifies the critical ones are actually closed. Make sure retesting is in the quote.

Good to know

Pen testing questions, answered.

What is penetration testing in simple terms?+
An authorized, simulated cyberattack by security professionals to find weaknesses a real attacker could exploit — and prove which ones actually matter — before a criminal finds them first.
What's the difference between a pen test and a vulnerability scan?+
A scan is automated software listing known flaws — cheap, fast, run it continuously. A pen test is skilled humans actively breaking in, chaining weaknesses the way a real attacker would. The scan tells you what's open; the pen test proves what's exploitable.
How much does a penetration test cost?+
Roughly $5,000–$30,000 CAD for a typical SMB engagement, depending on scope. A few-hundred-dollar "pen test" with same-day turnaround is a rebranded vulnerability scan.
How often should we test?+
Annually, plus after significant changes — new infrastructure, a major cloud migration, or a new customer-facing application. SOC 2, ISO 27001, and PCI DSS all generally expect at least annual testing.
Will a pen test break our production systems?+
A professional engagement won't. Scoping defines rules of engagement, testing windows, and off-limits systems, and destructive techniques are simulated rather than executed. This is exactly what separates professionals from tools.
What qualifications should the testers have?+
Look for recognized certifications — OSCP is the common hands-on benchmark; CREST accreditation matters for larger engagements — plus sample reports and references from businesses your size.
Free security consult

Not sure if you're pen-test ready?

Tell us where you stand and we'll give you an honest read: what to fix first, when a pen test makes sense, and what it should cost for your size. No pressure, no obligation.

{ Book Your Consult