How much does a penetration test cost?
A penetration test costs between $1,500 and $50,000 CAD depending on scope and complexity. A basic external scan of a single domain starts at $1,500. A standard web application pentest with OWASP Top 10 coverage costs $3,000 to $10,000. Comprehensive assessments including internal network testing range from $10,000 to $50,000.
The wide price range reflects the enormous variation in what "a penetration test" actually means. A quick audit of a single-page marketing site is a fundamentally different engagement from a multi-week red team assessment of a financial institution's entire infrastructure. Understanding the tiers helps you budget accurately and avoid overpaying or underbuying.
Penetration Test Pricing Table
| Tier | Scope | Price (CAD) | Timeline |
|---|---|---|---|
| Quick Audit | Single domain or application, focused testing | $1,500 - $3,000 | 3 - 5 business days |
| Standard Web App | Full OWASP Top 10, API endpoints, authentication | $3,000 - $10,000 | 8 - 12 business days |
| Comprehensive | Multiple apps, internal network, compliance docs | $10,000 - $25,000 | 2 - 4 weeks |
| Enterprise / Red Team | Full infrastructure, social engineering, physical | $25,000 - $50,000+ | 4 - 8 weeks |
What Drives the Cost Up
Several factors determine where your engagement falls on the pricing spectrum:
Number of targets. Each additional application, API or network segment adds testing time. A single web application is straightforward. Five applications with different technology stacks require five separate testing methodologies.
Application complexity. A static marketing site with a contact form takes hours to test. A SaaS platform with role-based access control, payment processing, file uploads, third-party integrations and real-time messaging takes days. The more features your application has, the more attack surface exists.
Testing depth. A surface-level assessment checks for common vulnerabilities. A deep-dive assessment includes source code review, business logic testing, privilege escalation chains and post-exploitation analysis. Deeper testing finds more, but takes longer.
Compliance requirements. If you need the report to satisfy SOC 2, PCI DSS, HIPAA or ISO 27001 requirements, the tester must follow specific methodologies and produce documentation in prescribed formats. This adds time and cost.
Internal network testing. External-only testing examines what an outsider can reach. Internal network testing simulates an attacker who has already gained initial access, perhaps through a phished employee or compromised VPN credential. This requires additional setup, often including a secure VPN connection or on-site hardware.
What You Get for the Money
Every penetration test from Sherlock Forensics includes:
- Executive summary: A plain-language overview of risk level, key findings and recommended priorities. Written for business leaders, not engineers.
- Technical findings: Each vulnerability documented with severity rating, description, proof-of-concept evidence and step-by-step remediation instructions.
- Risk matrix: Findings plotted by severity and exploitability so you can see which issues to fix first.
- Debrief call: A walkthrough with the testing team to discuss findings, answer questions and align on remediation priorities.
- Retest window: After you fix the critical findings, a verification test to confirm the issues are resolved.
The Real Cost of Not Testing
A penetration test at $1,500 to $10,000 CAD is a fraction of what a breach costs. The IBM 2024 Cost of a Data Breach Report puts the global average at $4.88 million USD. Canadian businesses face an average of $5.13 million CAD per breach. Even small businesses face costs in the hundreds of thousands when you factor in incident response, legal fees, customer notification, regulatory fines and lost revenue.
Beyond direct costs, there is reputational damage. Customers leave. Partners reconsider. Prospects choose competitors. The cost of a breach is not just financial. It is existential for smaller organizations.
How to Choose the Right Tier
Selecting the right level of testing depends on your risk profile:
Quick Audit ($1,500 - $3,000 CAD) is right for startups, side projects, MVPs and applications with a small attack surface. It answers the question: "Are there any obvious vulnerabilities an attacker would find quickly?"
Standard Web App ($3,000 - $10,000 CAD) is appropriate for production SaaS applications, e-commerce platforms and any application handling customer data. It provides thorough OWASP Top 10 coverage with manual testing of business logic and authentication.
Comprehensive ($10,000 - $25,000 CAD) is necessary when you have multiple applications, need compliance documentation or require internal network testing. This is the tier most mid-market companies need.
Enterprise / Red Team ($25,000 - $50,000+ CAD) simulates a sophisticated attacker over weeks. This includes social engineering, physical security testing and full infrastructure analysis. It is designed for organizations with mature security programs that want to test their detection and response capabilities.
Getting an Accurate Quote
To get a precise quote, prepare the following information before contacting a penetration testing firm:
- Number of applications, domains and IP addresses in scope
- Technology stack (languages, frameworks, cloud provider)
- Number of user roles and authentication methods
- Whether API testing is needed
- Whether internal network testing is required
- Any compliance requirements (SOC 2, PCI DSS, etc.)
- Preferred testing window and deadline
Request a quote from Sherlock Forensics and receive a detailed scope and pricing breakdown within one business day.
People Also Ask
What is the cheapest pentest?
The most affordable professional penetration test is a quick audit starting at $1,500 CAD. This covers a single application or domain with focused testing against critical vulnerability categories like injection flaws, broken authentication and sensitive data exposure. Sherlock Forensics quick audits deliver a full report with remediation guidance in 3 to 5 business days.
Why do pentests cost so much?
Penetration tests require highly skilled security professionals who spend days manually testing your application. The cost reflects years of training, industry certifications like CISSP and OSCP, specialized tooling and the time needed to produce detailed reports with evidence and remediation steps. Automated scans are cheaper but miss the business logic flaws that human testers find.
How often should I get a pentest?
At minimum, annually. Compliance frameworks like SOC 2 and PCI DSS require annual penetration testing. Beyond compliance, schedule a pentest after major code changes, infrastructure migrations, new feature launches or security incidents. Applications with frequent deployments benefit from quarterly or semi-annual testing to catch new vulnerabilities early.