The Honest Answer
Most security firms make you sit through a sales call before they tell you what a pentest costs. We think that is a waste of your time. Here are real numbers, explained clearly, so you can budget accurately and make an informed decision.
Penetration testing pricing depends on scope, complexity, depth and the expertise of the testing team. At Sherlock Forensics, we offer four pricing tiers with transparent pricing. No hidden fees, no surprise invoices, no "it depends" without follow-up.
Sherlock Forensics Pricing Tiers
| Tier | Price (CAD) | Timeline | Best For | Includes |
|---|---|---|---|---|
| Quick Audit | $1,500-$3,000 | 3-5 business days | Small web apps, vibe-coded projects, MVPs, side projects | Auth testing, injection testing, secrets scan, config review, full report, remediation steps |
| Standard External | $5,000-$10,000 | 1-2 weeks | Mid-size web applications, SaaS platforms, pre-funding assessments | Full OWASP Top 10, API testing, business logic, exploitation, detailed report, live debrief |
| Comprehensive | $12,000-$25,000 | 2-4 weeks | Internal + external infrastructure, cloud environments, compliance requirements | External + internal network, cloud config review, privilege escalation, lateral movement, executive report |
| Enterprise | $25,000+ | 4-8 weeks | Multi-application environments, large organizations, regulatory compliance programs | Multiple applications, full infrastructure, social engineering (optional), red team elements, board-ready report |
How These Compare to Industry Averages
Penetration testing pricing varies significantly across the industry. Here is how Sherlock Forensics compares to typical market rates in 2026:
| Engagement Type | Industry Low | Industry Average | Industry High | Sherlock Forensics |
|---|---|---|---|---|
| Basic web app assessment | $500 | $3,000 | $8,000 | $1,500-$3,000 |
| Standard external pentest | $3,000 | $10,000 | $25,000 | $5,000-$10,000 |
| Internal + external | $10,000 | $25,000 | $60,000 | $12,000-$25,000 |
| Enterprise / multi-app | $20,000 | $50,000 | $200,000+ | $25,000+ |
Sherlock Forensics pricing is competitive because we are a focused, senior-led team without the overhead of large consulting firms. You work directly with experienced consultants, not junior testers supervised remotely. This means higher quality findings at a lower price point.
What Affects the Cost
Every pentest is scoped individually because every application and every environment is different. Here are the primary factors that drive pricing up or down:
Scope and Number of Targets
A single web application with 20 endpoints costs less to test than a platform with 5 applications, 200 API endpoints, a mobile app and internal infrastructure. More targets mean more testing time. We scope every engagement from a detailed target inventory so you know exactly what you are paying for.
Application Complexity
A static marketing website is simpler to test than a multi-tenant SaaS platform with role-based access control, payment processing, file uploads, third-party integrations and real-time features. Complex applications have more attack surface and more potential for business-logic vulnerabilities that require careful manual testing.
Number of Endpoints and User Roles
Every API endpoint needs testing, and every user role needs its authorization verified against every endpoint, so the effort scales roughly with endpoints multiplied by roles. An application with 10 API endpoints and 2 user roles takes far less time than one with 200 endpoints and 6 role levels. Role-based testing is critical because access-control flaws are among the most damaging findings: vertical privilege escalation, where a regular user reaches admin functions, and horizontal escalation, where one user reaches another user's data.
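As an added illustration of what role-based authorization testing looks like in practice (this is example code written for this page, not Sherlock Forensics' tooling), the block below builds an endpoint-by-role access matrix and probes every cell. The application is a constructed in-memory stand-in: `POLICY` plays the part of the intended access matrix a tester would extract from the client's design documents, and `fake_server` is a handler table in which one endpoint's role check was deliberately left out. `run_matrix` sends every (endpoint, role) pair and reports each place where observed access differs from the intended policy. All endpoint paths and role names are assumptions made for the example.

```python
"""Role-by-endpoint authorization matrix check (added example, constructed).

Nothing here is a real service: POLICY, ROLES, fake_server and the
deliberately missing role check are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Endpoint = Tuple[str, str]  # (HTTP method, path)

ROLES = ("anonymous", "user", "support", "admin")

# Intended policy: for each endpoint, the roles that SHOULD receive a 200.
# Constructed for this example; in an engagement it comes from the client.
POLICY: Dict[Endpoint, Set[str]] = {
    ("GET", "/api/profile"): {"user", "support", "admin"},
    ("POST", "/api/orders"): {"user", "admin"},
    ("GET", "/api/support/tickets"): {"support", "admin"},
    ("GET", "/api/admin/users"): {"admin"},
    ("DELETE", "/api/admin/users/42"): {"admin"},
    ("POST", "/api/admin/export"): {"admin"},
}

# The constructed defect: this handler authenticates the caller but never
# checks the role, so any logged-in user can trigger an admin export.
MISSING_ROLE_CHECK: Set[Endpoint] = {("POST", "/api/admin/export")}


def fake_server(method: str, path: str, role: str) -> int:
    """Stand-in for an HTTP request made with a session belonging to `role`."""
    if (method, path) not in POLICY:
        return 404
    if role == "anonymous":
        return 401  # authentication middleware is applied everywhere
    if (method, path) in MISSING_ROLE_CHECK:
        return 200  # handler forgot its authorization check
    return 200 if role in POLICY[(method, path)] else 403


@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    role: str
    status: int
    kind: str  # "privilege_escalation" or "unexpected_denial"


def run_matrix(policy: Dict[Endpoint, Set[str]],
               send: Callable[[str, str, str], int],
               roles=ROLES) -> List[Finding]:
    """Probe every endpoint with every role and diff observed vs intended access.

    A 200 for a role the policy excludes is a vertical privilege escalation.
    A non-200 for a role the policy includes is also reported: it is either a
    policy/implementation mismatch or a sign the probe's credentials are wrong.
    """
    findings: List[Finding] = []
    for (method, path), allowed in policy.items():
        for role in roles:
            status = send(method, path, role)
            granted = status == 200
            expected = role in allowed
            if granted and not expected:
                findings.append(Finding(method, path, role, status, "privilege_escalation"))
            elif expected and not granted:
                findings.append(Finding(method, path, role, status, "unexpected_denial"))
    return findings


def probe_count(policy: Dict[Endpoint, Set[str]], roles=ROLES) -> int:
    """Requests the full matrix requires: endpoints multiplied by roles."""
    return len(policy) * len(roles)


if __name__ == "__main__":
    print(f"{probe_count(POLICY)} probes: {len(POLICY)} endpoints x {len(ROLES)} roles")
    for f in run_matrix(POLICY, fake_server):
        print(f"{f.kind}: role '{f.role}' got {f.status} on {f.method} {f.path}")
```

Against a real target, `send` would wrap an HTTP client holding one authenticated session per role, and the matrix grows a further dimension when you add object identifiers (another user's order or profile) to catch horizontal escalation. The `probe_count` line is the reason endpoint and role counts drive the scoping estimate: six endpoints and four roles already mean 24 authenticated requests, each of which a tester has to interpret.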
Internal vs. External Testing
External testing examines what an attacker can reach from the internet. Internal testing simulates an attacker who has already gained a foothold inside your network (a compromised employee account, a phishing victim, a rogue insider). Internal testing requires VPN access or on-site presence and significantly expands the scope.
Compliance Requirements
If the pentest is required or expected for PCI DSS, SOC 2, ISO 27001, a PIPEDA-driven privacy program or another compliance framework, the report must meet specific documentation standards. Compliance-driven pentests follow prescribed methodologies and produce reports formatted for auditor review, with scope, methodology and evidence stated explicitly. This adds reporting overhead but ensures the deliverable meets your compliance needs.
Retesting
After your team remediates the findings, a retest verifies the fixes are effective. Sherlock Forensics offers retesting at a reduced rate (typically 20-30% of the original engagement cost). We recommend retesting within 30-60 days of remediation.
Why Cheap Pentests Are Expensive
If someone offers you a "penetration test" for $500, you are not getting a penetration test. You are getting an automated vulnerability scan with a cover page that says "Penetration Test Report." Here is what cheap pentests typically deliver:
- Automated scanning only: They run Nessus, Qualys or a similar scanner, export the results and format them into a report template. No manual testing. No business-logic review. No exploitation to prove impact.
- Junior testers unsupervised: To hit a low price point, some firms assign fresh graduates with minimal real-world experience. They follow a checklist but miss the creative, lateral-thinking exploitation that experienced testers perform.
- Template reports: Generic findings copied from previous engagements. The remediation advice says "patch your software" instead of explaining exactly which component needs updating, how to update it and how to verify the fix.
- No exploitation: They flag "potential SQL injection" without actually testing it. You cannot tell whether the finding is a real risk or a false positive. Your developers waste time investigating findings that may not be exploitable.
- No debrief: The report is emailed and the engagement is over. No walkthrough, no questions answered, no help prioritizing remediation.
The result: you spend $500, get a report full of noise and false positives, your developers spend a week chasing non-issues, real vulnerabilities remain undiscovered and you have a false sense of security. When you eventually get breached, the $500 "pentest" provides no protection, no compliance documentation and no legal defensibility.
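The "No exploitation" point above is the one that costs developers the most time, so here is an added example (written for this page, not code from Sherlock Forensics or any scanner vendor) of the difference between a scanner-style flag and a confirmed finding. Everything is constructed: an in-memory SQLite table, a lookup that concatenates user input into the query (the deliberately vulnerable version), a parameterized lookup (the fixed version), and a third lookup that is parameterized but rejects quotes with an error. A scanner heuristic that keys on "an error appears when I send a quote" flags two of the three; the boolean-based differential in `confirm_sqli` only confirms the one where the input actually changes the query's logic.

```python
"""Confirming a "potential SQL injection" flag (added example, constructed).

The table, the three lookup functions and the scanner heuristic are all
constructed for illustration; none of this targets a real application.
"""
import sqlite3
from typing import Callable, Optional, Tuple

Row = Optional[Tuple]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> Row:
    # Constructed defect: user input concatenated straight into the statement.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> Row:
    # Parameterized: the value is bound by the driver and never parsed as SQL.
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchone()


def lookup_strict(conn: sqlite3.Connection, username: str) -> Row:
    # Parameterized AND rejects quotes with an application error. Safe, but a
    # scanner that equates "error on quote" with injection will flag it.
    if "'" in username:
        raise ValueError("invalid username")
    return lookup_fixed(conn, username)


def scanner_heuristic(lookup: Callable, conn: sqlite3.Connection,
                      known_value: str = "alice") -> bool:
    """What a scan-only 'finding' often amounts to: does a stray quote error out?"""
    try:
        lookup(conn, known_value + "'")
        return False
    except Exception:  # any error at all counts as "potential SQL injection"
        return True


def _probe(lookup: Callable, conn: sqlite3.Connection, value: str) -> Row:
    """Treat errors as 'no row' so a rejected payload cannot fake a match."""
    try:
        return lookup(conn, value)
    except Exception:
        return None


def confirm_sqli(lookup: Callable, conn: sqlite3.Connection,
                 known_value: str = "alice") -> bool:
    """Boolean-based differential: a true predicate must preserve the baseline
    row and a false predicate must suppress it. Only then has the payload
    reached the SQL parser. A parameterized endpoint returns nothing for
    either payload because the whole string is compared as a literal."""
    baseline = _probe(lookup, conn, known_value)
    if baseline is None:
        raise ValueError("need a known value that returns a row to build an oracle")
    true_case = _probe(lookup, conn, f"{known_value}' AND '1'='1")
    false_case = _probe(lookup, conn, f"{known_value}' AND '1'='2")
    return true_case == baseline and false_case is None


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed),
                     ("strict", lookup_strict)):
        print(f"{name:10s} scanner flag={scanner_heuristic(fn, db)!s:5s} "
              f"confirmed={confirm_sqli(fn, db)}")
```

The `strict` lookup is the false positive the text describes: the scan report would list it next to the real one with the same severity, and a developer would spend time proving a negative. A confirmed finding instead ships with the exact request pair that changed the query's behaviour, which is evidence both the developer and an auditor can act on.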
A proper penetration test costs more because it requires human expertise applied over multiple days. A senior pentester with OSCP, CISSP or similar certifications commands $150-$300+ per hour. A standard engagement involves 40-80 hours of skilled labor. The math does not support a quality pentest at $500.
What You Get at Each Price Point
$1,500-$3,000: Quick Audit
Ideal for small web applications, vibe-coded projects, MVPs and side projects with real users. Covers authentication and session management, authorization and access controls, injection testing (SQL, XSS, command injection), secrets and credential exposure, server configuration and security headers. Delivered in 3-5 business days with a full report and remediation guidance. Order online.
$5,000-$10,000: Standard External Pentest
The most common engagement for mid-size web applications and SaaS platforms. Everything in the Quick Audit plus full OWASP Top 10 coverage, comprehensive API testing, business logic analysis, file upload and input handling, third-party integration security, lateral movement from external foothold and a live debrief call with your technical and business stakeholders. Order online.
$12,000-$25,000: Comprehensive Assessment
Full internal and external assessment for organizations with on-premise infrastructure, cloud environments or compliance requirements. Everything in the Standard Pentest plus internal network penetration testing, Active Directory and identity provider assessment, cloud configuration review (AWS, GCP, Azure), privilege escalation and lateral movement across internal systems, wireless network testing (if applicable) and compliance-formatted reporting for PCI DSS, SOC 2 or ISO 27001.
$25,000+: Enterprise Multi-Application
Custom-scoped engagements for organizations with multiple applications, complex infrastructure and advanced security requirements. Includes testing across multiple applications and environments, social engineering assessment (optional), physical security testing (optional), red team elements simulating advanced persistent threats and board-ready reporting with risk quantification. Contact us for custom scoping.
How to Budget for Security Testing
Security testing should be a recurring budget line item, not a one-time expense. Here is a practical budgeting framework:
- Startups and small businesses: Budget $3,000-$6,000 CAD per year. One Quick Audit before launch ($1,500), one follow-up audit after major feature additions ($1,500) and automated scanning tools ($0-$500).
- Mid-market companies: Budget $10,000-$25,000 CAD per year. Annual standard pentest ($5,000-$10,000), quarterly automated scans and retesting after remediation ($2,000-$5,000).
- Enterprise: Budget $25,000-$100,000+ CAD per year. Annual comprehensive assessment, additional pentests for new applications, continuous automated scanning and periodic red team exercises.
Compare these numbers to the average cost of a data breach in Canada: $5.13 million CAD (IBM Cost of a Data Breach Report, 2025). A $10,000 annual pentest is roughly 0.2% of the average breach cost. That is insurance, not an expense.
The ROI of a Penetration Test
A pentest is one of the few security investments with measurable, direct return. Consider:
- Breach prevention: Average breach cost in Canada is $5.13M CAD. Preventing even one breach pays for decades of annual pentesting.
- Compliance: PCI DSS requires penetration testing at least annually and after significant changes; SOC 2 auditors, ISO 27001 programs and many cyber insurance policies expect it as evidence of control effectiveness. Skipping it can mean failed audits, policy cancellation or regulatory fines.
- Investor confidence: Investors increasingly ask about security posture during due diligence. A recent pentest report demonstrates proactive risk management.
- Cyber insurance: Many insurers offer premium discounts for organizations with recent penetration test reports. The discount alone can offset a significant portion of the pentest cost.
- Customer trust: Enterprise customers increasingly require vendor security assessments. A clean pentest report accelerates sales cycles and removes procurement blockers.
Getting Started
Sherlock Forensics makes it simple to get started. Order a Quick Audit online starting at $1,500 CAD. For standard pentests and custom scoping, call 604.229.1994 or fill out the contact form. We respond to every inquiry within one business day and provide written proposals within 48 hours of a scoping call.
Frequently Asked Questions
How much should I budget for a pentest?
For a small web application, budget $1,500-$3,000 CAD for a quick audit at Sherlock Forensics. For a standard external pentest of a mid-size app, budget $5,000-$10,000 CAD. Comprehensive assessments run $12,000-$25,000 CAD. Plan for annual testing as a recurring budget item. View pricing and order online.
Why are pentests so expensive?
Penetration tests require certified security professionals who manually test your application for vulnerabilities automated tools cannot find. A senior pentester commands $150-$300+ per hour. A standard engagement involves 40-80 hours of skilled labor. The cost reflects genuine expertise, not just tool output with a cover page.
Is there a cheap pentest option?
Sherlock Forensics Quick Audits start at $1,500 CAD for small web applications. This includes manual testing, a detailed report and remediation guidance, delivered in 3-5 business days. Be cautious of pentests priced below $1,000, as they are typically automated scans presented as manual assessments.
What is included in a $5,000 pentest?
A $5,000 standard external pentest at Sherlock Forensics includes full OWASP Top 10 testing, API security assessment, business logic analysis, manual and automated vulnerability discovery, controlled exploitation with proof-of-concept evidence, a detailed report with severity ratings and remediation steps, and a live debrief call. Order online or call 604.229.1994.