What a Pentest Actually Looks Like (No, It Is Not Like the Movies)

A penetration test at Sherlock Forensics follows a structured eight-step process: scoping call, rules of engagement, reconnaissance, vulnerability discovery, exploitation, lateral movement, reporting and debrief. Standard external pentests start at $5,000 CAD and take 1-2 weeks. Quick audits for smaller applications start at $1,500 CAD with results in 3-5 business days. Every engagement includes a detailed report with severity ratings, proof-of-concept evidence and remediation steps written in plain language.

Forget Everything Hollywood Told You

When most people picture a penetration test, they imagine a hooded figure in a dark room, green text scrolling down a monitor, dramatic music building as "ACCESS GRANTED" flashes across the screen. The reality is nothing like that. A professional penetration test is a structured, methodical engagement with clear rules, defined objectives and detailed documentation. It looks a lot more like an audit than a heist.

If you are a founder, CTO or business owner considering your first pentest, this walkthrough will show you exactly what happens from the moment you reach out to the moment you receive your report. No jargon. No drama. Just the process.

Step 1: The Scoping Call

Every engagement at Sherlock Forensics begins with a scoping call. This is a 30-60 minute conversation where we figure out what needs to be tested and how deep the test should go. We ask questions like:

  • What applications, networks or systems are in scope?
  • What is the technology stack? (Languages, frameworks, cloud providers, databases)
  • Are there any systems that should be excluded from testing?
  • Do you have staging or production environments? Which should we test?
  • Are there compliance requirements driving this test? (PCI DSS, SOC 2, PIPEDA)
  • What is your biggest concern? What keeps you up at night?

The scoping call determines the engagement type, timeline and cost. A single web application with a handful of endpoints is a different engagement than a multi-application enterprise environment with internal networks and cloud infrastructure. We provide a written proposal within 48 hours of the scoping call.

Step 2: Rules of Engagement

Before any testing begins, both sides sign a rules of engagement document. This is the legal and operational framework for the entire test. It defines:

  • Scope: Exactly which systems, IP addresses, domains and applications are targets
  • Testing window: When testing will occur (business hours, after hours, weekends)
  • Boundaries: What is explicitly off-limits (production databases, customer-facing systems during peak hours)
  • Communication protocol: Who to contact if we find something critical mid-test, and how quickly
  • Authorized techniques: Whether social engineering, physical access or denial-of-service testing is permitted
  • Data handling: How we handle any sensitive data we encounter during testing

This document protects both parties. It ensures we have written authorization to test (which makes the difference between a pentest and a crime) and it ensures you know exactly what will and will not happen to your systems.
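As an added illustration (not Sherlock Forensics' own tooling), the scope, exclusions and testing window from a rules-of-engagement document can be encoded as data and consulted before any request is sent, so an out-of-scope host or an after-hours run is refused automatically. All networks, hostnames and hours below are constructed sample values.

```python
# Added example, not Sherlock Forensics' tooling: the scope, exclusions and
# testing window of a rules-of-engagement document encoded as data, so every
# target can be checked against written authorization before it is touched.
# Hosts, networks and hours below are constructed sample values.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from ipaddress import ip_address, ip_network

@dataclass
class RulesOfEngagement:
    networks: list      # authorized CIDR ranges
    domains: list       # authorized names; "*.example.test" covers subdomains
    excluded: set       # hosts or IPs explicitly off-limits
    tz: tzinfo          # zone the testing window is written in
    window: tuple = (time(9, 0), time(17, 0))                      # business hours
    weekdays: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri

def _name_in_scope(host: str, pattern: str) -> bool:
    if pattern.startswith("*."):  # wildcard: the apex and any subdomain
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def check_target(roe: RulesOfEngagement, target: str, when_iso: str) -> tuple:
    """Return (authorized, reason) for testing `target` at ISO-8601 time `when_iso`."""
    target = target.lower().rstrip(".")
    if target in roe.excluded:
        return False, f"{target} is explicitly excluded"
    try:  # IP targets must fall inside an authorized network...
        addr = ip_address(target)
        in_scope = any(addr in ip_network(n) for n in roe.networks)
    except ValueError:  # ...names must match an authorized domain pattern
        in_scope = any(_name_in_scope(target, d) for d in roe.domains)
    if not in_scope:
        return False, f"{target} is not in the authorized scope"
    local = datetime.fromisoformat(when_iso).astimezone(roe.tz)  # RoE's own zone
    if local.weekday() not in roe.weekdays:
        return False, f"outside testing window: {local:%A}"
    if not (roe.window[0] <= local.time() < roe.window[1]):
        return False, f"outside testing window: {local:%H:%M} {roe.tz}"
    return True, "authorized"

# Constructed sample RoE: two documentation-range networks, one wildcard domain,
# the production database host and one address explicitly excluded, Pacific time
SAMPLE_ROE = RulesOfEngagement(
    networks=["198.51.100.0/24", "203.0.113.0/24"],
    domains=["*.example.test"],
    excluded={"db-prod.example.test", "203.0.113.250"},
    tz=timezone(timedelta(hours=-8), "PST"),
)
```

Timestamps are converted into the zone the rules of engagement were written in, so a tester working from another time zone still gets the client's business-hours window applied.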

Step 3: Reconnaissance

Reconnaissance is the information-gathering phase. We map your attack surface the same way a real attacker would, but methodically and with every step documented. This includes:

  • Passive reconnaissance: DNS records, WHOIS data, SSL certificate details, publicly exposed code repositories, leaked credentials in breach databases, employee information on LinkedIn
  • Active reconnaissance: Port scanning, service enumeration, technology fingerprinting, directory brute-forcing, API endpoint discovery
  • Application mapping: Every page, form, API endpoint, authentication mechanism and file upload function is catalogued

Most clients are surprised by how much information is publicly available about their infrastructure. Exposed staging environments, forgotten subdomains, development servers with default credentials, and Git repositories with commit history containing API keys are all common findings at this stage.

Step 4: Vulnerability Discovery

With the attack surface mapped, we systematically test every component for vulnerabilities. This combines automated scanning with manual testing. Automated tools catch known vulnerability signatures quickly. Manual testing catches business-logic flaws, authentication bypasses and chained vulnerabilities that scanners miss entirely.

We test for the OWASP Top 10, CWE Top 25 and additional categories specific to your technology stack. For web applications, this means testing every input field for injection, every authentication flow for bypass, every authorization check for privilege escalation and every file handling function for path traversal and upload vulnerabilities.

This is the most time-intensive phase. A thorough vulnerability discovery on a mid-size application takes several days of focused manual testing.

Step 5: Exploitation

Finding a vulnerability is not the same as proving it is exploitable. In the exploitation phase, we attempt to leverage discovered vulnerabilities to demonstrate real-world impact. If we find a SQL injection, we do not just flag it as "potential SQL injection." We extract data from the database to prove the risk is real.

Exploitation is always controlled. We demonstrate impact without causing damage. If we gain access to a database, we extract a small sample of records to prove access, then document the technique. We do not dump entire databases, modify production data or leave backdoors.

Common exploitation chains we see in practice:

  • SQL injection → database access → credential extraction → admin panel login
  • Exposed .env file → API key extraction → third-party service access
  • Broken access control → other users' data → account takeover
  • Cross-site scripting → session hijacking → admin account compromise

Step 6: Lateral Movement

Once initial access is gained, we test whether an attacker could move deeper into your infrastructure. Can a compromised web application be used to reach internal services? Can database credentials be reused on other systems? Can a low-privilege user escalate to admin?

Lateral movement testing reveals the blast radius of a single vulnerability. A SQL injection in one application might seem like a contained problem until you discover the database credentials also work on your production server, your admin panel uses the same password and your cloud provider account has no MFA enabled.

This phase often produces the most alarming findings because it shows how one weakness cascades into full infrastructure compromise.

Step 7: The Report

The report is the most important deliverable of any penetration test. At Sherlock Forensics, every report includes:

  • Executive summary: A one-page, plain-language overview of findings and risk level. Written for business leaders, not security engineers. Includes overall risk rating and the three most critical actions to take immediately.
  • Methodology: What we tested, how we tested it and which standards we followed (OWASP, PTES, NIST)
  • Findings detail: Each vulnerability gets its own section with severity rating (Critical, High, Medium, Low, Informational), description, proof-of-concept screenshots and request/response data, business impact explanation and step-by-step remediation guidance
  • Risk matrix: A visual summary showing all findings by severity and likelihood of exploitation
  • Remediation roadmap: Prioritized action plan so your team knows what to fix first

We write reports for two audiences. The executive summary is for the people who make budget decisions. The technical findings are for the developers who will fix the issues. Both sections are written in clear language without unnecessary jargon.

Step 8: The Debrief

Every Sherlock Forensics engagement includes a live debrief call. We walk through the report with your technical and business stakeholders, answer questions, clarify findings and help prioritize remediation. This is not a one-way presentation. It is a working session where we help your team understand the risk and plan the fix.

Many clients tell us the debrief is the most valuable part of the engagement. Reading a report is one thing. Having the tester who found the vulnerability explain exactly how they exploited it and what would happen if an attacker did the same is another experience entirely.

Common Fears (Addressed Honestly)

"Will you break my app?"

No. We use controlled techniques designed to demonstrate risk without causing damage. Destructive tests like denial-of-service are only performed if you specifically request them and only against environments you designate. In thousands of engagements, we have never caused unplanned downtime.

"Will customers notice?"

They will not. Penetration testing generates traffic patterns similar to normal usage. We do not flood your servers, crash your pages or deface your site. If we test during business hours (which is the default), your application continues serving customers normally throughout the engagement.

"What if you find nothing?"

In over 20 years of testing, we have never completed a pentest with zero findings. Every application has room for improvement. But if your application is genuinely well-secured, a clean report is valuable documentation for compliance audits, investor due diligence and cyber insurance applications. You are paying for certainty either way.

"What if you find something terrible?"

If we discover a critical vulnerability during testing, we do not wait for the final report. Our rules of engagement include a communication protocol for urgent findings. We contact your designated point of contact immediately so you can begin remediation before the engagement is complete.

How Long Does It Take and What Does It Cost?

At Sherlock Forensics, timelines and pricing depend on scope:

  • Quick audit (small web apps, vibe-coded projects): 3-5 business days, starting at $1,500 CAD
  • Standard external pentest (mid-size web applications): 1-2 weeks, $5,000-$10,000 CAD
  • Comprehensive internal + external: 2-4 weeks, $12,000-$25,000 CAD
  • Enterprise multi-application: Custom scope, $25,000+ CAD

Every engagement includes the full report and live debrief. No surprises, no hidden fees. Order a standard pentest online or call 604.229.1994 to scope a custom engagement.

Frequently Asked Questions

What happens during a penetration test?

A penetration test follows a structured process: scoping call, rules of engagement, reconnaissance, vulnerability discovery, exploitation, lateral movement testing, detailed reporting and live debrief. At Sherlock Forensics, standard external pentests start at $5,000 CAD and include a comprehensive report with severity ratings, proof-of-concept evidence and remediation guidance.

Will a pentest break my website?

No. Professional penetration testers use controlled techniques that demonstrate risk without causing damage. Destructive tests are only performed with explicit written approval. Your customers will not notice the test is happening. In over 20 years of testing at Sherlock Forensics, we have never caused unplanned downtime.

How long does a pentest take?

Timeline depends on scope. Quick audits for small applications take 3-5 business days ($1,500 CAD). Standard external pentests take 1-2 weeks ($5,000-$10,000 CAD). Comprehensive assessments covering internal and external infrastructure take 2-4 weeks ($12,000-$25,000 CAD). Order online or call to discuss your timeline.

What do I get at the end of a pentest?

You receive a detailed report with an executive summary in plain language, technical findings with severity ratings, proof-of-concept screenshots and evidence, step-by-step remediation instructions and a prioritized action plan. Every Sherlock Forensics engagement also includes a live debrief call to walk your team through the findings and answer questions.