What is a penetration test?
A penetration test is an authorized simulated cyberattack on a computer system, network or web application performed by security professionals to identify vulnerabilities that a real attacker could exploit. The test evaluates security controls under real-world conditions and produces a report with findings rated by severity and remediation steps.
Think of it as hiring a professional burglar to try to break into your building before a real criminal does. The tester uses the same tools, techniques and thought processes that malicious hackers use, but with your written permission and within an agreed scope. When they finish, you receive a detailed report explaining every weakness they found and exactly how to fix each one.
Penetration testing is sometimes called "pentesting" or "ethical hacking." It is a critical component of any mature security program because it reveals vulnerabilities that automated scanning tools miss. A human tester can chain together minor issues to demonstrate significant real-world impact that no scanner would flag.
Types of Penetration Tests
Penetration tests vary based on the target environment and the tester's level of prior knowledge. The main types include:
- Black Box Testing: The tester receives no prior knowledge of the system. This simulates an external attacker who knows nothing about your infrastructure. It tests your public-facing defenses and is the most realistic simulation of an opportunistic attack.
- White Box Testing: The tester receives full access to source code, architecture diagrams and credentials. This allows deeper analysis and finds more vulnerabilities in less time. It is ideal for applications in active development.
- Grey Box Testing: The tester receives partial knowledge, typically user-level credentials and basic documentation. This simulates an attacker who has gained some initial access, perhaps through a phished employee account.
The right approach depends on your goals. If you want to know what an outsider could find, choose black box. If you want a thorough code-level review, choose white box. Most engagements at Sherlock Forensics use grey box testing because it provides the best balance of coverage and realism.
How Much Does a Penetration Test Cost?
Penetration test pricing depends on scope, complexity and the type of testing required. At Sherlock Forensics, pricing is transparent and in Canadian dollars:
- Quick Audit ($1,500 CAD): Single application or focused scope. Results in 3 to 5 business days. Best for startups and side projects.
- Standard External Pentest ($3,000 to $10,000 CAD): Full OWASP Top 10 coverage for web applications and API endpoints. 8 to 12 business days.
- Comprehensive Assessment ($10,000 to $12,000 CAD): Multiple applications, internal network testing and detailed compliance documentation. 2 to 4 weeks.
The biggest cost factors are the number of applications in scope, the complexity of each application and whether you need compliance documentation for standards like SOC 2 or PCI DSS. Read our full penetration test cost breakdown for a detailed pricing table.
How Long Does a Penetration Test Take?
A typical engagement follows this timeline:
- Scoping: 1 to 2 business days to define targets, rules of engagement and testing windows.
- Active testing: 3 to 10 business days depending on scope. Quick audits take 2 to 3 days of active testing. Standard engagements take 5 to 8 days.
- Report writing: 2 to 3 business days for a detailed report with findings, evidence and remediation steps.
- Debrief: A 30 to 60 minute call to walk through findings and answer questions.
From initial contact to final report delivery, expect 5 to 15 business days for most engagements. Complex multi-application assessments can take 3 to 4 weeks.
What to Expect During a Penetration Test
The process begins with a scoping call where the testing team works with you to define what will be tested. You will sign a rules of engagement document that authorizes the testing and sets boundaries. This document protects both parties and ensures the tester stays within agreed limits.
During active testing, you may not notice anything happening. Professional testers are careful and methodical. They probe your application's inputs, authentication mechanisms, access controls and business logic looking for weaknesses. If they find something critical, most firms will notify you immediately rather than waiting for the final report.
After testing concludes, you receive a report containing an executive summary for non-technical stakeholders, detailed findings with severity ratings and step-by-step remediation instructions. Good reports include screenshots and proof-of-concept evidence demonstrating each vulnerability.
The final step is a debrief call where the testing team walks through findings, answers questions and helps you prioritize remediation. This is where the report becomes an action plan.
Why Automated Scans Are Not Enough
Automated vulnerability scanners like Nessus, Qualys and OWASP ZAP are valuable tools. They check for known issues quickly and cheaply. But they have significant blind spots.
Scanners cannot test business logic. They will not find that your e-commerce application allows negative quantities, that your password reset flow is exploitable or that your API returns other users' data when you change an ID in the URL. These are the vulnerabilities that lead to real breaches, and they require a human tester to identify.
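Two of the business-logic flaws named above, shown as an added example that is not part of the page or of Sherlock Forensics' tooling: a checkout total that trusts client-supplied quantities, and an API lookup that returns another user's order when the ID changes. The catalogue, order records and function names are constructed for illustration, and each weak version sits beside its hardened form.

```python
# Constructed sample catalogue: SKU -> unit price in cents.
PRICE_CENTS = {"sku-1": 2500, "sku-2": 1000}

def order_total_unsafe(items):
    """Weak: trusts the client's quantities, so a negative quantity
    silently becomes a discount. A signature-based scanner has nothing
    to match here; the code is syntactically fine."""
    return sum(PRICE_CENTS[sku] * qty for sku, qty in items)

def order_total_hardened(items):
    """Hardened: every SKU must exist and every quantity must be a
    positive integer (bool is excluded because it subclasses int)."""
    total = 0
    for sku, qty in items:
        if sku not in PRICE_CENTS:
            raise ValueError(f"unknown sku {sku!r}")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
            raise ValueError(f"invalid quantity {qty!r} for {sku}")
        total += PRICE_CENTS[sku] * qty
    return total

# Constructed sample order records for the object-ownership check.
ORDERS = {
    101: {"owner": "alice", "total_cents": 2500},
    102: {"owner": "bob", "total_cents": 1000},
}

def get_order_unsafe(order_id, current_user):
    """Weak: looks the record up by ID alone. The authenticated user is
    ignored, so changing the ID in the URL returns someone else's data."""
    return ORDERS.get(order_id)

def get_order_hardened(order_id, current_user):
    """Hardened: the lookup is scoped to the authenticated user. A record
    that belongs to someone else is treated exactly like a missing one,
    so the endpoint does not reveal which IDs exist either."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        return None
    return order
```

The hardened functions reject the same inputs a manual tester would try first; the point is that the weak versions produce no error, which is why only a human reviewing the flow notices them.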
A penetration test includes automated scanning as one component of the methodology. The tester uses scanners for reconnaissance, then applies manual testing, creative thinking and experience to find what the tools miss. This is why a pentest costs more than a vulnerability scan but delivers dramatically more value.
When Should You Get a Penetration Test?
You should schedule a penetration test in the following situations:
- Before launching a new application or major feature
- At least annually as part of your security program
- After significant codebase changes or infrastructure migrations
- When pursuing compliance certifications like SOC 2, PCI DSS or ISO 27001
- After a security incident to identify remaining vulnerabilities
- When investors, partners or enterprise customers request security validation
If your application handles user data, processes payments or stores sensitive information and has never been professionally tested, you should get a penetration test now. Sherlock Forensics quick audits start at $1,500 CAD with results in 3 to 5 business days.
People Also Ask
How long does a pentest take?
A penetration test typically takes 5 to 15 business days from kickoff to final report delivery. Quick audits from Sherlock Forensics are completed in 3 to 5 business days. Standard engagements run 8 to 12 business days including scoping, active testing, report writing and a debrief call. Complex multi-application assessments may take 3 to 4 weeks.
Is a pentest the same as a vulnerability scan?
No. A vulnerability scan is an automated tool that checks for known issues against a database of signatures. A penetration test involves a skilled human tester who thinks creatively, chains vulnerabilities together and demonstrates real-world exploitation. Vulnerability scans find surface-level issues. Penetration tests find the weaknesses that actually lead to breaches and data exposure.
Do small businesses need pentests?
Yes. Small businesses are targeted by attackers specifically because they tend to have weaker security controls. If your business handles customer data, processes payments or has user accounts, a penetration test identifies the vulnerabilities attackers exploit most often. Sherlock Forensics offers quick audits starting at $1,500 CAD with results in under a week.