The Simplest Explanation
Imagine you just built a new house. Before you move in, you hire a locksmith to try to break in. They check every door, every window, the garage, the basement, the skylights. They try picking locks, climbing through gaps and testing the alarm system. When they are done, they hand you a list: "Here is every way someone could get into your house, ranked by how easy it is. Here is how to fix each one."
That is penetration testing. Except instead of a house, it is your website, application or network. And instead of a locksmith, it is a certified security professional who thinks like an attacker.
Why It Matters for Your Business
You do not need to understand the technical details to understand the business case. Here are the numbers that matter:
- $4.88 million USD is the average cost of a data breach in 2024 (IBM Cost of a Data Breach Report)
- 60% of small businesses that suffer a significant cyberattack close within six months
- 287 days is the average time to identify and contain a breach without proactive testing
- $1,500 CAD is what a quick security audit from Sherlock Forensics costs
The math is straightforward. Spending $1,500 to $5,000 to find vulnerabilities before attackers do is dramatically cheaper than dealing with the aftermath of a breach. Customers leave. Regulators investigate. Lawyers send letters. Insurance premiums spike. Recovery takes months or years.
What Penetration Testing Is Not
Before going further, some common misconceptions:
It is not a vulnerability scan. A vulnerability scan is automated software that checks for known issues. It is useful but shallow. A penetration test involves a human tester who thinks creatively, chains vulnerabilities together and finds issues that automated tools miss. Learn more in our pentest vs. vulnerability scan comparison.
It is not hacking without permission. Every penetration test starts with a signed authorization document that defines exactly what will be tested, when and how. Nothing happens without your explicit consent.
It is not a one-time checkbox. Your application changes constantly. New features, new code, new integrations, new employees. Security testing should happen at least annually and ideally after any significant change.
How the Process Works, Step by Step
Step 1: Scoping and Planning
Before any testing begins, you have a scoping call with the testing team. This is where you define what gets tested. Your main website? Your API? Your mobile app? Your internal network? Everything? The scope determines the cost and timeline. At Sherlock Forensics, we walk you through what to expect during a penetration test so there are no surprises.
Step 2: Reconnaissance
The tester begins gathering information about your systems. This includes identifying technologies you use, finding subdomains and endpoints, mapping your application's features and understanding how data flows. Think of this as the attacker doing homework before attempting a break-in.
Step 3: Vulnerability Discovery
This is the core of the engagement. The tester systematically probes every input field, API endpoint, authentication mechanism and access control in scope. They are looking for weaknesses: places where your application does something it should not, accepts input it should reject or reveals information it should protect.
Step 4: Exploitation
When the tester finds a vulnerability, they exploit it to demonstrate real impact. Finding an SQL injection vulnerability is one thing. Showing that it allows an attacker to download your entire customer database makes the risk concrete and undeniable. This is the step that separates a penetration test from a vulnerability scan.
Step 5: Reporting
The tester produces a detailed report covering every finding. Each vulnerability includes a description in plain language, a severity rating, screenshots or evidence of exploitation and step-by-step instructions for fixing it. Good reports also include an executive summary for non-technical stakeholders. We cover what to look for in a pentest report in a separate guide.
Step 6: Debrief
You get a call with the testing team to walk through findings, ask questions, clarify priorities and discuss remediation timelines. This is where you turn the report into an action plan.
What the Report Looks Like
A good penetration test report contains several key sections:
- Executive summary: A one-page overview written for business leaders. No jargon. Overall risk level, number of findings by severity and the top three things to fix immediately.
- Methodology: What was tested, how it was tested and what tools were used.
- Findings: Each vulnerability with a title, severity rating (Critical, High, Medium, Low, Informational), description, evidence (screenshots, request/response data) and remediation steps.
- Risk matrix: A visual summary showing findings plotted by severity and exploitability.
- Remediation roadmap: Prioritized list of fixes, typically organized as "fix immediately," "fix within 30 days" and "fix within 90 days."
If you receive a report that is just a list of automated scan output with no context, no evidence and no remediation guidance, that is a red flag. You paid for a vulnerability scan, not a penetration test.
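As an added example (not code from this page or from Sherlock Forensics), the following Python script shows how the report sections above fit together: it takes findings rated on the page's severity scale, produces the executive-summary counts and top three, fills a severity by exploitability risk matrix, and sorts everything into the three remediation buckets named above. The four-step exploitability scale, the bucketing policy and the sample findings are assumptions constructed for the example, and the script rejects findings whose labels fall outside the agreed scales, which is one quick check to run on any report you receive.

```python
from collections import Counter
from dataclasses import dataclass

# Ordered rating scales. The severity labels are the ones the report section lists;
# the exploitability labels are an assumed four-step scale for this example.
SEVERITY = ["Informational", "Low", "Medium", "High", "Critical"]
EXPLOITABILITY = ["Theoretical", "Difficult", "Moderate", "Easy"]
BUCKETS = ["fix immediately", "fix within 30 days", "fix within 90 days"]


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    exploitability: str
    remediation: str


def validate(f: Finding) -> bool:
    """A finding rated outside the agreed scales cannot be prioritised;
    a report full of ad-hoc labels is one to push back on."""
    return f.severity in SEVERITY and f.exploitability in EXPLOITABILITY


def priority_score(f: Finding) -> int:
    """Rank-based score: severity dominates, exploitability breaks ties."""
    if not validate(f):
        raise ValueError(f"unrecognised rating on finding: {f.title!r}")
    return SEVERITY.index(f.severity) * len(EXPLOITABILITY) + EXPLOITABILITY.index(f.exploitability)


def remediation_bucket(f: Finding) -> str:
    """Assumed triage policy (not a published rule): Critical, and High that is
    Moderate or Easy to exploit, go in the immediate bucket; remaining High and
    all Medium go in 30 days; Low and Informational go in 90 days."""
    easy_enough = EXPLOITABILITY.index(f.exploitability) >= EXPLOITABILITY.index("Moderate")
    if f.severity == "Critical" or (f.severity == "High" and easy_enough):
        return BUCKETS[0]
    if f.severity in ("High", "Medium"):
        return BUCKETS[1]
    return BUCKETS[2]


def summary_by_severity(findings):
    """Counts per severity, every label present even when zero (executive summary line)."""
    counts = Counter(f.severity for f in findings)
    return {label: counts.get(label, 0) for label in SEVERITY}


def overall_risk(findings) -> str:
    """Overall risk level is the worst severity present."""
    if not findings:
        return "Informational"
    return max(findings, key=priority_score).severity


def risk_matrix(findings):
    """Cell counts for a severity x exploitability grid, keyed by (severity, exploitability)."""
    grid = {(s, e): 0 for s in SEVERITY for e in EXPLOITABILITY}
    for f in findings:
        priority_score(f)  # raises on unrecognised labels
        grid[(f.severity, f.exploitability)] += 1
    return grid


def remediation_roadmap(findings):
    """Finding titles per bucket, highest priority first within each bucket."""
    roadmap = {b: [] for b in BUCKETS}
    for f in sorted(findings, key=priority_score, reverse=True):
        roadmap[remediation_bucket(f)].append(f.title)
    return roadmap


def top_findings(findings, n=3):
    """The 'top three things to fix immediately' for the executive summary."""
    return sorted(findings, key=priority_score, reverse=True)[:n]


def render_report(findings) -> str:
    """Plain-text rendering of the summary, top findings and roadmap."""
    lines = [f"Overall risk: {overall_risk(findings)}"]
    lines += [f"  {label}: {n}" for label, n in summary_by_severity(findings).items()]
    lines.append("Top findings:")
    lines += [f"  - {f.title} ({f.severity}, {f.exploitability})" for f in top_findings(findings)]
    for bucket, titles in remediation_roadmap(findings).items():
        lines.append(f"{bucket}: {', '.join(titles) or 'none'}")
    return "\n".join(lines)


# Constructed sample findings for the example; not from any real engagement.
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", "Critical", "Easy", "Use parameterised queries"),
    Finding("Missing rate limiting on password reset", "Medium", "Easy", "Add per-account throttling"),
    Finding("Verbose server header", "Informational", "Theoretical", "Suppress version banner"),
    Finding("IDOR on invoice download", "High", "Moderate", "Check ownership on every fetch"),
    Finding("Outdated TLS configuration", "Low", "Difficult", "Disable legacy protocol versions"),
    Finding("Stored XSS in profile bio", "High", "Difficult", "Encode output, add CSP"),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Severity outranks exploitability in the score on purpose: a report that lets an easy-to-exploit Low finding jump ahead of a hard-to-exploit Critical one has its priorities inverted, and the matrix is there so you can see at a glance where the findings cluster before reading the remediation steps.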
How Much Does It Cost?
Penetration test pricing varies widely. At Sherlock Forensics, our pricing is transparent:
- Quick Audit: Starting at $1,500 CAD. Covers a single application or a focused scope. Results in 3-5 business days.
- Standard External Pentest: Starting at $5,000 CAD. Full external assessment of your web application, API endpoints and infrastructure. 8-12 business days.
- Comprehensive Assessment: $12,000 to $25,000+ CAD. Multiple applications, internal and external testing, social engineering and detailed compliance documentation.
The biggest factors that affect cost are the number of applications in scope, the complexity of each application, whether you need internal network testing and whether compliance documentation (SOC 2, PCI DSS, HIPAA) is required. Read our full 2026 pentest pricing breakdown for detailed comparisons.
Do You Need One?
Answer these questions:
- Does your application have user accounts with login functionality?
- Do you store customer data (names, emails, addresses, payment information)?
- Do you process payments?
- Are you pursuing SOC 2, PCI DSS or other compliance certifications?
- Have investors, partners or enterprise customers asked about your security posture?
- Has your codebase changed significantly in the last 12 months?
If you answered yes to even one of those questions, you need a penetration test. If you answered yes to three or more, you need one soon.
Common Concerns
"Will it break my website?" No. Professional penetration testers are careful. Testing is conducted in a controlled manner and any potentially disruptive tests are discussed with you in advance. At Sherlock Forensics, we have never caused an outage during an engagement.
"My app is too small to be targeted." Attackers use automated tools that scan the entire internet. They do not care about your company size. They care about whether your login page has default credentials, whether your API leaks data and whether your .env file is publicly accessible. Small applications are often easier targets because they have less security.
"We already use a firewall/antivirus/WAF." Those are important layers of defense. A penetration test checks whether those layers actually work and identifies the gaps between them. Security tools protect against known attack patterns. Penetration testers find the unknown ones.
Getting Started
If you are ready to find out what an attacker would find in your application, order a penetration test from Sherlock Forensics. Quick audits start at $1,500 CAD with results in 3-5 business days. You can also read what to expect during a penetration test to understand exactly how the process works from your side.
Frequently Asked Questions
What is penetration testing?
Penetration testing is a controlled, authorized simulation of a real cyberattack. A security professional attempts to find and exploit vulnerabilities in your application, network or infrastructure the same way a criminal hacker would. The result is a detailed report showing every weakness found, how it was exploited and exactly how to fix it. At Sherlock Forensics, penetration tests start at $1,500 CAD.
How much does a penetration test cost?
Costs depend on scope and complexity. Quick audits at Sherlock Forensics start at $1,500 CAD for a focused single-application test. Standard external penetration tests start at $5,000 CAD. Comprehensive multi-application assessments range from $12,000 to $25,000+ CAD. See our full pricing breakdown for details.
How long does a pentest take?
Quick audits take 3-5 business days. Standard engagements run 8-12 business days from kickoff to final report. Complex assessments covering multiple applications and networks can take 3-4 weeks. The timeline depends on scope, application complexity and testing depth.
Do I need a pentest for my small business?
If your business has a website with user accounts, handles customer data, processes payments or stores any sensitive information, yes. Small businesses are frequent targets because attackers know they have weaker defenses. A $1,500 CAD quick audit identifies the vulnerabilities attackers exploit most often and is dramatically cheaper than recovering from a breach.