Since 2006. CISSP, ISSAP and ISSMP certified. Everything you need to know before commissioning your first or next penetration test.
Penetration testing is a controlled, authorized cyberattack against your systems designed to find exploitable vulnerabilities before criminals do. Testers simulate real-world threats across networks, web applications, APIs and cloud environments. Results are delivered in a prioritized report with remediation guidance. Canadian organizations pay $1,500 to $45,000+ CAD depending on scope and complexity.
Definition
What Is Penetration Testing
A penetration test is an authorized security assessment in which a qualified professional actively attempts to exploit vulnerabilities in your infrastructure, applications or personnel. Unlike automated vulnerability scanning, penetration testing involves manual analysis, creative attack chaining and business logic testing that tools alone cannot replicate. The objective is to identify security weaknesses before an attacker does and to provide actionable remediation guidance ranked by severity.
Penetration testing follows a structured methodology aligned with frameworks such as the OWASP Testing Guide and the NIST Cybersecurity Framework. Every engagement begins with scoping and rules of engagement. It progresses through reconnaissance, enumeration, exploitation and post-exploitation. It concludes with a detailed report that documents each finding with evidence, risk rating and remediation steps.
Organizations commission penetration tests to satisfy compliance requirements, validate security controls after infrastructure changes, prepare for mergers and acquisitions or simply to understand their actual risk posture. A well-executed pentest is not a checkbox exercise. It is an adversarial simulation that reveals how far an attacker could get and what damage they could cause.
Penetration testing is not a single service. It is a category of assessments that vary by target, methodology and depth. The type of test you need depends on your infrastructure, your threat model and the compliance frameworks that govern your industry. Most organizations require more than one type over the course of a year.
Each test type examines a different attack surface. Network testing targets your perimeter and internal infrastructure. Web application testing probes your customer-facing software. API testing evaluates the interfaces that power your mobile apps and third-party integrations. Cloud testing assesses your configuration and identity management in AWS, Azure or GCP. Red team engagements combine all of these with social engineering to simulate a real adversary operating without constraints.
Network Penetration Testing
External and internal network assessments targeting firewalls, routers, servers, workstations and network services. Tests for misconfigurations, unpatched software, weak credentials and lateral movement paths that attackers exploit after initial access.
Web Application Testing
Manual and automated testing of web applications against the OWASP Top 10 and beyond. Covers authentication, authorization, session management, input validation, business logic flaws and server-side vulnerabilities specific to your application stack.
API Security Testing
Assessment of REST, GraphQL and SOAP APIs for broken authentication, excessive data exposure, injection flaws and rate limiting gaps. APIs are the fastest-growing attack surface in 2026 and require specialized testing methodology.
Cloud Penetration Testing
Security assessment of cloud-hosted infrastructure across AWS, Azure and GCP. Tests IAM policies, storage bucket permissions, network segmentation, serverless function security and container escape paths.
Red Team Assessment
Full-scope adversarial simulation with no predefined target list. Red team operators use any combination of technical exploitation, social engineering, physical access and supply chain compromise to achieve defined objectives.
Wireless & Physical
Assessment of wireless networks for rogue access points, weak encryption and evil twin attacks. Physical penetration testing evaluates badge access, tailgating controls and secure area protections. Often combined with red team engagements.
Budget
How Much Does a Pentest Cost
Penetration testing pricing in Canada ranges from $1,500 CAD for a focused single-application assessment to $45,000 CAD or more for a multi-week red team engagement. The price is driven by scope, complexity, the number of targets and the depth of testing required. A small business with one web application and a handful of external IPs will pay significantly less than an enterprise with dozens of subnets and hundreds of endpoints.
The most common mistake organizations make is shopping for the cheapest pentest available. A $500 "pentest" is an automated vulnerability scan with a branded cover page. It will not find business logic flaws, chained exploits or misconfigured access controls. If your pentest report arrives within 24 hours of the engagement starting, you did not receive a penetration test.
Test Type | Typical Range (CAD) | Duration
Web Application (small) | $1,500 - $5,000 | 3 - 5 days
External Network | $3,000 - $8,000 | 3 - 7 days
Internal Network | $5,000 - $15,000 | 5 - 10 days
API Security | $2,500 - $10,000 | 3 - 7 days
Cloud Configuration | $4,000 - $12,000 | 5 - 10 days
Red Team Engagement | $15,000 - $45,000+ | 2 - 6 weeks
Pricing reflects Canadian market rates as of 2026. Your actual cost depends on the number of IPs, applications, user roles and compliance requirements involved.
A penetration test follows a predictable lifecycle: scoping, reconnaissance, testing, reporting and retesting. The scoping phase defines what is in and out of bounds, establishes rules of engagement, identifies emergency contacts and sets the testing window. This is the most important phase. A poorly scoped test either misses critical assets or wastes budget testing systems that do not matter.
During active testing, the penetration tester works through your environment methodically. They enumerate services, identify potential entry points, attempt exploitation and document every step with screenshots and technical evidence. Communication during this phase is critical. A good tester will notify you immediately if they discover a critical vulnerability that poses an active risk to your organization rather than waiting for the final report.
The engagement concludes with a written report and a walkthrough call where the testing team explains each finding, answers questions and discusses remediation priorities. After your team addresses the findings, a retest validates that fixes were implemented correctly. The retest is not optional. Without it, you have no verification that your remediation actually closed the gaps.
The penetration test report is the primary deliverable and the document your security team, developers and executives will reference for months after the engagement. A professional report contains an executive summary for leadership, a technical findings section for engineers and a risk-rated vulnerability list that drives remediation prioritization.
Findings are typically rated using the Common Vulnerability Scoring System (CVSS) or a qualitative scale of Critical, High, Medium, Low and Informational. Critical and High findings represent vulnerabilities that an attacker could exploit to gain unauthorized access, exfiltrate data or disrupt operations. These demand immediate remediation. Medium findings should be addressed within your next development cycle. Low and Informational items represent hardening opportunities that reduce your overall attack surface.
When reviewing the report, focus on attack chains rather than individual findings. A Medium-severity misconfiguration combined with a Low-severity information disclosure can create a High-severity attack path. Good pentest reports highlight these chains explicitly. If your report reads like an automated scanner output with no narrative, your testers did not do their job.
The average cost of a data breach in Canada reached $6.32 million CAD in 2025 according to the IBM Cost of a Data Breach Report. A penetration test that costs $5,000 to $15,000 and identifies a single exploitable vulnerability that would have led to a breach represents a return on investment that no other security expenditure can match. The math is not complicated. The hard part is getting organizational buy-in before an incident forces the conversation.
Beyond direct breach costs, consider the downstream impact: regulatory fines under PIPEDA and provincial privacy legislation, class action exposure, customer churn, reputational damage and increased cyber insurance premiums. Organizations that can demonstrate regular penetration testing as part of a mature security program negotiate better insurance rates and face less scrutiny from regulators after an incident.
The question is not whether you can afford a penetration test. It is whether you can afford to skip one. Every month without testing is a month where an attacker may have already found what your pentest would have revealed.
Multiple compliance frameworks mandate penetration testing as a condition of certification or continued compliance. If your organization processes payment cards, stores personal health information, handles financial data or pursues enterprise clients, penetration testing is not optional. It is a documented requirement that auditors will verify.
The specific requirements vary by framework. Some mandate annual testing. Others require testing after significant changes. All of them expect the test to be performed by a qualified third party with documented methodology. Using your internal IT team to run Nessus does not satisfy any of these requirements.
SOC 2
SOC 2 Type II audits evaluate the operating effectiveness of security controls over a review period. While SOC 2 does not explicitly mandate penetration testing, auditors consistently expect it as evidence that the organization tests its controls against real-world attack scenarios. Annual penetration testing has become a de facto requirement for SOC 2 compliance.
PCI DSS
PCI DSS Requirement 11.4 mandates external and internal penetration testing at least annually and after any significant infrastructure or application change. Tests must follow an industry-accepted methodology such as NIST SP 800-115. Segmentation testing is required every six months for organizations using network segmentation to reduce their cardholder data environment scope.
ISO 27001
ISO 27001 Annex A control A.12.6.1 requires organizations to manage technical vulnerabilities. Penetration testing is the primary method for validating that vulnerability management controls are effective. Certification auditors expect to see pentest reports as evidence of ongoing security assurance. Annual testing is the standard cadence for ISO 27001 certified organizations.
PIPEDA & Provincial
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to protect personal information with security safeguards appropriate to the sensitivity of the data. The Office of the Privacy Commissioner has cited the absence of penetration testing as a contributing factor in breach investigations. Provincial legislation in BC, Alberta and Quebec imposes similar requirements.
Not sure where you stand? Start with our free external security scorecard. It provides a baseline assessment of your organization's external attack surface including DNS configuration, SSL/TLS posture, email authentication (SPF, DKIM, DMARC), exposed services and known vulnerability exposure. The scorecard takes five minutes to generate and requires no access to your internal systems.
The scorecard is not a penetration test. It is a non-intrusive external scan that identifies the most obvious issues an attacker would see when targeting your organization. Many clients use it to build the internal case for a full penetration test. When your CISO or board sees a D-grade scorecard, the budget conversation becomes significantly easier.
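The email authentication checks listed above (SPF and DMARC), as an added example that is not the scorecard's own code: an offline evaluator that reads SPF and DMARC TXT records, flags the weak settings an external scanner would report (no record, `+all`, `p=none`, no reporting address) and turns the issue count into an illustrative letter grade. The domains and records are constructed, not real DNS lookups; DKIM is not covered because its selectors are not discoverable from the domain alone.

```python
"""Offline SPF/DMARC posture check over constructed DNS TXT records.

Added example; not Sherlock Forensics' scorecard code. Record syntax follows
RFC 7208 (SPF) and RFC 7489 (DMARC); the letter-grade mapping is illustrative.
"""

# Constructed TXT records keyed by the name an external scanner would query.
SAMPLE_TXT = {
    "strict.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.test; pct=100"],
    "example.test": ["v=spf1 include:_spf.mail.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

LOOKUP_MECHANISMS = ("include", "a", "mx", "exists")


def check_spf(records):
    """Return a list of SPF weaknesses for the TXT records of a domain."""
    issues = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        issues.append("more than one SPF record (receivers treat this as a permanent error)")
    terminal = None
    lookups = 0
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            terminal = qualifier
        name = mech.split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or mech.startswith("redirect="):
            lookups += 1  # top-level terms only; nested includes add more
    if terminal is None:
        issues.append("no terminal 'all' mechanism (unlisted senders are neutral, not rejected)")
    elif terminal == "+":
        issues.append("'+all' authorizes any host on the internet to send as this domain")
    elif terminal == "?":
        issues.append("'?all' is neutral; unlisted senders are neither passed nor failed")
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return issues


def check_dmarc(records):
    """Return a list of DMARC weaknesses for the TXT records at _dmarc.<domain>."""
    issues = []
    dmarc = [r for r in records if r.replace(" ", "").startswith("v=DMARC1")]
    if not dmarc:
        return ["no DMARC record at _dmarc.<domain> (spoofed mail is delivered unchallenged)"]
    if len(dmarc) > 1:
        issues.append("more than one DMARC record (receivers discard the policy)")
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy is None:
        issues.append("DMARC record has no 'p' tag and is invalid")
    elif policy.lower() == "none":
        issues.append("p=none only monitors; mail that fails DMARC is still delivered")
    if "rua" not in tags:
        issues.append("no 'rua' address, so nobody receives reports of who is spoofing the domain")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    return issues


def posture(domain, txt=SAMPLE_TXT):
    """Grade a domain from its SPF and DMARC records (illustrative A-F scale)."""
    issues = check_spf(txt.get(domain, [])) + check_dmarc(txt.get(f"_dmarc.{domain}", []))
    grade = "ABCDF"[min(len(issues), 4)]  # 0 issues = A, 4 or more = F
    return {"domain": domain, "grade": grade, "issues": issues}


if __name__ == "__main__":
    for domain in ("strict.test", "example.test", "weak.test"):
        result = posture(domain)
        print(f"{result['grade']}  {domain}")
        for issue in result["issues"]:
            print(f"     - {issue}")
```

Wired to a real resolver, `check_spf` would also need to follow `include:` and `redirect=` recursively before judging the lookup limit, and a full scorecard would add the DNS, TLS and exposed-service checks the page lists; the record parsing and the policy judgments shown here are the part that carries the security meaning.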
If the scorecard reveals issues, we provide a complimentary 15-minute call to walk through the results and recommend next steps. No sales pitch. No pressure. Just a technical professional explaining what the findings mean and what you should prioritize.
A standard penetration test takes one to three weeks from scoping to final report delivery. The active testing phase typically runs three to ten business days depending on the size of the environment. A small web application with five to ten endpoints can be tested in three days. A full enterprise network assessment with multiple subnets and hundreds of hosts requires two weeks or more. Retesting after remediation adds another two to five days.
How much does a penetration test cost in Canada?
Penetration testing in Canada ranges from $1,500 CAD for a focused web application test to $45,000 or more for a full red team engagement. A standard external network pentest costs $3,000 to $8,000 CAD. Internal network assessments run $5,000 to $15,000 CAD depending on subnet count. API security testing starts at $2,500 CAD. Cloud configuration reviews start at $4,000 CAD. The primary cost drivers are scope, complexity and the number of IP addresses or endpoints in the target environment.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is an automated process that identifies known vulnerabilities by matching software versions against a database. It produces a list of potential issues but does not verify whether they are exploitable. A penetration test is a manual assessment performed by a security professional who actively attempts to exploit vulnerabilities, chain findings together and demonstrate real-world attack impact. Vulnerability scans cost $200 to $500 and take hours. Penetration tests cost $1,500 or more and take days to weeks. Compliance frameworks like PCI DSS and SOC 2 require penetration testing, not just vulnerability scanning.
How often should we get a penetration test?
Most compliance frameworks require annual penetration testing at minimum. PCI DSS requires testing after any significant infrastructure change and at least once per year. SOC 2 auditors expect annual testing as evidence of ongoing security controls. Beyond compliance, best practice is to test after major application releases, infrastructure changes, mergers or acquisitions and any incident that suggests a gap in your defenses. Organizations with high-risk profiles or rapid development cycles should test quarterly.
Get Started
Commission a Penetration Test
Sherlock Forensics has delivered penetration testing engagements for Canadian organizations since 2006. CISSP, ISSAP and ISSMP certified. OWASP methodology. Every engagement includes a detailed report, executive summary, remediation guidance and a retest to verify your fixes. From $1,500 CAD.
Since 2006. CISSP, ISSAP, ISSMP certified. 604.229.1994
Call us. We will assess your environment in a 15-minute scoping call and recommend the right test type, scope and budget. No obligation. No sales pitch. Just a technical professional helping you make an informed decision.