From $12,000 CAD

SaaS Penetration Testing

Since 2006. CISSP-ISSAP certified. Multi-tenant isolation testing, API security and SOC 2 aligned reporting for cloud-hosted platforms.

SaaS penetration testing evaluates multi-tenant isolation, API security, authentication mechanisms, authorization controls and data handling in cloud-hosted platforms. Sherlock Forensics provides SaaS-specific penetration testing from $12,000 CAD with SOC 2 alignment and CISSP-ISSAP certified examiners based in Vancouver.

The Risk

Why SaaS Companies Need Penetration Testing

SOC 2 Type II auditors expect evidence of security testing. Not a vulnerability scan report. Not a checkbox from an automated tool. They want a penetration test report that maps findings to specific control objectives. Without one, your audit timeline extends and your customers start asking harder questions.

Customer security questionnaires now arrive before the sales contract. Enterprise buyers send 200+ question assessments asking for your last pentest date, scope and remediation timelines. If you cannot provide a current report, the deal stalls. In 2025, Verizon's DBIR reported that web application attacks accounted for 26% of all breaches. SaaS platforms are web applications with amplified blast radius.

Multi-tenant architecture creates risks that do not exist in traditional applications. A single authorization flaw exposes every customer's data simultaneously. When Tenant A can access Tenant B's records through a broken object-level authorization check, the breach affects your entire customer base. Not one account. All of them.

Your API surface is larger than a traditional web application. A typical SaaS platform exposes 50-300 API endpoints. Each endpoint accepts parameters, processes authentication tokens and returns data. Each one is a potential entry point. Automated scanners test for known CVEs. They do not test whether your /api/v2/invoices/{id} endpoint properly validates that the requesting user owns that invoice.

The cost equation is simple. A pentest costs $12,000-$30,000 CAD. A multi-tenant data breach costs $4.45 million USD on average according to IBM's 2024 Cost of a Data Breach Report. Factor in customer churn, regulatory fines under PIPEDA and the SOC 2 report you will never receive, and the pentest pays for itself before your next board meeting.

Scope

What We Test in a SaaS Pentest

Authentication

SSO integration testing across SAML and OIDC providers. MFA bypass attempts including token replay, backup code brute-forcing and session fixation. Session management review covering token expiry, rotation and secure flag enforcement. OAuth flow validation for implicit grant and authorization code vulnerabilities.

Authorization

RBAC testing across every user role in your application. Horizontal and vertical privilege escalation attempts. IDOR (Insecure Direct Object Reference) testing on all resource endpoints. Permission boundary validation between admin, member and viewer roles. API-level authorization checks, verifying that direct API calls cannot bypass restrictions enforced only in the front-end.

Tenant Isolation

Cross-tenant data access testing through parameter manipulation, header injection and API enumeration. Shared resource abuse including storage buckets, queues and cache layers. Database isolation validation for row-level security implementations. Subdomain-based tenant separation boundary testing.

API Security

Full endpoint enumeration from documentation and traffic analysis. Rate limiting validation on authentication and data export endpoints. Input validation testing for injection, XXE and deserialization flaws. Authentication bypass through token manipulation, key confusion and algorithm switching attacks.

Payment Flows

Stripe and payment integration testing for price manipulation, coupon abuse and plan downgrade exploitation. Subscription tier boundary testing to verify feature gating at the API level. Free trial abuse scenarios including account cycling and trial extension through API manipulation.

Data Export/Import

Bulk data extraction testing through pagination abuse and export functionality. CSV injection in downloadable reports. File upload abuse including unrestricted file types, oversized uploads and path traversal. Import functionality testing for XML injection and formula injection in spreadsheet imports.

Attack Scenarios

SaaS-Specific Attack Scenarios

These are real attack patterns we test for in every SaaS engagement. Each one has been exploited in production SaaS platforms within the past 18 months. Automated scanners miss all of them because they require understanding of application logic and multi-tenant data boundaries.

  • Tenant A accessing Tenant B's data through parameter manipulation. Changing the org_id or tenant_id parameter in API requests to retrieve another organization's records. This is the most common SaaS vulnerability we find and the most damaging.
  • Privilege escalation from viewer to admin via API. The front-end hides admin controls from viewer accounts. The API accepts the same requests from any authenticated user. A viewer sends the admin-only API call directly and gains full account control.
  • IDOR vulnerabilities in resource endpoints. Sequential or predictable resource IDs in URLs like /api/invoices/10432 allow enumeration. An attacker iterates through IDs to access invoices, reports or files belonging to other users within the same tenant or across tenants.
  • API key leakage in client-side JavaScript. Service keys, internal API tokens or third-party credentials embedded in bundled JavaScript files. These keys often have broader permissions than the front-end needs, enabling backend access that bypasses the application entirely.
  • Webhook endpoint abuse and SSRF. Webhook configuration features that accept arbitrary URLs can be exploited for Server-Side Request Forgery. An attacker points the webhook to internal infrastructure addresses (169.254.169.254 for cloud metadata) to extract secrets and access tokens.
  • Session fixation across subdomain tenants. When tenants operate on subdomains (tenant1.app.com, tenant2.app.com), cookies scoped to the parent domain allow session sharing. An attacker authenticated on one subdomain reuses the session cookie to access another tenant's subdomain.
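The first three scenarios above (tenant_id manipulation, viewer-to-admin escalation via the API, and IDOR on sequential invoice IDs) share one root cause: the server trusts the request instead of the authenticated session. The following added example, which is not code from this page or from Sherlock Forensics, models a /api/invoices/{id} lookup and an admin-only user listing in plain Python, with the vulnerable handler beside its hardened form. Tenants, users, invoice IDs and role names are constructed sample data; the cross_tenant_probe helper reproduces what a tester observes before and after the fix.

```python
"""Added example (not code from the page or from Sherlock Forensics): object-level
authorization and role enforcement for a multi-tenant invoice API.
All tenants, users, invoices and role names are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    tenant_id: int
    role: str  # constructed roles: "viewer", "member", "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: int
    owner_id: int
    total_cents: int


# Constructed sample data: two tenants and sequential invoice IDs, as in the IDOR scenario.
INVOICES = {
    10432: Invoice(10432, tenant_id=1, owner_id=100, total_cents=15000),
    10433: Invoice(10433, tenant_id=2, owner_id=200, total_cents=99000),
}
USERS = {
    100: User(100, tenant_id=1, role="viewer"),
    101: User(101, tenant_id=1, role="admin"),
    200: User(200, tenant_id=2, role="member"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Broken object-level authorization: any authenticated user can fetch any ID."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_hardened(user: User, invoice_id: int) -> Invoice:
    """Tenant-scoped lookup. The tenant comes from the authenticated session, never
    from a client-supplied org_id/tenant_id parameter. A record outside the caller's
    tenant is reported as not-found rather than forbidden, so enumerating IDs does
    not reveal which invoices exist in other tenants."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != user.tenant_id:
        raise NotFound(invoice_id)
    return inv


ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2}


def require_role(user: User, minimum: str) -> None:
    """Server-side role check; raising here is what the front-end cannot be trusted to do."""
    if ROLE_RANK[user.role] < ROLE_RANK[minimum]:
        raise Forbidden(f"{user.role} may not perform a {minimum}-only action")


def list_tenant_users_vulnerable(caller: User) -> list:
    """The admin-only restriction exists only in the UI; the API accepts any role."""
    return sorted(u.user_id for u in USERS.values() if u.tenant_id == caller.tenant_id)


def list_tenant_users_hardened(caller: User) -> list:
    """Same endpoint with the role enforced on the server before any data is read."""
    require_role(caller, "admin")
    return sorted(u.user_id for u in USERS.values() if u.tenant_id == caller.tenant_id)


def cross_tenant_probe(endpoint, user: User, ids=(10432, 10433)) -> dict:
    """Test-harness step: request each ID as the given user and classify the outcome.
    Shows what a tester sees before and after the fix."""
    outcome = {}
    for i in ids:
        try:
            inv = endpoint(user, i)
            outcome[i] = "same-tenant" if inv.tenant_id == user.tenant_id else "CROSS-TENANT LEAK"
        except NotFound:
            outcome[i] = "not found"
    return outcome


if __name__ == "__main__":
    viewer = USERS[100]
    print("vulnerable:", cross_tenant_probe(get_invoice_vulnerable, viewer))
    print("hardened:  ", cross_tenant_probe(get_invoice_hardened, viewer))
```

The hardened lookup filters by the session's tenant in the same query that fetches the record, which is the shape a row-level-security policy or an ORM default scope should take; bolting a comparison on after the fetch leaves the same data exposed to any code path that forgets it.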

For methodology details, refer to the OWASP Web Security Testing Guide and the OWASP API Security Top 10. Our testing methodology incorporates both frameworks with SaaS-specific extensions for multi-tenancy and B2B authorization models.

Compliance

Compliance Alignment

Our reports do not just list vulnerabilities. They map every finding to the specific compliance control it violates. Your compliance team and auditors get a direct connection between the technical issue and the regulatory requirement.

SOC 2 Type II

Findings mapped to Common Criteria (CC6.1, CC6.3, CC7.1, CC7.2). Report format accepted by all Big Four audit firms. Covers logical access controls, system operations and change management requirements.

ISO 27001

Findings mapped to Annex A controls (A.8 Asset Management, A.9 Access Control, A.14 System Acquisition). Supports your Statement of Applicability and risk treatment plan.

PCI DSS

Required if your SaaS platform processes, stores or transmits cardholder data. Findings mapped to PCI DSS 4.0 requirements including Requirement 6 (Develop and Maintain Secure Systems) and Requirement 11 (Test Security of Systems and Networks).

PIPEDA

Canadian privacy law requiring organizations to protect personal information with appropriate safeguards. A penetration test demonstrates due diligence under Principle 7 (Safeguards). Findings identify gaps in technical controls protecting customer PII.

Need a compliance-specific penetration test? We offer dedicated engagements scoped to individual frameworks. For broader security assessments, see our penetration testing services.

Pricing

SaaS Pentest Pricing

Standard SaaS Pentest

From $12,000 CAD

Fixed-price quote after scoping call. No hourly billing surprises.

  • API endpoint testing (REST, GraphQL)
  • Multi-tenant isolation validation
  • Authentication and authorization testing across all user roles
  • OWASP Top 10 and API Security Top 10 coverage
  • Executive summary and technical report with remediation guidance
  • SOC 2 aligned report format available at no extra cost
  • Retesting included within 90 days of report delivery
  • Direct access to your assigned tester during the engagement
Request a Quote

Final pricing depends on the number of API endpoints, user roles, third-party integrations and whether payment processing is in scope. Most SaaS engagements fall between $12,000 and $30,000 CAD. For a breakdown of penetration testing costs in Canada, see our pricing guide.

Human vs Machine

Is a Penetration Testing Service Worth Paying for vs Automated Scanning?

Yes. This is a direct answer because the distinction matters.

Automated scanners (Burp Suite Pro, OWASP ZAP, Nessus, Qualys) test for known CVEs in your technology stack. They check whether your framework version has a published vulnerability. They test for reflected XSS with standard payloads. They flag missing security headers. This is useful work and we run these tools as part of our engagement.

But a scanner will never discover that Tenant A can read Tenant B's invoices by changing an ID parameter from 10432 to 10433. It will never find that a viewer-role account can call the /api/admin/users endpoint because the authorization check only exists in the front-end React component. It will never test whether your Stripe webhook endpoint validates the signature before processing the event.

These are business logic vulnerabilities. They are unique to your application. No CVE number exists for them. No signature-based scanner can detect them. They require a human tester who reads your API documentation, understands your data model, creates accounts at different permission levels and methodically tests every boundary between what a user should access and what the application actually allows.

In our SaaS engagements over the past 12 months, 73% of critical findings were business logic flaws that no automated tool detected. The scanner found the missing HSTS header. The human tester found the tenant isolation bypass that would have exposed 40,000 customer records.

Run automated scans weekly. They are cheap and catch regressions. But do not mistake a green scan report for security. Get a human penetration test at least annually and after every major feature release. For API-specific testing, the gap between automated and manual testing is even wider.
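Two of the checks named in this section and in the attack scenarios above concern webhooks: the webhook SSRF scenario (a customer-configured URL pointing at 169.254.169.254) and the Stripe webhook endpoint that must validate the signature before processing the event. The following added example, not code from this page or from Sherlock Forensics, shows both controls from the defender's side in Python. The outbound check resolves the hostname through a stub so the example runs offline; the inbound check mimics the documented Stripe-Signature header layout (t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<body>"), which is an assumption about format rather than Stripe's own library code. Secret, hostnames and event body are constructed sample values.

```python
"""Added example (not code from the page or from Sherlock Forensics): outbound webhook
URL validation against SSRF, and inbound webhook signature verification with a
freshness window. Hostnames, secret and event body are constructed sample values."""
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import urlsplit

# Address ranges a customer-supplied webhook must never reach. 169.254.0.0/16 covers
# the 169.254.169.254 cloud metadata service named in the attack scenarios.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve(host: str) -> list:
    """DNS stub for an offline example (assumption): IP literals resolve to themselves
    and two constructed hostnames are mapped. Production code calls
    socket.getaddrinfo and must check every returned address, and should pin the
    checked address for the actual connection to defeat DNS rebinding."""
    constructed = {"hooks.example.net": ["203.0.113.10"], "evil.example": ["169.254.169.254"]}
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return constructed.get(host, [])


def _blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:169.254.169.254 unwraps to IPv4
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def webhook_url_allowed(url: str) -> bool:
    """Accept only https URLs without userinfo whose every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname or parts.username:
        return False
    addrs = resolve(parts.hostname.lower())
    return bool(addrs) and not any(_blocked(a) for a in addrs)


def sign_event(secret: str, body: bytes, ts: int) -> str:
    """Produce a header in the assumed t=...,v1=... layout (used here to build test input)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_signature(secret: str, body: bytes, header: str, now=None, tolerance: int = 300) -> bool:
    """Return True only if the HMAC over "<ts>.<raw body>" matches and the timestamp
    is within the tolerance window. The raw body bytes must be used, not a re-serialised
    JSON object, or the MAC will not match. Comparison is constant-time."""
    now = int(time.time()) if now is None else now
    fields = dict(kv.split("=", 1) for kv in header.split(",") if "=" in kv)
    try:
        ts = int(fields["t"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False  # stale or replayed event
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), fields.get("v1", "").encode())


if __name__ == "__main__":
    for u in ("https://hooks.example.net/events", "https://169.254.169.254/latest/meta-data/"):
        print(u, "->", "allowed" if webhook_url_allowed(u) else "rejected")
    body = b'{"type":"invoice.paid","id":"evt_constructed_1"}'
    hdr = sign_event("whsec_constructed", body, int(time.time()))
    print("signature valid:", verify_signature("whsec_constructed", body, hdr))
```

During an engagement the inbound check is exercised by posting an event with no header, a tampered body, and a header older than the tolerance window; the outbound check is exercised by configuring a webhook to a metadata or private address and to a hostname that resolves there.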

Questions

SaaS Penetration Testing FAQ

How much does a SaaS pentest cost?

Starting at $12,000 CAD for a standard SaaS penetration test. Final pricing depends on the number of API endpoints, user roles, third-party integrations and application complexity. Multi-tenant platforms with complex RBAC models or payment processing integrations will fall toward the higher end. We provide a fixed-price quote after reviewing your application architecture. No hourly billing. No scope creep charges. See our penetration testing pricing guide for detailed breakdowns.

Do I need a pentest for SOC 2?

SOC 2 Type II requires evidence of security testing as part of the Common Criteria. While the AICPA does not mandate penetration testing by name, auditors consistently expect it. Every Big Four and mid-tier audit firm we have worked with has requested a penetration test report. A pentest report that maps findings to SOC 2 control objectives (CC6.1, CC6.3, CC7.1) satisfies this requirement and gives your auditor exactly what they need. See our compliance penetration testing page for framework-specific details.

How long does a SaaS pentest take?

2-4 weeks depending on application size and API surface area. A SaaS platform with 50 API endpoints and 3 user roles takes approximately 2 weeks of active testing. A platform with 200+ endpoints, complex RBAC, payment processing and multiple third-party integrations requires 3-4 weeks. Add 5 business days for report delivery after testing concludes. We provide a timeline estimate during the scoping call.

What do you need from us before testing?

Staging environment access, API documentation (Swagger/OpenAPI preferred), test accounts for each user role in your application, a list of third-party integrations and any areas you want excluded from testing. Architecture diagrams and data flow documentation are helpful but not required. We provide a detailed onboarding checklist after contract signing. Most teams have everything ready within 3-5 business days.

Will testing affect our production environment?

We test on staging environments by default. This eliminates risk to your production data and users. Production testing is available when staging does not accurately represent the live application. In those cases, we coordinate timing windows, use rate-limited testing techniques and avoid destructive operations. Account deletion, data modification and load testing are never performed on production without explicit written authorization from your team.

Is automated scanning enough for SaaS security?

No. Automated scanners detect known CVEs in frameworks and libraries. They cannot test business logic flaws, tenant isolation boundaries or authorization bypass scenarios specific to your application. In our SaaS engagements over the past 12 months, 73% of critical findings were business logic issues that no automated scanner flagged. Run automated scans for regression coverage. Get a manual penetration test at least annually and after major releases.

Protect Your Platform

Protect Your Platform Before Attackers Do

One tenant isolation bypass exposes every customer on your platform. One broken authorization check gives attackers admin access. Get a SaaS-specific penetration test from a team that has tested multi-tenant applications since 2006. See also: penetration testing services, API security testing and compliance penetration testing.

Since 2006 | CISSP-ISSAP certified | 604.229.1994

Ready to Scope Your SaaS Pentest?

Call us or fill out the contact form. We will review your application architecture, provide a fixed-price quote and give you a timeline within one business day.

Call 604.229.1994