Decision Guide

Not Sure Which Security Assessment You Need? Start Here.

20 years of testing has taught us that 60% of companies buy the wrong security service. This guide fixes that.

Security assessments fall into six categories: vulnerability scans, external pentests, internal pentests, red team exercises, security audits and compliance assessments. The right choice depends on your compliance requirements, environment type, threat model and budget. This guide maps each assessment to specific industries and frameworks.

Penetration test. Vulnerability scan. Security audit. Red team. These terms get used interchangeably by vendors who want to sell you whatever they have on the shelf. They are not the same thing. Choosing the wrong assessment wastes money and leaves gaps in your security posture. Use the interactive tool below or read the full comparison to find exactly what your organization needs.


Comparison

Security Assessment Comparison Matrix

Six assessment types compared across scope, timeline, cost and compliance coverage. Use this table to understand what each service delivers before making a decision.

Vulnerability Scan
What it tests: Known CVEs, missing patches, common misconfigurations
Time required: 1-2 days
Cost range (CAD): $1,500 - $3,000
Compliance it satisfies: PCI ASV (quarterly), basic due diligence
When you need it: Quarterly baseline, pre-pentest reconnaissance, continuous monitoring
What you get: Automated findings report with CVE references and severity ratings

Pentest (External)
What it tests: Internet-facing apps, APIs, servers. Business logic and authentication
Time required: 5-10 days
Cost range (CAD): $5,000 - $15,000
Compliance it satisfies: PCI DSS 11.3, SOC 2 CC7.1, HIPAA technical safeguards
When you need it: Annual compliance, pre-launch validation, post-breach hardening
What you get: Manual findings report with PoC exploits, risk ratings and remediation guidance

Pentest (Internal)
What it tests: Internal network, Active Directory, lateral movement, privilege escalation
Time required: 5-10 days
Cost range (CAD): $5,000 - $15,000
Compliance it satisfies: PCI DSS 11.3, SOC 2 CC7.1, ISO 27001 A.12.6
When you need it: Insider threat assessment, Active Directory security, post-acquisition
What you get: Attack path documentation, AD security assessment, privilege escalation map

Red Team
What it tests: Full kill chain: social engineering, physical access, network, application, data exfiltration
Time required: 2-4 weeks
Cost range (CAD): $15,000 - $50,000+
Compliance it satisfies: Advanced compliance validation, cyber insurance requirements
When you need it: Mature security programs, board-level risk reporting, insurance validation
What you get: Executive narrative, full attack chain documentation, detection gap analysis

Security Audit
What it tests: Policies, configurations, architecture, code review, process gaps
Time required: 1-3 weeks
Cost range (CAD): $5,000 - $20,000
Compliance it satisfies: ISO 27001, SOC 2 readiness, PIPEDA accountability
When you need it: Before compliance certification, after architecture changes, M&A due diligence
What you get: Control assessment report, gap analysis, remediation roadmap

Compliance Assessment
What it tests: Controls mapped to a specific framework (PCI, SOC 2, HIPAA, ISO 27001)
Time required: 2-6 weeks
Cost range (CAD): $8,000 - $30,000
Compliance it satisfies: Direct framework attestation and gap analysis
When you need it: Certification preparation, annual recertification, regulatory response
What you get: Framework-mapped report, evidence matrix, attestation letter

All prices in Canadian dollars. Actual cost depends on scope, number of targets and engagement complexity. View our published pricing.

By Compliance Framework

Which Assessment Does Your Framework Require?

Compliance frameworks specify different testing requirements. This mapping tells you exactly which assessments satisfy each standard. Do not rely on a vendor's interpretation. Read the standard yourself and confirm with your auditor.

PCI DSS
Required assessment: Penetration test
Frequency: Annual + after significant changes
Notes: Requirement 11.3. Must include network and application layer testing. ASV scans required quarterly.

SOC 2
Required assessment: Penetration test + security audit
Frequency: Annual
Notes: CC7.1 requires vulnerability management evidence. Pentest is best practice for Type II reports.

HIPAA
Required assessment: Risk assessment + penetration test
Frequency: Annual
Notes: Security Rule requires technical safeguard evaluation. Pentest validates ePHI access controls.

PIPEDA
Required assessment: Security audit
Frequency: Ongoing
Notes: Principle 4.7 requires appropriate safeguards. Audit demonstrates accountability and due diligence.

ISO 27001
Required assessment: Penetration test + security audit
Frequency: Annual
Notes: Annex A.12.6 requires technical vulnerability management. Pentest validates control effectiveness.

Need compliance-specific testing? View our compliance penetration testing services.

By Industry

What Your Industry Actually Needs

Every industry has different risk profiles and compliance obligations. These recommendations are based on 20 years of engagements across Canadian businesses. Start here, then refine based on your specific environment.

SaaS Startups
Start with an external application pentest focused on your web app and API. If you are pursuing SOC 2 for enterprise sales, add a security audit. Most SaaS companies at Series A need a pentest every 6 to 12 months as their codebase evolves rapidly.
Law Firms
Law firms handle privileged client data and are high-value targets for threat actors. Start with an external pentest and a security audit of your document management systems. Firms handling M&A or IP cases should consider internal network testing annually.
Healthcare
HIPAA requires risk assessments and technical safeguard validation. You need a penetration test of systems that store or transmit ePHI, plus a formal risk assessment. Healthcare organizations in Canada must also satisfy PIPEDA obligations for patient data.
Financial Services
Financial institutions face the broadest testing requirements. PCI DSS mandates annual pentesting for card data environments. Regulators expect comprehensive testing including internal network assessments and red team exercises for larger organizations. Start with compliance-driven testing and layer in adversary simulation as your program matures.
E-commerce
If you process credit cards, PCI DSS applies. You need quarterly ASV scans and an annual penetration test that covers your payment flow, checkout process and customer account management. Platforms with custom integrations should test API security separately. See our e-commerce security page.
Manufacturing
Manufacturing environments with OT and ICS systems require specialized testing that does not disrupt production. Start with a security audit of your IT/OT boundary, then scope a pentest of internet-facing systems. Never pentest production OT systems without a detailed safety assessment and maintenance window.

Deep Dive

Understanding Each Assessment Type

Vulnerability Scan

An automated tool runs against your systems and compares findings to a database of known vulnerabilities. It identifies missing patches, default configurations and known CVEs. Scanners cannot test business logic, authentication flows or complex attack chains. Think of it as a health screening, not a diagnosis. A scan tells you what might be wrong. A pentest tells you what an attacker can actually do. For more detail, read our pentest vs vulnerability scan comparison.

External Penetration Test

A qualified tester manually attacks your internet-facing systems from an external perspective. This includes web applications, APIs, mail servers, VPN endpoints and cloud infrastructure. The tester identifies vulnerabilities, exploits them to demonstrate real impact and documents the full attack path. This is the most commonly required assessment for compliance and the best starting point for most organizations. View our penetration testing services.

Internal Penetration Test

Simulates an attacker who already has network access, whether through a compromised employee credential, physical access or a breached VPN. The tester attempts lateral movement, privilege escalation and domain compromise from inside your network. Critical for organizations concerned about insider threats, ransomware propagation or Active Directory security. Read our internal pentest methodology.

Red Team Exercise

A red team simulates a real adversary with defined objectives. Unlike a pentest that finds as many vulnerabilities as possible, a red team focuses on achieving specific goals: stealing data, compromising domain admin or bypassing security controls. Red teams test your detection capabilities, incident response processes and security team effectiveness. Appropriate for organizations with mature security programs.

Security Audit

A comprehensive review of your security posture including policies, configurations, architecture and processes. Audits do not involve active exploitation but provide a holistic view of security gaps. They are essential for organizations preparing for compliance certification, evaluating M&A targets or building a remediation roadmap. View our risk management and audit services.

Compliance Assessment

A targeted evaluation mapped to a specific regulatory framework. The assessor reviews your controls against framework requirements, identifies gaps and provides a roadmap to certification. Compliance assessments often combine elements of audits and pentests. The output is a framework-mapped report that auditors can use directly. View our compliance testing services.

Frequently Asked Questions

Security Assessment FAQs

What is the difference between a penetration test and a vulnerability scan?
A vulnerability scan is automated and checks for known issues. A penetration test is manual and demonstrates how an attacker actually exploits your systems. Scanners find CVEs. Pentesters find business logic flaws, authentication bypasses and chained attack paths that scanners cannot detect. Full comparison here.
Do I need a pentest for SOC 2 compliance?
SOC 2 does not explicitly mandate a pentest but auditors expect it. The CC7.1 control requires evidence of vulnerability management and a penetration test is the strongest evidence you can provide. Most auditors will flag its absence in a Type II report.
How much does a penetration test cost in Canada?
Canadian pentest pricing ranges from $1,500 for a quick audit to $30,000+ for comprehensive engagements. Sherlock Forensics publishes transparent pricing starting at $1,500. Cost depends on targets, complexity and compliance requirements. View full pricing breakdown.
How often should I get a penetration test?
At minimum, annually. PCI DSS requires annual testing plus retesting after significant changes. Organizations that deploy code frequently or handle sensitive data should test quarterly. Continuous penetration testing programs are emerging as the standard for high-risk environments.
What is the difference between a pentest and a red team exercise?
A pentest methodically tests a defined scope to find as many vulnerabilities as possible. A red team simulates a real adversary with specific objectives like data theft or domain compromise. Pentests measure your technical defenses. Red teams measure your detection and response capabilities.
Can a vulnerability scan replace a penetration test?
No. Vulnerability scans cannot test business logic, bypass authentication or demonstrate exploitation impact. Compliance frameworks that require penetration testing will not accept a scan as a substitute. Use scans for continuous monitoring between pentests, not as a replacement.
What should I look for in a penetration testing company?
Look for published methodology, named testers with recognized certifications (OSCP, OSCE, GPEN), transparent pricing and sample reports. Avoid firms that outsource testing, refuse to name their testers or pressure you into unnecessary scope. What to expect from a pentest engagement.
How long does a penetration test take?
A quick audit takes 1 to 3 days. A standard pentest takes 5 to 10 business days. Comprehensive engagements take 2 to 4 weeks. Reports are delivered within 5 business days after testing. Timeline depends on scope, target count and application complexity.

Free Consultation

Still not sure? We will tell you exactly what you need.

15-minute call. No obligation. No sales pitch. Just a straight answer from a team that has been doing this for 20 years.

Get Started Online

Talk to a Security Expert

Call 604.229.1994 or use the contact form. We will tell you exactly what you need in a 15-minute call. No obligation.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada
Experience: 20 years, thousands of engagements