A penetration test is a controlled, authorized attack on your network, web applications, or employees to find and prove exploitable vulnerabilities before a real attacker does. For a Canadian SMB, a focused external network pen test starts at CA$3,500; a comprehensive engagement covering network, web app, and social engineering runs CA$8,000–$25,000. Grey box testing is the most common and cost-effective starting point. Most businesses need a security assessment first — a pen test adds the most value once your baseline controls are in place.
What penetration testing is — and what it is not
Penetration testing is the practice of simulating a real-world attack on your IT environment under a controlled, legally authorized agreement. A qualified tester — or a small team — attempts to breach your defences using the same tools, techniques, and procedures a malicious actor would use, within a defined scope and time window. The goal is not to cause harm but to generate evidence: proof that specific vulnerabilities are reachable and exploitable, documentation of what an attacker could access once inside, and a clear risk-ranked list of findings with actionable remediation steps.
What penetration testing is not: it is not a vulnerability scan alone (a scanner identifies and classifies known CVEs automatically; a pen tester validates whether they are exploitable and what the chain of access looks like), not a security assessment (which evaluates your security program against a framework through interviews and documentation review — a separate but complementary exercise), and not a compliance certification. Passing a pen test does not grant a certificate. It generates evidence that supports compliance with SOC 2, PCI-DSS, PIPEDA, and cyber insurance requirements — but the compliance conclusion is made by your auditor or insurer, not your tester.
The critical distinction from a security assessment: an assessment evaluates your program at a program level. A pen test actively attacks specific technical targets. The CIRA Cybersecurity Survey 2024 found that while 46% of Canadian organizations experienced an incident in the prior twelve months, fewer than one-in-three could confirm they had run a professional penetration test in the preceding two years. That gap matters because many organizations have invested in controls that are misconfigured, partially deployed, or vulnerable to specific attack chains that only active testing reveals.
The value a pen test provides that no automated tool replicates is chaining: an unpatched VPN gateway provides initial access; flat network segmentation allows a pivot from one workstation directly to the domain controller; a forgotten service account with Domain Admin rights — created for a vendor integration two years ago and never decommissioned — is the final escalation. Each finding is medium severity in a scanner report. Together, they yield full Active Directory access from a single phishing email. Only manual testing reveals the chain.
Vulnerability assessment vs penetration test: choosing the right engagement
The terms vulnerability assessment and penetration test are used interchangeably in many vendor proposals — a confusion that costs Canadian businesses money spent on the wrong engagement or a false sense of assurance from an incomplete one.
A vulnerability assessment uses automated scanning tools — Nessus Professional, Qualys, Tenable.io, Rapid7 InsightVM — to inventory your systems, match software versions against known CVE databases, and output a severity-ranked list. Scan time for a typical SMB environment is measured in hours; report turnaround is 1–3 days. The output is a CVE list with CVSS scores and vendor patch references.
What a vulnerability assessment does not do: it does not verify whether a finding is exploitable in your specific configuration; it does not chain multiple findings into an attack path; and it does not test your people or your application logic (IDOR, authentication bypass, SSRF — vulnerabilities not catalogued in a CVE database). A CA$1,500 scan may surface 200 findings; a pen test on the same environment may find that 4 of them chained together provide full domain administrator access.
The practical sequencing for most Canadian SMBs: start with a cybersecurity risk assessment to establish your baseline and address Critical and High gaps, add quarterly automated vulnerability scans for ongoing patch visibility, then commission a pen test once core controls are in place. This avoids commissioning a CA$12,000 pen test on an environment so poorly controlled that the tester achieves full access in 90 minutes — a result any CA$2,500 assessment would have predicted.
Why Canadian SMBs cannot defer penetration testing
Four distinct pressures are converging to make penetration testing a near-requirement for Canadian businesses of all sizes in 2026, even those below the traditional enterprise threshold where pen tests were historically common.
Cyber insurance underwriter requirements: The Canadian market — Intact Financial, Aviva Canada, Northbridge, Zurich Canada — has shifted from questionnaire-based underwriting to technical validation since 2021. Several insurers now require evidence of annual penetration testing as a condition for issuing or renewing policies at competitive rates. A business that cannot demonstrate active testing may face excluded attack vectors, higher self-insured retentions, or premium increases of 15–40% versus an equivalent business with testing evidence.
SOC 2 demand from enterprise clients: Canadian SaaS providers, technology companies, and MSPs increasingly face SOC 2 Type II requests from US-based enterprise clients. Auditors mapping to the Common Criteria for logical access consistently expect annual testing evidence or a formally documented compensating control. Missing it creates pipeline friction with enterprise prospects regardless of your actual security posture.
PIPEDA and Quebec Law 25 due diligence: Both require safeguards appropriate to the sensitivity of personal information. The OPC at priv.gc.ca and Quebec's CAI have established through breach investigations that "appropriate safeguards" for organizations handling SINs, financial records, or health information include active technical control testing. Organizations without recent testing history face harder scrutiny when a breach triggers regulatory inquiry.
Supply-chain and contractual pressure: The Canadian Centre for Cyber Security (CCCS/CSE) guidance at cyber.gc.ca recommends penetration testing as part of a mature security program, referenced in federal procurement language. Private-sector supply chains are following: deferring testing creates eligibility risk with enterprise clients who make vendor security evidence a contract condition.
Test types: black box, grey box, and white box explained
Every penetration test begins with a decision about how much information the tester starts with. This determines both the simulation fidelity and the cost efficiency of the engagement. Each model has legitimate use cases; the right choice depends on what threat scenario you are testing against and how mature your security program is.
Black box testing simulates an external attacker with no prior knowledge of your environment. The tester begins with only your organization name or IP range and must conduct full reconnaissance — identifying systems, discovering the technology stack, enumerating attack surface — before attempting exploitation. Black box most accurately simulates an opportunistic, unknown external attacker. The limitation: testers spend a significant portion of the engagement on reconnaissance that an internal team could shortcut, which makes black box the most expensive approach per unit of vulnerability coverage. For most Canadian SMBs, black box is appropriate for annual external network tests where simulating a real external adversary is the primary goal.
Grey box testing is the most common and cost-effective model for Canadian SMBs. The tester receives limited prior knowledge — typically valid user credentials (representing a compromised employee account, a contractor, or a phishing victim who clicked a link), basic network documentation, and possibly application login access. This eliminates the reconnaissance overhead while still requiring the tester to discover and exploit internal vulnerabilities without privileged access. Grey box most accurately simulates the threat that drives the majority of Canadian SMB breaches: a credential-harvesting phishing attack that compromises one employee account, from which an attacker moves laterally. It delivers more findings per testing day than black box, making it more cost-efficient for organizations with limited budgets.
White box testing provides the tester with complete environment access: network diagrams, system documentation, source code (for web application tests), full administrative credentials, and a map of all systems in scope. The goal is maximum coverage — finding as many exploitable vulnerabilities as possible — rather than simulation of a specific threat scenario. White box is most appropriate for software companies testing a new application before launch, for organizations that have already completed multiple black and grey box tests and want the highest-coverage technical deep dive, and for compliance-driven tests requiring proof that a specific code base has been reviewed at source level.
Red team operations combine physical access, social engineering, network exploitation, and persistence into multi-week adversary simulations — testing detection and response, not just preventive controls. Engagements start at CA$25,000 and are appropriate only for organizations with a mature security operations function. Most Canadian SMBs should begin with a grey box network test.
Scope: network, web application, and social engineering
The three primary penetration test scopes address different attack surfaces. Most Canadian SMBs begin with one or two; a comprehensive test covering all three is typical for organizations with higher risk profiles (SaaS providers, healthcare practices, law firms, financial advisory firms).
External network penetration test: The most common starting point. The tester attacks your internet-facing systems from outside — firewalls, VPN gateways, remote desktop services, email infrastructure, DNS, and cloud assets. Common findings in Canadian SMB external tests include: exposed RDP without MFA or IP whitelisting (a persistent top finding since the COVID remote-work expansion), VPN concentrators running unpatched firmware, and cloud storage (Azure, AWS, GCP) with overly permissive access rules. External tests for a 10–50 user SMB take 3–5 days of active testing.
Internal network penetration test: Simulates an attacker who has already gained initial access — a phishing victim, a compromised contractor, or a threat actor who purchased stolen credentials on a dark web market. The tester is placed on your internal network (physically on-site or via VPN connection) with low-privilege or no credentials and attempts to escalate privileges, move laterally, and access sensitive data or critical systems. Internal tests consistently surface the highest-impact findings in Canadian SMB environments: Active Directory misconfigurations (Kerberoasting, AS-REP roasting, unconstrained delegation), lateral movement via over-provisioned service accounts, clear-text credentials in network shares or management systems, and flat network architecture that allows direct workstation-to-server communication with no micro-segmentation.
Web application penetration test: A manual test of a specific web application — your client portal, SaaS product, internal business application, e-commerce platform, or customer-facing API — against the OWASP Top 10 and beyond. Unlike automated web application scanners, a manual tester validates authentication bypass opportunities, tests for insecure direct object references (IDOR — the ability to access another user's data by manipulating URL parameters), business logic flaws, API authorization failures, and injection vulnerabilities that context-dependent automated scanning misses. Canadian software companies seeking SOC 2 Type II or approaching enterprise prospects typically begin their pen testing program with a web application test on their primary product.
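To make the IDOR class concrete, here is an added example in Python; it is hypothetical code written for this page, not code from any firm's portal or from the article. It models a client file-exchange portal with constructed sample matters (the client names, matter IDs and file names are invented), shows the vulnerable handler beside the fixed one, and includes the kind of ID-walking regression check an application team can run against its own handler before a tester does.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample data: two hypothetical clients and their matters.
# In a real portal this would be a database; every value here is invented.
MATTERS = {
    1001: {"client": "acme-corp", "files": ["contract.pdf", "witness-list.docx"]},
    1002: {"client": "opposing-co", "files": ["privileged-memo.pdf"]},
}


@dataclass
class Request:
    user: str       # authenticated identity taken from the session
    matter_id: int  # taken from the URL path, so fully user-controlled


class NotFound(Exception):
    """Raised when the caller may not see the requested matter."""


def list_files_vulnerable(req: Request) -> list[str]:
    """IDOR: the caller is logged in (implied by req.user) but nothing checks
    that the caller's client actually owns matter_id."""
    matter = MATTERS.get(req.matter_id)
    if matter is None:
        raise NotFound(req.matter_id)
    return matter["files"]


def list_files_fixed(req: Request) -> list[str]:
    """Object-level authorization: ownership is checked on every access.
    One 404 for both 'no such matter' and 'not your matter' keeps the
    response from confirming which matter IDs exist."""
    matter = MATTERS.get(req.matter_id)
    if matter is None or matter["client"] != req.user:
        raise NotFound(req.matter_id)
    return matter["files"]


def probe_for_idor(handler: Callable[[Request], list[str]],
                   user: str, ids: Iterable[int]) -> list[int]:
    """Regression check for a team's own handler: walk a range of matter IDs
    as one client and return every ID whose files were served even though
    the matter belongs to a different client."""
    leaked = []
    for mid in ids:
        try:
            handler(Request(user, mid))
        except NotFound:
            continue
        if MATTERS[mid]["client"] != user:
            leaked.append(mid)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("vulnerable handler leaks:", probe_for_idor(list_files_vulnerable, "acme-corp", ids))
    print("fixed handler leaks:", probe_for_idor(list_files_fixed, "acme-corp", ids))
```

The fix is the ownership comparison on every object access, not hiding the IDs: switching to random identifiers slows enumeration but does not remove the authorization gap, and `probe_for_idor` keeps passing only while the check stays in the handler.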
Social engineering / phishing simulation: Tests your employees' ability to recognize and resist phishing, vishing (voice phishing), and physical social engineering attempts. A typical engagement includes a targeted spear-phishing campaign (custom-crafted emails impersonating a vendor, internal sender, or delivery service, with a credential-harvesting landing page or malware payload link), plus optionally a vishing call campaign and a physical access attempt (tailgating into a secured area, connecting a USB device). Social engineering tests are particularly valuable for organizations whose training programs have not been validated in practice. Findings are presented as click rates, credential submission rates, and a narrative of the most successful techniques used — valuable data for targeting your security awareness training investment.
For most Canadian SMBs, start with an external plus internal grey box network test — this covers the two most common attack paths and gives the broadest risk picture per dollar. Add a web application test if you run a customer-facing application, and social engineering if your phishing training has never been validated in practice.
The penetration testing methodology: from kick-off to report
A professional penetration test follows a structured, reproducible methodology. Here is the sequence for a standard grey box external plus internal network engagement:
- Scoping and rules of engagement (1–2 hours, typically free): The tester confirms the in-scope systems (IP ranges, domain names, specific applications), explicitly excluded systems (production databases that cannot tolerate disruption, third-party systems outside your control), and rules of engagement (hours during which active testing is permitted, who to contact if a critical vulnerability is discovered, what to do if the tester achieves domain administrator access mid-engagement). You receive a written Statement of Work with a fixed price and signed authorization before any testing begins. Never allow testing without a signed authorization document — it is the legal instrument that distinguishes an authorized pen test from a criminal offence under Canada's Criminal Code s.342.1 (unauthorized use of a computer).
- Passive reconnaissance (1–2 days for external tests): The tester gathers publicly available information about your organization using open-source intelligence (OSINT) techniques — LinkedIn profiles for technology stack clues, Shodan and Censys for exposed services, WHOIS and DNS records for infrastructure mapping, certificate transparency logs for subdomain enumeration, GitHub for leaked credentials or internal documentation, and breach databases for previously exposed employee credentials. Passive reconnaissance is non-intrusive and leaves no footprint on your systems.
- Active scanning (0.5–1 day): Port scanning, service enumeration, and vulnerability scanning with tools such as Nessus, Burp Suite Pro, and Metasploit Framework. Coordinate with your IT team or MSP to prevent false-positive incident responses from your security monitoring.
- Exploitation (1–3 days): The tester actively exploits discovered vulnerabilities — going beyond flagging that a known CVE is present to proving it is exploitable on your specific system version and configuration. Each attempt is documented with screenshots, command output, and timestamps. The tester records what data was accessible at each stage — not to extract it but to prove what a real attacker could reach.
- Post-exploitation and lateral movement (1–2 days, internal tests): From initial access — exploited externally or via grey box credentials — the tester escalates privileges, moves laterally, and demonstrates reach to domain controllers, file servers, and accounting systems. This phase frequently reveals that the highest risk in a Canadian SMB environment is not the initial vulnerability but flat network architecture and over-privileged accounts that allow unrestricted movement once any single system is compromised.
- Report writing (3–5 days): The tester consolidates all findings into a structured report reviewed by a second assessor before delivery. Each finding includes a title, CVSS severity rating, technical description, proof-of-concept evidence, business impact statement, and specific remediation guidance.
- Debrief and retest offer: A 60–90 minute debrief walks your team through findings and remediation priorities. A credible firm includes a partial retest — typically at no additional charge — to validate that Critical and High findings are genuinely closed within 60–90 days of delivery.
Penetration testing pricing in Canada (2026)
Canadian penetration testing pricing varies substantially by scope, methodology, tester experience, and firm type. The table below covers market rates for professional, evidence-based penetration tests from qualified security firms in Canada. All figures are in Canadian dollars, before HST/GST, and exclude post-test remediation work.
| Engagement type | Scope | Price range (CAD) | Test duration |
|---|---|---|---|
| External network (grey box) | Internet-facing systems only, 10–50 users | CA$3,500 – CA$6,500 | 3–5 days active |
| External + internal network (grey box) | Full network scope, 10–50 users, standard SMB | CA$6,000 – CA$12,000 | 5–8 days active |
| Web application (manual, grey box) | Single web app or API, OWASP Top 10 + manual logic | CA$4,500 – CA$10,000 | 4–7 days active |
| Phishing / social engineering | Spear-phish campaign + optional vishing, 50–500 targets | CA$2,500 – CA$6,000 | 1–2 weeks campaign |
| Comprehensive (network + web app + phishing) | Full-scope SMB engagement, grey or white box | CA$8,000 – CA$20,000 | 10–15 days active |
| Red team operation | Multi-week adversary simulation, mature security programs | CA$25,000 – CA$80,000+ | 3–8 weeks |
Price drivers in the Canadian market: tester seniority (OSCP/OSCE3-certified senior testers command higher day rates than junior analysts), firm overhead (boutique Canadian security firms are generally cheaper than multinational consultancies for equivalent quality), scope complexity (multi-cloud environments, legacy systems, and custom applications add time), and report quality (a CA$4,000 engagement that produces a 6-page scan export is not equivalent to one that produces a 60-page evidence-based report with a business-impact-mapped remediation roadmap). Always ask to see a redacted sample report before signing a statement of work.
Many managed IT providers in Canada bundle an annual vulnerability assessment into their managed services agreement. Professional penetration testing is typically quoted separately — it requires specialized expertise and a different authorization and liability framework than ongoing managed services. If your MSP claims to include a full penetration test in your monthly agreement at no additional cost, clarify exactly what methodology, scope, and deliverables are included. See our Managed IT Services guide for what a well-structured MSP agreement actually covers.
Penetration test vs vulnerability assessment vs security assessment: full comparison
| Dimension | Security Assessment | Vulnerability Assessment | Penetration Test | Red Team |
|---|---|---|---|---|
| Method | Interviews, docs, light scanning | Automated scanner (Nessus, Qualys) | Manual exploitation by human tester | Full adversary simulation (multi-vector) |
| What it tests | Full security program (people, process, tech) | Known CVEs on scanned hosts | Defined attack surface (network, app, social) | Detection and response capability |
| Exploits vulnerabilities? | No | No | Yes — controlled, documented | Yes — covert, persistent |
| Primary output | Risk-scored report + remediation roadmap | CVE list with CVSS scores | Exploitation report with proof-of-concept | Attack narrative + detection gap analysis |
| Disruption risk | Minimal | Low | Moderate — scoped and agreed in advance | Moderate to high — by design |
| Typical CAD cost | CA$1,500 – CA$5,000 | CA$500 – CA$2,000 | CA$3,500 – CA$25,000 | CA$25,000 – CA$80,000+ |
| Best starting point for | Most SMBs with no prior testing | Ongoing patch-gap monitoring | SMBs with baseline controls in place | Mature organizations with SOC/IR team |
Penetration test deliverables: what a credible report contains
A professional penetration test report is the primary artifact you will use to drive remediation, satisfy compliance requirements, and demonstrate due diligence to your insurer or enterprise prospects. A report that fails to include specific sections is either incomplete or was generated by automated tooling and relabelled as a pen test. Use this checklist to evaluate what you receive.
- Executive summary (1–2 pages, non-technical): Written for the business owner or board. States the overall risk posture (Critical/High/Medium/Low overall rating), the number of findings at each severity level, the most dangerous attack path demonstrated, and the headline remediation investment required. If your CFO cannot read this section and immediately understand the business exposure, the firm wrote it for the wrong audience.
- Scope and methodology section: Documents exactly what was tested (IP ranges, domain names, application URLs, test type), what was excluded, the methodology (PTES, OWASP Testing Guide, NIST SP 800-115), test window dates, and tools used. SOC 2 auditors and cyber insurance underwriters review this section — it must be complete and specific, not boilerplate.
- Finding-by-finding technical section: Each finding includes a title, CVSS severity score, technical description, affected system and version, numbered exploitation steps, proof-of-concept evidence (terminal output or HTTP captures), a business impact statement, and a specific remediation recommendation — not generic ("update Apache to 2.4.59", not "keep systems patched").
- Attack path narrative: Where multiple findings were chained together, a narrative section tells the story of the full attack sequence — starting point, each pivot, and the access ultimately achieved. This section communicates the compounded risk of individually medium-severity findings in a way a flat finding list never does, and is typically the most effective motivator for remediation investment at the owner level.
- Prioritized remediation roadmap: A table with columns for finding name, severity, affected system, recommended remediation action, estimated effort in days, estimated remediation cost in Canadian dollars, responsible party, and target date. Importable into a project tracker. Critical and High findings should have 30-day target completion dates; Medium findings 60–90 days.
- Retest offer: A credible firm includes a partial retest commitment — typically validation of Critical and High findings within 60–90 days of report delivery at a fixed fee or included in the original scope. Retesting is the only way to confirm that a remediation action actually closed the vulnerability as intended, not just addressed the surface symptom.
- Technical appendix: Raw tool output, full screenshots, all commands run with timestamps, and a vulnerability reference table mapping findings to CVEs, OWASP identifiers, or CWE numbers. Required for cyber insurance claims, regulatory responses, and legal proceedings where the chain of evidence matters.
Compliance drivers: SOC 2, PIPEDA, cyber insurance, and Law 25
What each framework actually requires determines how your test should be scoped and what the report must include.
SOC 2 (AICPA Trust Services Criteria): SOC 2 does not list penetration testing as a named requirement, but the Common Criteria for Logical and Physical Access (CC6.x) require evidence that vulnerabilities are identified and addressed. In practice, SOC 2 Type II auditors expect to see annual pen test results or a documented compensating control. Enterprise clients reviewing your SOC 2 report will look for testing evidence — its absence weakens your report even if no single criterion mandates it by name.
PIPEDA (federal): Principle 7 requires safeguards appropriate to data sensitivity. The OPC at priv.gc.ca interprets this to require technical control testing for organizations handling sensitive personal data. Under the Breach of Security Safeguards Regulations, an organization that suffered a breach and cannot demonstrate regular control testing faces a difficult position in any OPC investigation. A pen test report with remediation evidence is the most credible technical safeguard documentation available.
Quebec Law 25: Fully operative since September 2024, Law 25 requires safeguards proportionate to data sensitivity and a Privacy Impact Assessment for projects involving personal information. The CAI can levy penalties up to CA$10 million or 2% of global turnover. See our Law 25 compliance guide for the full obligation set. Penetration test evidence directly supports both the security safeguard requirement and any CAI inquiry defence.
Cyber insurance underwriting: Canadian insurers increasingly require evidence of active testing at renewal. The controls most commonly asked about — MFA on privileged accounts, EDR on all workstations, tested offline backups, DMARC — overlap directly with pen test finding categories. A signed report from a qualified firm is the evidence insurers accept, and some provide a 5–15% premium discount for clients who produce current (within 12 months) results with remediation evidence.
PCI-DSS 4.0: Requirement 11.4 explicitly mandates annual penetration testing of the cardholder data environment (CDE) covering external and internal networks, application layer, and segmentation controls. If PCI-DSS applies to your environment, confirm your tester's PCI-DSS experience and whether they hold Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) credentials.
Case study: 35-person law firm in Toronto
The following composite is anonymized from real Canadian SMB penetration test engagements.
A 35-employee litigation firm with offices in Toronto and Ottawa had completed a cybersecurity risk assessment 14 months prior and addressed its Critical findings (MFA rollout, RDP lockdown, backup validation). The partners elected to commission a grey box external plus internal network penetration test at CA$8,500 to validate whether their remediation program had actually closed the previously identified risks and to satisfy a new cyber insurance renewal requirement from their underwriter.
The tester began with external reconnaissance and identified three internet-facing assets — the firm's email gateway (Microsoft 365 managed), a legacy case management system with a web interface accessible via HTTPS, and a client file-exchange portal. The legacy case management system was running an outdated TLS configuration (TLS 1.0 still permitted alongside TLS 1.2), which was flagged as a Medium finding — insufficient for exploitation alone but noted for remediation.
Internal grey box testing, starting from a standard user account, produced the following findings:
- Critical: A service account named svc_backup_legacy — created during a server migration four years earlier and never decommissioned — held Domain Admin membership. The account had a weak password (eight characters, no complexity) and was not protected by MFA. Kerberoasting the service account using freely available tooling yielded the password hash in 12 minutes on a standard GPU; the tester cracked it offline in approximately 40 minutes. From that account, full domain administrator access was achieved within three hours of beginning internal testing.
- High: The client file-exchange portal, while using valid TLS, was vulnerable to an Insecure Direct Object Reference (IDOR) flaw: by incrementing a numeric client matter ID in the URL, the tester accessed file listings for other clients' matters — including opposing counsel files from active litigation — without authentication. This was a business logic flaw invisible to automated scanning.
- Medium (three findings): SMB signing was not enforced on internal hosts, enabling potential NTLM relay attacks; printer servers were running outdated firmware with a known remote code execution vulnerability; and one laptop used by a partner running macOS had full disk encryption disabled.
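The Critical finding above (a Kerberoastable service account sitting in Domain Admins) and the Active Directory misconfigurations listed in the internal network test section are all visible in a directory export before any tester arrives. The following is an added example, not code from the page, the firm in the case study, or any vendor: a small Python audit over a constructed export of hypothetical accounts that flags user accounts with SPNs in privileged groups, accounts with Kerberos pre-authentication disabled (AS-REP roasting exposure), unconstrained delegation, and stale service-account passwords. The userAccountControl bit values are the documented Microsoft flags; the account names, SPNs, dates and the 365-day password-age threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta

# userAccountControl bit flags (documented Microsoft values).
UF_DONT_REQUIRE_PREAUTH = 0x400000    # Kerberos pre-auth off: AS-REP roastable
UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_SERVICE_PASSWORD_AGE = timedelta(days=365)  # assumed policy threshold

# Constructed sample export: hypothetical accounts carrying the attributes a
# directory export (sAMAccountName, servicePrincipalName, memberOf,
# userAccountControl, pwdLastSet) would provide. Not real directory data.
NOW = datetime(2026, 1, 15)
ACCOUNTS = [
    {"sam": "svc_backup_legacy", "spn": ["MSSQLSvc/old-bkp01:1433"],
     "groups": ["Domain Admins", "Domain Users"],
     "uac": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
     "pwd_last_set": NOW - timedelta(days=4 * 365)},
    {"sam": "svc_scan", "spn": ["HTTP/scanner01"],
     "groups": ["Domain Users"], "uac": 0x10200,
     "pwd_last_set": NOW - timedelta(days=30)},
    {"sam": "jdoe", "spn": [], "groups": ["Domain Users"],
     "uac": 0x200 | UF_DONT_REQUIRE_PREAUTH,
     "pwd_last_set": NOW - timedelta(days=60)},
    {"sam": "app-srv01$", "spn": ["HOST/app-srv01"],
     "groups": ["Domain Computers"],
     "uac": 0x1000 | UF_TRUSTED_FOR_DELEGATION,  # WORKSTATION_TRUST_ACCOUNT
     "pwd_last_set": NOW - timedelta(days=10)},
]


def audit_account(acct, now=NOW):
    """Return the findings for one account, most severe first."""
    findings = []
    # Kerberoasting targets user accounts with an SPN; computer accounts
    # (sAMAccountName ending in $) rotate long random passwords and are skipped.
    kerberoastable = bool(acct["spn"]) and not acct["sam"].endswith("$")
    privileged = bool(set(acct["groups"]) & PRIVILEGED_GROUPS)
    if kerberoastable and privileged:
        findings.append("CRITICAL: kerberoastable service account is a member of a privileged group")
    elif kerberoastable:
        findings.append("MEDIUM: user account with SPN is kerberoastable; migrate to a gMSA or use a long random password")
    if acct["uac"] & UF_DONT_REQUIRE_PREAUTH:
        findings.append("HIGH: Kerberos pre-authentication disabled (AS-REP roastable)")
    if acct["uac"] & UF_TRUSTED_FOR_DELEGATION:
        # Domain controllers legitimately carry this flag; exclude them in a real run.
        findings.append("HIGH: unconstrained delegation enabled")
    if kerberoastable and now - acct["pwd_last_set"] > MAX_SERVICE_PASSWORD_AGE:
        findings.append("MEDIUM: service-account password older than 365 days")
    return findings


def audit(accounts, now=NOW):
    """Map sAMAccountName -> findings for every account that has at least one."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct["sam"]] = findings
    return report


if __name__ == "__main__":
    for sam, findings in audit(ACCOUNTS).items():
        print(sam)
        for finding in findings:
            print("  -", finding)
```

On the constructed data the legacy backup account is the only Critical result, for the same reason it was in the case study: an SPN makes its ticket requestable by any domain user, and Domain Admins membership turns an offline crack of that ticket into full domain access. Feeding a real export through the same checks is a few lines of change to the loader; the checks themselves are what a remediation plan should be closing (gMSA or long random passwords for SPN accounts, pre-auth enabled everywhere, no delegation on non-DC accounts, no service accounts in privileged groups).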
The remediation sprint took 18 business days: svc_backup_legacy was disabled within four hours of the debrief; the IDOR flaw was patched within two weeks; SMB signing and printer firmware were addressed within one week; and the macOS laptop was encrypted within 24 hours. Total MSP remediation effort: approximately CA$3,200. The insurance underwriter renewed the policy at a 9% premium reduction upon receiving the test report and remediation evidence — partially offsetting the CA$8,500 engagement cost. For organizations that want testing and remediation under one engagement, IT Cares pairs penetration test findings with hands-on technical remediation across Canada, eliminating the gap between report delivery and vulnerabilities being closed.
Checklist: what to verify before signing a pen test scope of work
Use this checklist before committing to any penetration testing engagement to ensure you are getting what you need.
- Written, signed authorization document before any testing begins (Criminal Code s.342.1 protection)
- Tester credentials confirmed in writing: OSCP (Offensive Security Certified Professional) or equivalent for network tests; OSWE or eWPT for web application tests; GPEN (GIAC Penetration Tester) or CEH as supplementary
- Fixed price in Canadian dollars confirmed in the Statement of Work (not hourly estimates with open-ended scope)
- All in-scope and explicitly out-of-scope systems listed with IP ranges or domain names
- Testing window confirmed (hours, days, date range) and agreed with your IT team or MSP
- Emergency contact protocol documented: what happens if tester discovers active compromise by a third party mid-engagement?
- Data handling agreement: how is captured evidence (screenshots, credentials encountered) stored and destroyed post-engagement?
- Deliverables confirmed: executive summary, finding-by-finding technical section, attack path narrative, remediation roadmap, technical appendix
- Retest provision confirmed: Critical and High findings retested within 60–90 days
- Compliance mapping confirmed if required: SOC 2, PCI-DSS, PIPEDA, Law 25
- Redacted sample report reviewed before engagement signature
What to look for when hiring a Canadian penetration tester
The Canadian cybersecurity consulting market includes certified ethical hackers with deep methodology and a track record, boutique red teams with specialized industry expertise, and generalist IT firms that offer "pen testing" as an add-on service with limited specialized tooling or methodology. The distinction matters enormously for the value of the report you receive. Here is how to evaluate proposals:
Technical certifications: OSCP (Offensive Security Certified Professional) is the hands-on industry baseline for network testing — ask for the tester's certificate number and verify it directly with Offensive Security. OSWE or GWAPT indicate web application expertise. CEH is the most widely advertised credential in Canada but is knowledge-based, not practical — it does not prove exploitation skill the way OSCP does.
Canadian regulatory knowledge: The tester should know PIPEDA's Breach of Security Safeguards Regulations, the Law 25 CAI penalty structure, and how engagement deliverables support compliance documentation. If they cannot explain how a pen test report supports a PIPEDA Principle 7 defence, your report will lack the context needed for regulatory or insurance use.
Industry experience: Law firms, healthcare practices, and technology companies have distinct attack profiles and regulatory overlays. Ask for two or three Canadian client references at comparable size and industry — and call them.
Evidence-based methodology: Ask whether the firm uses manual exploitation or primarily automated tooling. Request a redacted sample report from a prior SMB engagement. A genuine manual pen test report contains screenshots of interactive terminal sessions, HTTP intercepts, and numbered exploitation narratives. A formatted Nessus export with a custom cover page is a vulnerability assessment at pen test pricing.
Five mistakes that undermine a penetration test's value
- Testing before fixing known critical gaps. A pen test on a network where the security assessment found RDP exposed without MFA, default credentials on network devices, and no patch management will produce a report that confirms those gaps — at ten times the cost of the assessment. Fix Critical and High assessment findings first. Test when you want to validate your remediation, not diagnose your starting point.
- Scoping too narrowly to reduce cost. Excluding the internal network from a network pen test because "we trust our employees" produces a report that validates only your external posture — and misses the lateral movement risk that is the primary threat in most Canadian SMB breaches. A grey box internal test covering the most common post-compromise attack paths (lateral movement, privilege escalation, domain controller access) is where most businesses get the highest-value findings per dollar. Do not exclude it to save CA$1,500 on the scope.
- No retest of Critical findings. A pen test report without a confirmed retest is an incomplete engagement. Without retesting, you have no verification that the patch, configuration change, or compensating control you applied actually closed the vulnerability. Some remediation steps close the specific CVE but leave the system vulnerable to a related exploit variant. A retest — typically 4–8 hours for Critical and High findings — provides that confirmation.
- Filing the report without acting on it. A pen test report filed in a shared drive and never referenced again is worse than no test. It creates a documented record that you knew about specific exploitable vulnerabilities and chose not to remediate them — a damaging exhibit in any OPC investigation, CAI audit, or litigation following a breach. Build the remediation roadmap directly into your quarterly IT review or MSP QBR agenda. Track completion with evidence.
- Treating annual testing as a checkbox, not a program. Your environment changes: new applications are deployed, staff change, cloud services are added, vendors are onboarded. A pen test reflects your security posture as of the test date. Schedule a repeat engagement annually — or sooner after a significant infrastructure change — and track progress against the prior-year baseline. The second engagement is always faster and cheaper because most prior-year findings are resolved and the tester already understands your environment architecture.
Related guides
Build a complete security program with these TechCare Canada resources:
- Cybersecurity risk assessment for Canadian SMBs — the evidence-based baseline assessment that should precede a pen test
- Small business cybersecurity hub — the full guide to security controls for Canadian SMBs, from MFA to incident response
- Quebec Law 25 & PIPEDA compliance — privacy obligations for Canadian businesses by province and industry
- Backup & disaster recovery — tested offline backup is the primary ransomware recovery control and a pen test finding in most environments that lack it
- Managed IT services Canada — what a quality MSP agreement includes for ongoing security monitoring and patch management between annual tests
Frequently asked questions
What is penetration testing in Canada?
Penetration testing is an authorized, controlled attack on your IT environment conducted by a security professional to discover and prove exploitable vulnerabilities before a real attacker does. A Canadian pen tester follows a defined scope, exploits weaknesses across your network, web applications, or employees, documents what they accessed, and delivers a report with evidence and a prioritized remediation plan.
How much does a penetration test cost in Canada?
For a Canadian SMB, a professional penetration test typically costs CA$3,500–$15,000 for a focused scope (external network or single web application). A comprehensive assessment covering external network, internal network, web application, and phishing simulation runs CA$8,000–$25,000. All figures are before HST/GST and exclude post-test remediation work.
What is the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment uses automated scanners to identify and classify known vulnerabilities without exploiting them. A penetration test goes further: a human tester manually exploits vulnerabilities to prove they are reachable, chains multiple weaknesses into attack paths, and demonstrates real business impact. Most Canadian SMBs benefit from a vulnerability assessment first, then a pen test once core controls are in place.
What is black box, grey box, and white box penetration testing?
Black box: the tester starts with no internal knowledge, simulating an external attacker. Grey box: the tester receives limited credentials and documentation, simulating a compromised user — the most cost-effective model for Canadian SMBs. White box: the tester has full access to diagrams, source code, and credentials — the most thorough approach, appropriate for software companies testing a new application.
Is penetration testing required for SOC 2 compliance?
SOC 2 does not mandate penetration testing by name, but the Common Criteria for logical access controls require evidence of risk assessment activities. Most SOC 2 auditors expect to see annual pen test results or a documented compensating control. Enterprise clients reviewing your SOC 2 report will look for testing evidence. Many Canadian technology companies treat annual pen testing as a practical SOC 2 prerequisite.
How long does a penetration test take?
A focused external network pen test for a 10–50 user Canadian SMB takes 3–5 business days of active testing plus 2–3 days for report writing. A full-scope engagement covering external network, internal network, web application, and phishing simulation takes 8–15 active days plus report. Total elapsed time from kick-off to final report delivery is typically 2–4 weeks.
What deliverables should I expect from a penetration test?
A credible penetration test delivers: an executive summary with overall risk rating, a finding-by-finding technical report with CVE references and proof-of-concept evidence, an attack path narrative, a prioritized remediation roadmap with effort and cost estimates in CAD, a retest offer for Critical and High findings, and a technical appendix. The report must be specific to your environment — not a reformatted scanner export.
How often should a Canadian business run a penetration test?
The Canadian Centre for Cyber Security (cyber.gc.ca) and most cyber insurance underwriters recommend annual penetration testing at minimum. SOC 2 Type II and PCI-DSS both require annual tests. A retest is also warranted after a significant infrastructure change (cloud migration, new application, merger) or a security incident. Annual cadence with a partial retest of Critical findings within 90 days of the initial report is the standard practice.
Scope your penetration test
Tell us your environment — number of users, primary systems, city, and what compliance you are targeting. We will scope the right engagement and send a fixed-price quote within one business day. No spam, no pressure.
