Every organisation believes its security controls are working — right up until a breach proves otherwise. Penetration testing is how you verify that belief before an attacker does it for you. It is the single most reliable method for understanding whether your defences hold under real-world attack conditions. This guide covers everything decision-makers and security teams need to know: what penetration testing actually is, the different types, how it works, what it costs, and how to choose the right provider in Canada.
What Is Penetration Testing?
Penetration testing — commonly called a pentest — is a structured, authorised attempt to compromise a target environment using the same techniques, tools, and thought processes that real attackers use. The goal is to identify exploitable vulnerabilities before a malicious actor does, document the full attack path, and provide actionable guidance to fix what was found.
The key word is authorised. Everything a penetration tester does is performed with written permission, within defined scope, and with rules of engagement agreed upon before the work begins. This distinguishes it from actual attacks, where no such guardrails exist.
A penetration test is not a scan. Automated vulnerability scanners enumerate known weaknesses and rate them by severity — but they cannot chain vulnerabilities together, test business logic flaws, pivot through segmented networks, or assess how a real attacker would move laterally after initial access. That requires a skilled human operator. In our engagements, we routinely find high-severity attack paths that every scanner the client had deployed had completely missed. That is not a failure of the tools — it is simply the limit of what automated scanning can do.
Why Do Businesses Need Penetration Testing?
The case for penetration testing is not theoretical. It is built on what we observe in the field, engagement after engagement, year after year.
Most organisations have significant security investment: firewalls, endpoint detection, vulnerability management programmes, security awareness training. And most organisations still have critical attack paths that an adversary could exploit within hours of gaining a foothold. The gap between what your security team believes is protected and what is actually exploitable is where breaches happen.
Penetration testing closes that gap. Specifically, it delivers:
- Evidence of real-world exploitability — not theoretical risk scores, but demonstrated proof-of-concept exploitation
- Attack path visibility — understanding how an attacker would chain vulnerabilities from initial access to critical data
- Prioritised remediation — fixes ranked by actual business impact, not CVSS scores alone
- Compliance validation — documented evidence for PCI-DSS, SOC 2, ISO 27001, and PIPEDA audits
- Board-level assurance — a named, credentialed consultant attesting to what was tested, what was found, and how far an attacker could have got, rather than a generic statement that the organisation is "secure"
- Baseline measurement — a reference point against which future improvements can be measured
We have worked with organisations that spent years believing their segmented networks were airtight, only to find that a single misconfigured trust relationship gave us a path from a guest Wi-Fi network to their core financial systems. That finding had a direct, immediate impact on how those organisations managed risk. That is the value of penetration testing that no scanner or compliance checklist can replicate.
Types of Penetration Testing
Penetration testing is not a single service — it is a discipline encompassing several distinct engagement types, each targeting a different attack surface. Understanding the differences helps you make the right investment decisions for your specific risk profile.
Network Penetration Testing
Network penetration testing targets your external perimeter and internal infrastructure. External engagements simulate an unauthenticated attacker on the internet attempting to gain access to your network. Internal engagements simulate a threat actor who has already breached the perimeter — a scenario representing ransomware, insider threats, and supply chain compromises. We test firewall configurations, exposed services, patch levels, network segmentation, and credential security across the infrastructure.
Web Application Penetration Testing
Web application security assessments target the custom software your business runs — customer portals, SaaS platforms, APIs, mobile backends, and internal web tools. Web application vulnerabilities are among the most frequently exploited attack vectors in real breaches. We test for OWASP Top 10 vulnerabilities and well beyond: business logic flaws, authentication weaknesses, insecure direct object references, mass assignment vulnerabilities, GraphQL abuse, and API security gaps that scanners routinely miss.
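Two of the flaw classes listed above, insecure direct object reference and mass assignment, are the kind of thing a scanner cannot see because the request looks perfectly valid. The following is an added example, not code from the original page or the consultancy's tooling: a minimal profile-update handler with both flaws, and the hardened version beside it. It is deliberately framework-free so it runs offline; `fresh_db` and the `body` dict are constructed stand-ins for a real ORM and a parsed JSON request body.

```python
"""Added example, not from the original page: IDOR and mass assignment in a
profile-update handler, with the hardened version beside it. ``fresh_db`` and
``body`` are constructed stand-ins for a real ORM and a parsed JSON body."""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    role: str = "user"      # authorisation attribute: must never be client-writable
    balance: int = 0        # business attribute: same


class Forbidden(Exception):
    """Raised by the hardened handler when the caller is not allowed to do this."""


def fresh_db() -> dict:
    """Constructed sample data: two ordinary users and one admin."""
    return {
        1: User(1, "alice@example.com"),
        2: User(2, "bob@example.com"),
        9: User(9, "root@example.com", role="admin"),
    }


# --- Vulnerable: PATCH /users/<target_id>, where the session is only used to log in ---
def update_profile_vulnerable(db: dict, session_user_id: int, target_id: int, body: dict) -> User:
    user = db[target_id]                 # IDOR: no check that target_id is the caller's own record
    for key, value in body.items():      # mass assignment: every JSON key becomes an attribute
        setattr(user, key, value)
    return user


# --- Hardened: object-level authorisation plus an explicit field allow-list -----------
WRITABLE_FIELDS = frozenset({"email"})   # the only thing a user may change about themselves


def update_profile_hardened(db: dict, session_user_id: int, target_id: int, body: dict) -> User:
    if target_id != session_user_id:     # authorise against the object, not just the endpoint
        raise Forbidden("cannot modify another user's profile")
    unexpected = set(body) - WRITABLE_FIELDS
    if unexpected:                       # reject, rather than silently drop, unknown fields
        raise Forbidden(f"fields not writable: {sorted(unexpected)}")
    user = db[target_id]
    for key in body:
        setattr(user, key, body[key])
    return user


if __name__ == "__main__":
    # Bob (id 2) attacks Alice (id 1): succeeds against the vulnerable handler...
    db = fresh_db()
    print(update_profile_vulnerable(db, 2, 1, {"role": "admin", "balance": 10**6}))
    # ...and is refused by the hardened one.
    try:
        update_profile_hardened(fresh_db(), 2, 1, {"email": "bob@example.com"})
    except Forbidden as e:
        print("hardened:", e)
```

The two fixes are independent and both are needed: checking ownership alone still lets Bob promote himself to admin on his own record, and the allow-list alone still lets him edit Alice's e-mail address. Rejecting unknown fields rather than ignoring them also surfaces probing during testing, which is exactly the signal a scanner never produces.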
Cloud Security Assessment
Cloud security assessments examine your AWS, Azure, or GCP environments for misconfigurations, over-permissive IAM policies, exposed storage, insecure serverless functions, and cross-account trust abuse. Cloud environments are fundamentally different from traditional infrastructure — the attack surface is managed through configuration, not network topology — and the misconfigurations we find most frequently are ones that were introduced through normal infrastructure-as-code deployments, not deliberate oversights.
Active Directory Security Assessment
Active Directory assessments target the identity infrastructure that underpins most enterprise Windows environments. AD is the single highest-value target in any internal network because control of the domain means control of every domain-joined system, service, and identity. We assess Kerberos attack paths (Kerberoasting, AS-REP roasting, unconstrained delegation), NTLM relay opportunities, ACL misconfigurations, Group Policy abuse, and lateral movement vectors. In the overwhelming majority of internal engagements we conduct, we achieve domain administrator access; the question is only how quickly.
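The three Kerberos paths named above each come from a specific, readable account setting, which means a defender can find them before the test does. The following is an added example, not code from the original page or the consultancy's tooling: a read-only audit of the `userAccountControl` flags, SPNs and group membership that make an account Kerberoastable, AS-REP roastable, or a host for unconstrained delegation. The records are constructed stand-ins for an LDAP search of `(objectClass=user)` returning those attributes; real `ldap3` or `Get-ADUser` output with the same attribute names runs through the same checks unchanged.

```python
"""Added example, not from the original page: audit constructed AD account
records for Kerberoasting, AS-REP roasting and unconstrained delegation."""

# userAccountControl bit flags; the values are fixed by Microsoft (MS-SAMR / MS-ADTS)
ACCOUNTDISABLE            = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000     # member computer account
SERVER_TRUST_ACCOUNT      = 0x2000     # domain controller computer account
TRUSTED_FOR_DELEGATION    = 0x80000    # unconstrained delegation
DONT_REQ_PREAUTH          = 0x400000   # Kerberos pre-authentication disabled

DC_PRIMARY_GROUPS = {516, 521}         # RIDs: Domain Controllers, Read-only Domain Controllers


def audit_account(rec: dict) -> list:
    """Return the attack paths a single account record exposes, in check order."""
    uac = int(rec.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        return []                                   # disabled: the KDC issues nothing for it
    name = rec["sAMAccountName"]
    is_computer = bool(uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))
    findings = []
    # Kerberoasting: any domain user can request a service ticket for an SPN, and the
    # ticket is encrypted with the service account's password hash. Only user accounts
    # matter: computer passwords are long and random, and krbtgt's is not crackable in practice.
    if rec.get("servicePrincipalName") and not is_computer and name.lower() != "krbtgt":
        findings.append("kerberoastable")
    # AS-REP roasting: with pre-auth disabled the KDC returns an AS-REP encrypted with the
    # user's key to anyone who asks, so the password can be cracked offline.
    if uac & DONT_REQ_PREAUTH:
        findings.append("asrep-roastable")
    # Unconstrained delegation: the host caches the TGT of every user who authenticates to
    # it. Domain controllers carry the flag by design; anything else is a credential-theft target.
    if uac & TRUSTED_FOR_DELEGATION and rec.get("primaryGroupID") not in DC_PRIMARY_GROUPS:
        findings.append("unconstrained-delegation")
    # adminCount=1 marks accounts that are (or were) in protected groups: same flaw, higher impact.
    if findings and int(rec.get("adminCount", 0)) == 1:
        findings.append("privileged")
    return findings


def audit_domain(records: list) -> dict:
    """Map sAMAccountName -> findings for every account that has at least one."""
    out = {}
    for rec in records:
        findings = audit_account(rec)
        if findings:
            out[rec["sAMAccountName"]] = findings
    return out


# Constructed sample directory; the host and account names are made up.
SAMPLE_RECORDS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"], "primaryGroupID": 513},
    {"sAMAccountName": "legacy.app", "userAccountControl": 0x400200, "primaryGroupID": 513},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000,
     "servicePrincipalName": ["HOST/web01.corp.example"], "primaryGroupID": 515},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["HOST/dc01.corp.example", "ldap/dc01.corp.example"],
     "primaryGroupID": 516},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10202,
     "servicePrincipalName": ["HTTP/old.corp.example"], "primaryGroupID": 513},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "primaryGroupID": 513},
]

if __name__ == "__main__":
    for account, paths in audit_domain(SAMPLE_RECORDS).items():
        print(f"{account:12} {', '.join(paths)}")
```

Two details matter in practice: the domain controller is excluded from the delegation finding by its primary group rather than by name, so a renamed or additional DC is still handled correctly, and a disabled account is skipped entirely because the KDC will not issue tickets for it, which keeps the output focused on paths that are live today.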
Social Engineering
Social engineering assessments test the human element of your security programme. This includes phishing simulations, vishing (voice phishing), and physical security testing. Technical controls are only as strong as the people operating them. In one recent engagement, a targeted spear-phishing campaign against finance staff achieved a 34% credential submission rate and bypassed multi-factor authentication through adversary-in-the-middle proxy techniques, despite the client having completed security awareness training six weeks prior. An adversary-in-the-middle proxy relays the victim's genuine login, push approval or one-time code included, and captures the authenticated session cookie at the end; only phishing-resistant methods such as FIDO2/WebAuthn, which bind the credential to the real origin, defeat it.
Red Team Operations
Red team operations are the most comprehensive form of adversary simulation available. Unlike a standard penetration test that targets a defined scope, a red team engagement simulates a full advanced persistent threat (APT) campaign against your organisation: all available attack vectors used together, over an extended period, with the scope and timing agreed with a small control group and withheld from the defenders being tested. The goal is to test your people, processes, and technology together under realistic attack conditions. Red team engagements answer the question: "Could a sophisticated adversary achieve their objective inside our environment without being detected?"
The Penetration Testing Methodology
Professional penetration testing follows a structured methodology that ensures consistency, thoroughness, and reproducibility. Our engagement process follows five phases that draw on industry frameworks including PTES (Penetration Testing Execution Standard) and the OWASP Web Security Testing Guide.
Phase 1 — Scoping and Planning
Before any technical work begins, we establish the rules of engagement. This defines what systems are in scope, what testing techniques are permitted, acceptable testing windows, escalation contacts, and the format for deliverables. Scoping is not bureaucratic overhead — it protects both parties and ensures the engagement produces results that are meaningful to your specific risk profile.
Phase 2 — Reconnaissance and Information Gathering
We map the attack surface before touching anything in scope. For external engagements, this includes OSINT collection: DNS enumeration, certificate transparency log analysis, employee profiling via LinkedIn, code repository review, breach data correlation, and passive infrastructure mapping. The amount of information available about most organisations from public sources alone is consistently surprising to clients. What we learn in reconnaissance shapes the entire attack strategy that follows.
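Certificate transparency is usually the richest of the passive sources listed above, and also the easiest way to drift outside the authorised scope from Phase 1, because certificates routinely name hosts at third parties and look-alike domains. The following is an added example, not code from the original page or the consultancy's tooling: it normalises CT results into a host list and splits it into in-scope and out-of-scope names before anything is actively probed. `CT_RESULTS` is a constructed stand-in for the JSON a crt.sh query returns; only the `name_value` field is used.

```python
"""Added example, not from the original page: reduce certificate transparency
results to a deduplicated host list and check each host against the engagement
scope. CT_RESULTS is constructed sample data in crt.sh's JSON shape."""


def normalise(name: str) -> str:
    """Lower-case, drop an FQDN's trailing dot, and drop a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]      # a wildcard cert names the zone under which to enumerate further
    return name


def in_scope(host: str, apexes: set) -> bool:
    """True if host is an in-scope apex or a subdomain of one.

    The comparison is on a label boundary ('.' + apex), never a plain substring
    match, so notexample.com and example.com.evil-cdn.net stay out of scope.
    """
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def candidate_hosts(ct_results: list, apexes: set) -> tuple:
    """Return (in_scope_hosts, out_of_scope_hosts), each sorted and deduplicated."""
    seen = set()
    for entry in ct_results:
        for raw in entry.get("name_value", "").splitlines():   # SANs are newline-joined
            host = normalise(raw)
            if host:
                seen.add(host)
    inside = sorted(h for h in seen if in_scope(h, apexes))
    outside = sorted(h for h in seen if not in_scope(h, apexes))
    return inside, outside


# Constructed sample: the shape of crt.sh output for %.example.com, contents made up.
CT_RESULTS = [
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "Mail.Example.com."},
    {"name_value": "example.com.evil-cdn.net"},   # third-party host with our name embedded
    {"name_value": "notexample.com"},             # look-alike, not ours
    {"name_value": "legacy.example.co"},          # different TLD, not in scope
    {"name_value": "www.example.com"},            # duplicate from a renewed certificate
]
SCOPE = {"example.com"}

if __name__ == "__main__":
    inside, outside = candidate_hosts(CT_RESULTS, SCOPE)
    print("in scope:   ", inside)
    print("out of scope:", outside)   # report these to the client; do not test them
```

The out-of-scope list is not discarded: hosts that carry the client's name at a third party are a finding in their own right (forgotten vendor deployments, dangling DNS), but they are reported and confirmed with the client rather than tested, because the written authorisation from Phase 1 does not cover them.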
Phase 3 — Vulnerability Identification and Exploitation
This is the core technical phase. We identify vulnerabilities through a combination of automated scanning, manual analysis, and active exploitation attempts. Critically, we do not simply catalogue vulnerabilities — we attempt to chain them together the way a real attacker would. A medium-severity misconfiguration that sits alongside a low-severity information disclosure and a weak credential policy may individually score as acceptable risk. Combined, they may represent a direct path to your most sensitive data. That is the insight only human-led testing provides.
Phase 4 — Post-Exploitation and Lateral Movement
After gaining initial access, we assess what an attacker could realistically achieve from that foothold. This includes privilege escalation, lateral movement through the network, credential harvesting, data identification, and persistence mechanism analysis. The post-exploitation phase is where the business impact of a breach becomes concrete — not as a theoretical scenario, but as a demonstrated capability.
Phase 5 — Reporting and Remediation Guidance
Every finding is documented with a technical description, proof-of-concept evidence (screenshots, tool output, or video recordings), business impact assessment, and specific remediation steps. Our reports are written for two audiences: technical staff who will implement fixes, and executives who need to understand risk in business terms. We also offer remediation review calls and post-fix validation testing to confirm that findings have been correctly addressed.
Penetration Testing vs Vulnerability Assessment
These terms are frequently confused and sometimes deliberately conflated by providers who sell vulnerability assessments at penetration testing prices. Understanding the difference protects your budget and your security programme.
A vulnerability assessment uses automated tools to scan systems and identify known vulnerabilities. It produces a list of findings with severity ratings taken from the CVSS scores published alongside CVE entries. It requires no manual analysis, no exploitation attempts, and no assessment of whether vulnerabilities are actually exploitable in your specific environment. A competent analyst can run a vulnerability assessment in hours.
A penetration test uses human expertise to identify, confirm, and actively exploit vulnerabilities — including those that scanners cannot detect — and chains them together to demonstrate realistic attack paths. It requires skilled operators, significant time investment, and produces findings that are specific to your environment, your architecture, and your actual risk exposure.
The distinction matters enormously for compliance purposes too. PCI-DSS Requirement 11.4 explicitly requires penetration testing, not just vulnerability scanning, and SOC 2 auditors routinely expect penetration test evidence even though the Trust Services Criteria do not name it. An auditor who understands these standards will know the difference. A report from a scan tool will not satisfy the requirement.
How Often Should You Conduct Penetration Testing?
The honest answer is: more often than most organisations currently do. The standard recommendation of annual testing made sense when environments were relatively static. Modern infrastructure changes continuously — new cloud services deployed weekly, applications updated monthly, staff turnover introducing new credential risk, third-party integrations added without security review.
Our general guidance by organisation type:
- High-risk environments (financial services, healthcare, critical infrastructure): Annual external and internal network testing minimum, with web application testing aligned to major release cycles. Red team every 18–24 months.
- Mid-market organisations with public-facing applications: Annual external penetration test. Web application testing for each major application at significant releases. Internal network testing every 18 months.
- Organisations under compliance requirements (PCI-DSS, SOC 2): Annual minimum as required by the framework. For PCI-DSS v4.0 this also means segmentation testing at least every 12 months (every six months for service providers) and after any significant change to the cardholder data environment.
- Startups and SMBs handling sensitive data: At minimum, a web application test before going live with any customer-facing application, and an external network test annually.
Trigger-based testing is equally important: after a significant breach or security incident, after major infrastructure changes (cloud migration, network redesign, M&A activity), and after deploying new security controls you want to validate.
How to Choose a Penetration Testing Consultant
The penetration testing market has a significant quality problem. Automated scan reports re-labelled as penetration tests are common. Junior analysts with no real-world attack experience are billed as senior consultants. The deliverable quality varies enormously. Here is what to look for.
Credentials and Certifications
Industry-recognised certifications provide a baseline assurance of technical competency. Look for OSCP (Offensive Security Certified Professional), OSEP (Offensive Security Experienced Penetration Tester), CREST CRT (CREST Registered Penetration Tester) and CREST CCT (CREST Certified Tester); CREST CPSA (Practitioner Security Analyst) is the knowledge-level entry point beneath them. The CRT and CCT examinations in particular include hands-on practical assessments and are widely recognised in enterprise procurement. CREST-accredited providers are the standard requirement for regulated industry engagements in the UK, Australia, and increasingly in Canada.
Principal-Led vs Staff Augmentation Models
Many large consultancies assign junior staff to engagements under a senior name. The person who scoped the engagement and will present the report is not the person who ran the tests. At Cyber Security Pentesting Inc., every engagement is conducted directly by the principal consultant — the person you speak with during scoping is the person with hands on keyboard for the entire assessment. This matters for quality and for accountability.
Sample Report Quality
Any reputable provider should share a redacted sample report on request. Look for: specific proof-of-concept evidence (not generic CVE descriptions), clear attack path narration, business impact statements that go beyond severity scores, and actionable remediation steps — not just links to vendor advisories. If the report reads like a Nessus export, it probably is.
Communication and Escalation Protocols
A penetration tester who discovers a critical, actively exploitable vulnerability mid-engagement needs to know how to reach you immediately. Ask prospective providers how they handle critical finding escalation. If they do not have a clear answer, walk away.
Penetration Testing in Toronto and Canada
We are a Toronto-based penetration testing consultancy serving organisations across Ontario, the Greater Toronto Area, and throughout Canada. Penetration testing in Toronto carries specific considerations that matter for Canadian organisations.
Canadian data sovereignty requirements mean many organisations need assurance that their testing engagements, findings, and sensitive data remain within Canada. We operate from Canada, store all engagement data on Canadian infrastructure, and are subject to Canadian privacy law — not the data sharing frameworks of foreign jurisdictions.
Engagement findings are treated with the same confidentiality as legal or financial records. All work is conducted under signed NDAs and specific engagement contracts that define exactly how findings will be handled, retained, and destroyed after the engagement period.
We have extensive experience with the regulatory environment Canadian organisations operate in: PIPEDA, PHIPA, OSFI B-13, and provincial privacy frameworks. This matters when translating technical findings into compliance-relevant risk language that your legal team, board, and auditors will recognise.
Compliance Frameworks That Require Penetration Testing
Penetration testing is not only a security best practice — it is a documented requirement under several major compliance frameworks. Our compliance assessment services are designed to produce evidence that satisfies auditor requirements directly.
PCI-DSS (Payment Card Industry Data Security Standard)
PCI-DSS v4.0 Requirement 11.4 mandates internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change. The testing must cover the entire cardholder data environment and its supporting network segmentation: segmentation controls must be tested at least every 12 months (every six months for service providers) to confirm that out-of-scope systems are genuinely isolated from the cardholder data environment. Vulnerability scanning, which is a separate obligation under Requirement 11.3, does not satisfy this requirement.
SOC 2 (Service Organization Control 2)
SOC 2 Type II audits assess the design and operating effectiveness of security controls over a defined period. The framework does not mandate penetration testing by name, but auditors routinely accept penetration test reports as evidence for the Trust Services Criteria covering risk assessment, monitoring activities, and logical access controls. Organisations that present penetration test reports consistently receive more straightforward SOC 2 audits than those relying on vulnerability scan data alone.
ISO 27001
ISO/IEC 27001:2022 Annex A controls A.8.8 (Management of Technical Vulnerabilities) and A.8.29 (Security Testing in Development and Acceptance) together establish the framework's expectation of regular penetration testing. Achieving and maintaining ISO 27001 certification without a penetration testing programme is possible but leaves significant control gaps that auditors will note.
PIPEDA (Personal Information Protection and Electronic Documents Act)
PIPEDA's security safeguard requirements under Principle 7 require organisations to protect personal information using security safeguards appropriate to the sensitivity of the information. The Office of the Privacy Commissioner has made clear in breach investigation findings that organisations handling sensitive personal data are expected to have conducted regular security assessments — including penetration testing — as part of their reasonable safeguard obligations. We address this in detail in our PIPEDA penetration testing guide.
Getting Started with Penetration Testing
The first step is a scoping conversation — no obligation, no sales pressure. We discuss your environment, your compliance requirements, what you are most concerned about, and what a realistic engagement looks like in terms of scope, timeline, and investment.
After 20+ years conducting assessments across financial services, healthcare, technology, government, and critical infrastructure in Canada and internationally, we have scoped engagements for organisations of every size and complexity. Whether you are a 50-person fintech running a single web application or a mid-market enterprise with distributed infrastructure across multiple cloud environments and office locations, the scoping conversation takes the same amount of time and costs nothing.
What you will get from that conversation: a clear scope recommendation, a realistic timeline, transparent pricing, and a sense of whether we are the right fit for your engagement. If we are not, we will tell you that too.