Everything you need to know before your first security assessment. Don't see your question? Reach out — we're happy to talk through it.
The basics
A penetration test — or pentest — is a controlled, simulated cyberattack carried out by security professionals. We attempt to break into your systems the same way a real attacker would, then hand you a detailed report of everything we found and exactly how to fix it.
Think of it as hiring someone to try to rob your house before a criminal does — so you can find out which windows don't lock before it matters.
A vulnerability scan is automated — software checks your systems against a database of known weaknesses and flags what it finds. It's fast and affordable, and a solid starting point.
A penetration test goes further. A human tester actively tries to exploit those weaknesses to see how far an attacker could actually get. Manual testing finds things automated tools miss — logic flaws, chained vulnerabilities, misconfigurations that only matter in combination.
Analogy: a scan checks if your doors are locked. A pentest tries to actually get in.
External penetration test: We attack your business from the outside — the same position a hacker on the internet would be in. This covers your public-facing systems: websites, login portals, email servers, firewall configurations, and any services exposed to the internet.
Internal penetration test: We simulate what happens if an attacker is already inside your network — whether through a breach, phishing, or a malicious insider. This tests how far an attacker could move once they're in and what they could access.
Most businesses benefit from both. Our Pentest Bundle covers external and internal at a discounted combined rate.
Yes — and more than you might think. Small businesses are targeted specifically because attackers assume their defenses are weaker. 43% of cyberattacks target small businesses, and 60% of businesses that suffer a breach close within six months.
The vulnerabilities in your systems exist whether you know about them or not. The only question is whether you find them first — or someone else does.
Not being hacked yet isn't the same as being secure — it may just mean you haven't been targeted yet, or that an attacker is already in and hasn't made their move.
A penetration test gives you a real answer instead of an assumption. You'll know your actual exposure, not your best guess at it.
The process
Every engagement follows the same structured process:
1. Scoping call — We align on what systems are in scope, your goals, and the rules of engagement. Nothing starts without your sign-off. 2. Reconnaissance — We gather information about your environment the same way an attacker would. 3. Vulnerability identification — We combine automated scanning with manual analysis to map your attack surface. 4. Exploitation — We attempt to exploit findings to determine real-world impact. 5. Reporting — You receive a full report: an executive summary in plain English plus technical detail for whoever handles remediation. 6. Debrief — We walk you through the findings and answer questions.
No. Before any testing begins, we define explicit rules of engagement that govern what we test, when, and how. We work carefully to avoid disrupting business operations.
If anything unexpected comes up during testing, we stop and contact you immediately.
For most SMB engagements, active testing runs 3–5 business days. The full timeline from kickoff to final report delivery is typically 1–2 weeks depending on scope and scheduling.
A vulnerability scan can turn around much faster — usually within a few days.
Not much. You'll need to be able to define what systems you want tested and identify a point of contact on your end. For an internal test, we'll need network access (either on-site or via VPN).
We handle the rest. We'll walk you through everything you need during the scoping call.
Every report includes two sections:
Executive summary — Written for business owners and leadership. No jargon. This section tells you what we found, what it means for your business, and what to prioritize.
Technical findings — Written for whoever handles your IT or security. Each finding includes a description, severity rating, evidence, and specific remediation steps.
We also do a debrief call to walk through findings and answer questions.
Penetration testing and remediation are intentionally separate — having the same team do both creates a conflict of interest and is considered bad practice in the industry.
What we deliver is a clear, prioritized remediation roadmap. Your IT team or managed service provider implements the fixes. If you don't have IT support in place, we can help you understand your options.
Pricing & scope
Pricing depends on scope — the size of your environment, what systems are in scope, and the type of assessment. For SMBs, here's a general range to plan around:
We scope every engagement individually — contact us for a quote specific to your environment.
Yes — our Vulnerability Scan is designed for exactly this situation. It gives you a clear picture of your exposure at a fraction of the cost of a full pentest, and it's a smart first step if you've never had a security assessment.
Many of our clients start with a scan, use the results to prioritize remediation, and then move to a full pentest when they're ready.
Firewalls and antivirus tools are passive defenses — they catch known threats as they come in. A penetration test is active: it finds out what gets through, what was misconfigured, and what an attacker could do if they bypassed your defenses entirely.
Most businesses that get compromised had antivirus running. The tools were there — the gaps were just somewhere else.
At minimum, once a year. Additionally, you should consider a new assessment any time you make significant changes to your environment — launching a new application, adding a location, migrating to the cloud, or onboarding a major new vendor.
The threat landscape changes constantly. A test from two years ago reflects a two-year-old version of your environment.
It depends on your industry and what data you handle. Penetration testing is a formal requirement or strong recommendation under several common frameworks:
PCI-DSS — Required if you process credit card payments HIPAA — Required if you handle protected health information SOC 2 — Required or expected for SaaS companies and service providers Government contracts — Often required under CMMC and similar frameworks
Not sure what applies to you? We can help you figure that out during a scoping call.
Working with us
Every engagement begins with a signed non-disclosure agreement and clearly defined rules of engagement. Any data we encounter during testing is handled with strict confidentiality — it is never shared with third parties and is not retained beyond the engagement.
Your report is yours alone. We take the trust that comes with this work seriously.
All penetration testing is authorized in writing before we touch anything. The rules of engagement document defines exactly what systems are in scope, what actions are permitted, and the timeline — creating a clear legal authorization for the engagement.
This protects both you and us. Nothing happens without your explicit written approval.
We schedule a debrief call to walk through findings together and answer any questions. After that, the next step is yours — implementing the remediation steps outlined in the report.
If you'd like a follow-up assessment after remediation to verify the fixes held, we can scope that as a separate engagement.
Ready to get started?
Still have questions? Just ask.
A 30-minute call costs nothing. We'll tell you what we'd recommend for your situation — and whether you need us at all.