How much does a penetration test cost?

Pricing depends on scope (external, internal, web app, AD, cloud) and asset count. SMB external pentests typically start at the low five figures; mid-market environments scale from there. We provide fixed-fee quotes after a free 30-minute scoping call.

How is your penetration testing different from automated scanning?

Automated scanners produce a list of potential vulnerabilities. Our operators chain findings, exploit live systems with permission, and demonstrate real business impact — including data exfiltration and privilege escalation paths a scanner will never find.

How long does a penetration test take?

Most SMB engagements run two to four weeks end-to-end: kickoff and scoping, active testing, validation, and a debrief with executive and technical reports.

Do you provide a written report?

Yes. Every engagement delivers an executive summary, a technical findings report with reproduction steps, evidence, CVSS scores, prioritized remediation guidance, and a 30-minute readout call.

Can you retest after we remediate?

Yes. Retesting of remediated findings is included for 30 days after the final report and available on request afterward.

Penetration Testing — Operator-Led Validation

Pen Test vs. Security Reality Check

Both are valuable, but they answer different questions. Most clients should sequence them, not skip the first.

Security Reality Check

Question answered: "What weaknesses exist, and what should we fix first?"

Coverage-oriented
Validated findings + prioritized roadmap
~2 weeks
Lower cost, higher first-engagement value

See Reality Check →

Penetration Testing

Question answered: "Could an attacker actually get in and reach our crown jewels?"

Adversarial validation
Real exploit chains, not theoretical findings
2–4 weeks
Best after Critical/High items have been remediated

Scope Options

Pick one. Combine. Or run a full-spectrum engagement.

External

Internet-facing services, web apps, edge devices, OSINT and credential leak validation.

Internal

Assumed-breach simulation: lateral movement, AD attacks, privilege escalation, data access.

Web App / API

OWASP-aligned manual testing: authn/authz, business logic, IDOR, injection, session, API abuse.

Identity / M365

Entra ID, conditional access, OAuth abuse, token theft, hybrid AD trust paths.

What You Get

Engagement Report
Executive summary, full technical narrative, attack-path diagrams, MITRE ATT&CK mapping.
Evidence Pack
Annotated screenshots, command logs, IoCs, and chain-of-custody for every finding.
Ranked Remediation Plan
Each finding ranked by exploitability + business impact, with explicit remediation steps.
Live Debrief
CEO-led working session — your team can ask the operator anything.
Retest
We re-validate every Critical/High finding within the agreed remediation window.

Sample Findings Section

FINDING PT-2024-007 Severity: Critical Title: Domain Admin via PtH from stale account ATT&CK: T1078.002, T1550.002 Reproduction 1. Authenticate as low-priv user (assumed breach) 2. Enumerate AD via SharpHound 3. Identify dormant DA: svc_legacyadmin 4. Coerce auth via PetitPotam → DC02 5. Pass-the-Hash with cached NTLM 6. Result: Domain Admin Business impact Full domain compromise; access to all PHI shares; ability to disable AV, deploy ransomware, or exfil. Remediation - Disable svc_legacyadmin (validate use first) - Enable AD tiering + protected-users group - Block NTLM relay on DC SMB - Enforce LDAPS + SMB signing

Engagement Flow

Week 0

Scoping & Authorization

Rules of engagement, written authorization, contacts, escalation paths.

Week 1–3

Active Testing

Recon, foothold, lateral movement, privilege escalation, controlled impact.

Week 3–4

Reporting & Debrief

Full report, evidence pack, CEO-led live debrief.

+30–60 days

Retest

Critical/High validation. Optional purple-team session.

Penetration Testing

Pen Test vs. Security Reality Check

Security Reality Check

Penetration Testing

Scope Options

External

Internal

Web App / API

Identity / M365

What You Get

Engagement Report

Evidence Pack

Ranked Remediation Plan

Live Debrief

Retest

Sample Findings Section

Engagement Flow

Scoping & Authorization

Active Testing

Reporting & Debrief

Retest

Ready for Real Validation?