Pen Test: 10 Questions to Ask Before Ordering Your First Penetration Test
Introduction
“We’re going to run a penetration test. That way, we’ll know if we’re secure.”
We hear this often at Sécurité Info Services. It’s a great intention—but be careful: a poorly prepared or poorly scoped penetration test can give you a false sense of security, which is worse than no test at all.
A pentest (penetration test) is a realistic attack simulation carried out by professionals to identify exploitable vulnerabilities. But contrary to popular belief, it is not a comprehensive security audit, and it does not guarantee you are fully protected.
Before signing a quote, ask yourself the following 10 questions.
Question #1: Why do I really want a pentest?
The answer “to see if I’m secure” is not enough.
Valid reasons to run a pentest
| Reason | Relevance | Comment |
|---|---|---|
| Client requirement | ✅ | Often required by large clients |
| Cyber insurance | ✅ | Increasingly requested proof |
| Compliance (Law 25, PIPEDA) | ✅ | Often recommended during PIAs |
| Critical launch | ✅ | Identify issues before go-live |
| After an incident | ✅ | Understand entry point |
| Curiosity | ❌ | Very limited value |
👉 A pentest is a snapshot, not a strategy.
Question #2: What scope should be tested?
Scope defines what the tester is allowed to attack.
Possible scopes
| Scope | Example | SME |
|---|---|---|
| Web application | Website, client portal | ✅ |
| External infrastructure | VPN, firewall | ✅ |
| Internal infrastructure | Servers, endpoints | ✅ |
| Wi-Fi | Wireless network | ⚠️ |
| Mobile app | iOS / Android | ⚠️ |
| Social engineering | Targeted phishing | ⚠️ scope separately |
| Vendors | Third parties | ❌ |
❌ Never say “test everything”
✅ Be precise
Question #3: Black box, gray box, or white box?
| Approach | Info given | Result | Cost | Recommendation |
|---|---|---|---|---|
| Black box | None | External attacker view | High | ❌ |
| Gray box | Limited access | Realistic | Medium | ✅ Ideal |
| White box | Full access | Exhaustive | High | ⚠️ targeted |
👉 For SMEs: go with gray box
Question #4: What type of tester should I choose?
| Type | Pros | Cons | Recommendation |
|---|---|---|---|
| Amateur freelancer | Cheap | No legal framework | ❌ |
| Specialized firm | Quality, insured | Cost | ✅ |
| Big4 | Reputation | Very expensive | ⚠️ |
Useful certifications
- OSCP
- CREST
- CISSP
Question #5: What should I do BEFORE the test?
Essential checklist
| Action | Why |
|---|---|
| Asset inventory | Prioritization |
| Fix obvious issues | Avoid wasting time |
| Verified backups | Safety |
| Rollback plan | Risk mitigation |
| Inform the team | Reduce false alerts |
👉 Run a pre-audit before the pentest
Question #6: What happens DURING the test?
Typical process
| Phase | Activity |
|---|---|
| Scoping | Authorizations |
| Reconnaissance | Information gathering |
| Scanning | Service detection |
| Exploitation | Real attacks |
| Post-exploitation | Lateral movement |
| Reporting | Documentation |
⚠️ Instability may occur → plan a testing window
Question #7: What are the legal constraints?
| Item | Requirement |
|---|---|
| Written authorization | Mandatory |
| Defined scope | Contractual |
| Personal data | Law 25 & PIPEDA |
| Tester insurance | Essential |
Recommended clause:
The provider agrees not to access exposed personal data.
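As an added example (not from the original article), the following Python sketch turns the advice from Questions 2, 6 and 7 into a checkable rules-of-engagement record: a precise in-scope list with explicit exclusions (such as third-party vendors), an agreed testing window, and a reference to the written authorization. All hostnames, addresses, dates and the authorization reference are constructed sample values.

```python
"""Rules-of-engagement scope check (added example, not the article's code).
Encodes a precise scope (hosts and CIDR blocks, explicit exclusions), a
written-authorization reference and a testing window, then answers the
question 'may this target be touched right now?'."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class Scope:
    authorization_ref: str          # reference to the signed authorization
    window_start: datetime          # agreed testing window (UTC)
    window_end: datetime
    in_scope: list                  # hostnames or IP/CIDR strings
    excluded: list = field(default_factory=list)  # always off-limits

    @staticmethod
    def _matches(target, entries):
        """True if target (hostname or IP) matches any entry."""
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:                     # entry is a hostname
                if target.lower() == entry.lower():
                    return True
                continue
            try:
                if ipaddress.ip_address(target) in net:
                    return True
            except ValueError:                     # hostname vs. network
                pass
        return False

    def check(self, target, when):
        """Return (allowed, reason). Exclusions always win over inclusions."""
        if not self.authorization_ref:
            return False, "no written authorization on file"
        if not (self.window_start <= when <= self.window_end):
            return False, "outside the agreed testing window"
        if self._matches(target, self.excluded):
            return False, "explicitly excluded"
        if not self._matches(target, self.in_scope):
            return False, "not in the written scope"
        return True, "in scope"


# Constructed sample scope: documentation-only addresses and a placeholder ref.
SAMPLE_SCOPE = Scope(
    authorization_ref="AUTH-EXAMPLE-001",
    window_start=datetime(2026, 3, 2, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2026, 3, 6, 6, 0, tzinfo=timezone.utc),
    in_scope=["portal.example.com", "203.0.113.0/24"],
    excluded=["203.0.113.7", "crm.vendor.example"],  # vendor host excluded
)
```

A record like this, agreed in writing with the provider, is what "be precise" looks like in practice and is what a retest at 90 days should reuse unchanged.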
Question #8: What should a good report include?
Required sections
- Executive summary
- Methodology
- Vulnerabilities with proof
- Concrete recommendations
- Uncovered risks
- Technical appendices
🚩 No proof = reject the report
Question #9: What should I do AFTER the test?
30-60-90 day plan
| Timeline | Action |
|---|---|
| 48h | Review + prioritize |
| 7 days | Fix critical issues |
| 30 days | Fix high-risk issues |
| 90 days | Retest |
❌ Filing the report away = critical mistake
✅ Follow-up is mandatory
Question #10: How much does it cost?
Typical pricing (CAD – 2026)
| Type | Cost |
|---|---|
| Simple web app | $3,000 – $6,000 |
| Complex app | $6,000 – $15,000 |
| External infra | $4,000 – $8,000 |
| Internal infra | $5,000 – $12,000 |
| Full pentest | $12,000 – $25,000 |
👉 First test: $8,000 – $12,000 max
Conclusion
✅ A well-prepared pentest is an investment
❌ A pentest without follow-up is useless
Immediate next steps
- Answer the 10 questions
- Write a simple scope document
- Compare 2–3 providers
Need help?
Sécurité Info Services supports you with:
- Free pre-audit
- Ready-to-use scope document
- SME-focused certified pentesters
- Post-pentest follow-up
📞 Free 30-minute assessment