Insights · Penetration testing

How much does a penetration test cost in Canada? (2026)

The real CAD ranges, what moves the price up or down — and how to spot a quote that only buys you an automated scan.

The short answer

In Canada, published ranges put most SMB penetration tests between $5,000 and $25,000 CAD. A focused external network test typically runs $5,000 to $12,000; a web-application test, $8,000 to $20,000; a vulnerability assessment — a lighter exercise that is not a penetration test — sits around $2,500 to $5,000. The rest of this article explains where those spreads come from and how to compare quotes that never look alike on paper.

  • Scope and depth move the price more than anything else.
  • A quote far below the published ranges usually buys an automated scan, not a penetration test.
  • A retest of your fixes isn’t included everywhere — check before you sign.
  • An honest price is set after scoping, never before.

What you’re actually paying for

The label on the quote — pentest, pen test, penetration test — matters less than the method behind it. A real engagement is an authorized, simulated attack in which a specialist manually exploits weaknesses, chains them together, and shows what an actual attacker could reach in your environment. That’s what separates it from a scan: manual exploitation aligned to recognized methodologies (OWASP, NIST, PTES), a prioritized report your leadership and insurer can act on, and a retest once your team has fixed what was found.

Cost by type of test

Engagement typePublished range (CAD)
External network / perimeter test$5,000 – $12,000
Web-application test$8,000 – $20,000
Wider engagement (internal, cloud, applications)upper end of $5,000 – $25,000
Vulnerability assessment (not a pentest)$2,500 – $5,000

These ranges line up with what Canadian providers who publish their prices quote for SMB-sized work. They exclude large enterprise environments, where scope — and the bill — changes by an order of magnitude.

What moves the price

Four factors explain most of the spread. Scope first: how many IP addresses, applications, networks and cloud environments are in play. Depth second: black-box (no prior information), grey-box (test accounts provided) and white-box (code and credentials in hand) engagements demand different amounts of effort. Third, compliance and insurance requirements — a report destined for a SOC 2 audit, an insurer or a client questionnaire can dictate methodology and format. Fourth, timelines: a test needed urgently before an insurance renewal compresses the same work into less time.

A fifth item deserves its own line: the retest. Once your fixes are in, someone has to confirm they hold. Some firms include that; others bill it as an add-on — which is how two quotes that look comparable end up covering different things. Ours is included in every engagement.

The trap in quotes that look too cheap

When an offer lands far below these ranges, ask one simple question: who, specifically, will be trying to exploit the findings by hand? Across the industry, a floor-level price usually signals an automated scan dressed up in a report template. That exercise has value — it’s a vulnerability assessment, and we sell those too — but it doesn’t demonstrate real-world impact, and it tends to be rejected by insurers and clients who asked for a penetration test. Paying $2,000 for a document nobody accepts is more expensive than it looks.

How to compare quotes, practically

Put every offer through the same questions. What exactly is in scope — addresses, applications, environments? Is the testing manual, and against which methodologies (OWASP, NIST, PTES)? Who does the work: the person you met during the sales conversation, or a bench you’ve never seen? Is the report readable by your leadership and your insurer, not just your technicians? Is the retest included? And where does your test data live — a detail that matters when Quebec’s Law 25 applies. Two quotes at the same price can answer those six questions very differently.

For the full scope of our engagements — what we test, the methodology, and the included retest — see our penetration testing service. And if you’re local, our page on penetration testing in the Outaouais covers the on-the-ground side, on both sides of the river.

FAQ

Frequently asked questions

How much does a penetration test cost for a small business?

In Canada, published ranges put most SMB engagements between $5,000 and $25,000, in Canadian dollars. A focused external network test typically runs $5,000 to $12,000; a web-application test, $8,000 to $20,000; a wider engagement — internal network, cloud and applications — sits at the top of the range. The exact number depends on scope, and a serious provider sets it after a scoping conversation, not before.

Is a pentest the same thing as a penetration test?

Yes — “pentest,” “penetration test” and “pen test” all name the same service: an authorized, simulated attack carried out manually by a specialist to show what a real attacker could accomplish. What matters isn’t the label on the quote; it’s the method behind it — manual exploitation, a prioritized report, and a retest of your fixes.

Why are some quotes under $3,000?

Across the industry, a price far below the published ranges usually signals an automated scan with a report template rather than real manual testing. Scanning has its place — that’s a vulnerability assessment, a useful exercise at roughly $2,500 to $5,000 — but it doesn’t demonstrate what an attacker could actually reach, and many insurers and clients won’t accept it as a substitute for a penetration test.

Does Law 25 or my cyber insurer require a penetration test?

Quebec’s Law 25 doesn’t name a penetration test outright, but it does require reasonable security measures to protect personal information — and a documented test is one of the clearest ways to show that diligence. On the insurance side, more insurers now expect specific controls, and sometimes a test, before they’ll issue or renew a policy. The report becomes evidence you can hand to an insurer, an auditor or a client.

Is a retest of the fixes included in the price?

Not everywhere, and it’s a genuine comparison point: some firms include it, others bill it as an add-on. In our engagements the retest is part of every mandate — once your team has remediated, we confirm the fixes hold and give you the documented proof. Before you sign anywhere, ask whether the retest is included, what it covers and on what timeline.

Continue reading

Want a number for your environment?

We scope it with you, then give you a clear fixed fee — retest included.