
Your First Penetration Test: What to Expect and How to Prepare

Your first pen test is coming. Either an enterprise customer is requiring it, or you are about to attempt SOC 2 with a serious auditor, or your CISO advisor told you it is time. The test itself takes a week. Your preparation determines whether it produces a useful report or an embarrassing one.

What a pen test actually is (and is not)

A penetration test is a time-boxed adversarial assessment of your application and infrastructure by a qualified third party. Typically 5 to 10 business days of testing, against a defined scope, producing a written report of findings ranked by severity.

It is not a substitute for: a security program, continuous vulnerability scanning, secure SDLC practices, employee security training, or SOC 2. Pen tests find specific exploitable weaknesses. They do not certify that you are "secure."

The kinds of pen tests, and which you need

Web application pen test. Tests your customer-facing application for OWASP Top 10 vulnerabilities, business logic flaws, and authentication and authorization issues. This is what most enterprise customers actually want when they ask "have you had a pen test?"

External infrastructure pen test. Tests your internet-facing infrastructure: public IPs, exposed services, misconfigurations. Smaller in scope than a web app test for most SaaS startups.

Internal pen test. Tests what an attacker could do once inside your network. More relevant for traditional enterprises than for cloud-native SaaS.

Red team engagement. Open-ended adversarial simulation, including social engineering, attempting to achieve specific objectives. Much more expensive, much longer, much more revealing. Inappropriate for a first engagement.

For your first pen test, focus on the web application test. Add external infrastructure if your scope warrants it.

How to pick a vendor

The market splits into three tiers.

Boutique specialists ($15K-$40K per engagement). Small firms or solo consultants. Often more skilled than the big firms; the principal does the work. Best for first-time engagements where you want depth and good communication.

Mid-tier ($25K-$60K). Firms like NCC Group, Bishop Fox, Doyensec. Strong reputations, larger teams, more structured process. Good if you need a recognizable name on the report.

Large consulting firms ($60K+). Deloitte, EY, PwC. Expensive, variable quality, name-brand acceptance with the largest enterprise buyers. Often overkill for startups but sometimes required by a specific customer.

For most early-stage startups, a strong boutique is the right answer. Get three quotes. Ask each for sample reports (sanitized). Talk to past clients.

How to prepare

The four weeks before the test are when most value is created or lost.

Run your own scans first. ZAP, Burp Suite Community, Nuclei. Find and fix the easy stuff before the testers do. Their time is better spent on hard issues than re-reporting things a free scanner would have caught.

Provide good documentation. Architecture diagram, list of endpoints, authentication flows, user roles. Testers who do not have documentation spend half their time on discovery instead of on actual testing.

Provision test accounts at every role level. User, admin, super-admin, third-party API integration. Without these, the test can only cover unauthenticated paths.

Notify your team and your monitoring. Pen testing will trigger alerts. Make sure your team knows so they do not respond as if it is a real incident. Also tell your cloud provider (AWS, GCP) so they do not block the test traffic.

Define scope tightly. Specific environments, specific applications, specific accounts. Out-of-scope work is wasted hours.
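One way to act on two of the points above, telling your monitoring about the test and holding it to the agreed scope, is an alert-enrichment step that tags traffic from the vendor's declared IP ranges inside the agreed window as authorized, flags tester traffic against hosts the statement of work did not cover, and leaves everything else as a real incident for on-call. This is an added example, not code from the original post; the IP ranges, dates, hostnames and rule names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

UTC = timezone.utc
# Constructed engagement record (sample values, not from any real engagement):
# the source ranges, test window and hosts the vendor agreed to in the statement of work.
ENGAGEMENT = {
    "source_ranges": [ip_network("203.0.113.0/28"), ip_network("198.51.100.7/32")],
    "start": datetime(2024, 3, 4, 8, 0, tzinfo=UTC),
    "end": datetime(2024, 3, 8, 20, 0, tzinfo=UTC),
    "in_scope_hosts": {"app.example.com", "api.example.com"},
}

@dataclass
class Alert:
    ts: datetime
    src_ip: str
    host: str
    rule: str

def classify(alert: Alert, engagement: dict = ENGAGEMENT) -> str:
    """Tag an alert so on-call can tell authorized test traffic from a real incident.
    'authorized-test'   tester IP, inside the window, against an in-scope host
    'test-out-of-scope' tester IP inside the window, but a host the SoW did not cover
    'investigate'       anything else: unknown source, or tester IP outside the window
    """
    from_tester = any(ip_address(alert.src_ip) in net for net in engagement["source_ranges"])
    in_window = engagement["start"] <= alert.ts <= engagement["end"]
    if not (from_tester and in_window):
        return "investigate"
    if alert.host not in engagement["in_scope_hosts"]:
        return "test-out-of-scope"
    return "authorized-test"

def triage(alerts):
    """Group a batch of alerts as {tag: [rule names]}; only 'investigate' should page on-call."""
    buckets = {}
    for a in alerts:
        buckets.setdefault(classify(a), []).append(a.rule)
    return buckets

# Constructed sample alerts: what a WAF or IDS might emit during the test week.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 3, 5, 10, 0, tzinfo=UTC), "203.0.113.5", "app.example.com", "sqli-probe"),
    Alert(datetime(2024, 3, 5, 10, 5, tzinfo=UTC), "203.0.113.5", "billing.example.com", "dir-bruteforce"),
    Alert(datetime(2024, 3, 5, 10, 7, tzinfo=UTC), "192.0.2.44", "app.example.com", "sqli-probe"),
    Alert(datetime(2024, 3, 9, 2, 0, tzinfo=UTC), "198.51.100.7", "api.example.com", "credential-stuffing"),
]
```

The fourth sample alert is the case worth noticing: a tester IP hitting you after the window closed is treated as an incident, not waved through.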

What to expect from the report

A good report has:

  • Executive summary suitable for showing customers.
  • Detailed technical findings with reproduction steps, evidence, and severity.
  • Recommended remediation for each finding.
  • Methodology and scope documentation.

Findings are ranked: Critical, High, Medium, Low, Informational. A first pen test typically produces 0 to 2 Criticals, 3 to 8 Highs, 10 to 20 Mediums. If the report has zero findings, either the test was bad or your scope was wrong.

What to do after

Fix Critical and High findings immediately. Document Medium and Low findings, prioritize, and plan a fix. Some Informational findings will not be worth fixing; document the decision.

Retest the Critical and High findings. Either the same vendor (cheaper) or in-house verification. Get a "remediation verified" memo for your records and for customers.

Add the fixed issues to your secure coding standards and CI checks so they do not regress.

Plan the next pen test. Annual is the standard cadence. More often if you make major architecture changes or have a security incident.

Preparing for a pen test?

We help startups pick the right vendor, scope the engagement, prepare the application, and triage the findings afterwards. Typical engagement: 3 to 4 weeks total.



Get the playbook, not a sales pitch

If this was useful, Jacob sends a few short, practical notes on locking down your startup without a big security team. No fluff, unsubscribe in one click. Just reply if you want to talk; it reaches him directly.

From Jacob Masse, founder of traztech. No spam, unsubscribe in one click.

Need help with any of this?

We help startups build secure, scalable infrastructure. Book a free strategy call and let's talk about your stack.
