A Practical Guide to Your First Penetration Test
You need a pen test. You've never done one. Here's what actually happens, what it costs, what questions to ask a pen test firm, and what to do with the findings.
The first pen test is a rite of passage. If you approach it right, you close a real security gap and get an auditor-ready report. If you approach it wrong, you waste money on a compliance artifact that doesn't make your product more secure.
Scope: what actually gets tested
A standard first-time pen test usually covers three surfaces:
- External perimeter: your public-facing IPs, domains, ports. Mostly automated, quick to run.
- Web application: your product itself. Authenticated and unauthenticated testing against OWASP Top 10 plus business-logic flaws. This is where most findings come from.
- APIs: increasingly the biggest attack surface for B2B SaaS. Auth, authorization, data exposure.
Cloud configuration review (checking your AWS/Azure for misconfigurations) is often bundled separately. Worth doing — it's where the highest-impact quick wins usually hide.
Timeline and cost
A scoped pen test for a single-product early-stage SaaS typically runs 1–2 weeks of testing plus a week of reporting. Cost ranges widely — a solid boutique firm will quote $8K–$20K for scope this size. Avoid anyone offering $2K "pen tests"; those are vulnerability scans with a prettier PDF.
What a good report looks like
Every finding should have: description, impact, reproduction steps, recommended remediation, and severity rating. Critical and High findings should include enough detail that your engineers can fix them without a call back to the tester. Findings that read "user input not sanitized" and nothing else are not useful.
Remediation — where the actual value lives
Most first pen tests produce 5–15 findings. Fix the Criticals and Highs within 30 days. For Medium findings, document whether you're accepting the risk or planning to fix it, and why. For Lows, track them but don't over-invest in them.
The remediation summary letter — a follow-up document confirming which findings have been closed — is what you hand to auditors and enterprise buyers. It matters more than the original report.
Questions to ask before you sign
- Who is doing the testing? Name and background of the actual tester.
- Is it manual testing or automated scanning?
- What's included in the report? Will I get a remediation retest letter confirming which findings were closed?
- Will the report be accepted by SOC 2 / ISO auditors?
If any answer is vague, get a different quote. Good pen test firms are transparent by default.