Penetration Testing for SaaS: What to Expect
Pen-tests range from real attacks to high-priced compliance theatre. Knowing the difference matters.
What a real pen-test looks like
Real pen-tests: 1-4 weeks, hands-on testers, documented techniques, prioritised findings.
Theatre: automated scanner output, generic recommendations, and no creative attack chains.
Ask for sample reports before signing.
Four scope categories
- External: internet-facing systems.
- Internal: what an attacker can do once inside.
- Web app: your application code.
- Cloud config: your IaC + cloud accounts.
Cost ranges
Mid-market SaaS: $20-50k for an annual external + web pen-test. Add $20-40k for cloud-config + internal.
Larger orgs: $80-200k for comprehensive engagements.
Compliance-only pen-tests are cheaper and worth less.
Post-test remediation
Findings are categorised by severity. Remediate critical in under 7 days, high in under 30 days, medium in under 90 days.
Document remediation in the audit trail; the next pen-test verifies fixes held.
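As an added illustration of the remediation step (this is example code written for this article, not a tool from any pen-test vendor), here is a small tracker that applies the severity windows above to a set of findings, flags anything past its window, and emits the per-finding record an audit trail needs, including whether the next pen-test's retest confirmed the fix held. The finding records, dates and field names are constructed assumptions; the SLA windows are the article's.

```python
"""Remediation-SLA tracker for pen-test findings (added example, not from the article).

Severity windows are the article's: critical 7 days, high 30, medium 90.
Finding records, dates and field names below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows per severity, in days (article's figures).
# "low" has no stated window, so it is tracked but never flagged overdue (assumption).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class Finding:
    finding_id: str                       # assumed identifier format, e.g. "PT-001"
    title: str
    severity: str                         # "critical" | "high" | "medium" | "low"
    reported: date                        # date the pen-test report was delivered
    fixed: Optional[date] = None          # date the fix shipped, if any
    retest_passed: Optional[bool] = None  # result of the next pen-test's verification


def due_date(f: Finding) -> Optional[date]:
    """Deadline implied by the severity window; None when no window applies."""
    days = SLA_DAYS.get(f.severity.lower())
    return f.reported + timedelta(days=days) if days is not None else None


def status(f: Finding, today: date) -> str:
    """Classify one finding against its window as of a given day."""
    due = due_date(f)
    if f.fixed is not None:
        if due is not None and f.fixed > due:
            return "fixed-late"      # closed, but outside the window
        if f.retest_passed is False:
            return "regressed"       # next pen-test showed the fix did not hold
        return "fixed"
    if due is None:
        return "open"
    return "overdue" if today > due else "open"


def audit_trail(findings, today: date):
    """One record per finding, the shape an audit trail entry needs."""
    return [
        {"id": f.finding_id, "severity": f.severity, "due": due_date(f),
         "fixed": f.fixed, "status": status(f, today)}
        for f in findings
    ]


def overdue_ids(findings, today: date):
    """Findings still open past their window, for escalation."""
    return [f.finding_id for f in findings if status(f, today) == "overdue"]


# Constructed sample findings (titles and dates are illustrative only).
SAMPLE = [
    Finding("PT-001", "Sample finding A", "critical", date(2024, 3, 1),
            fixed=date(2024, 3, 5), retest_passed=True),
    Finding("PT-002", "Sample finding B", "high", date(2024, 3, 1)),
    Finding("PT-003", "Sample finding C", "medium", date(2024, 3, 1),
            fixed=date(2024, 7, 1)),
    Finding("PT-004", "Sample finding D", "high", date(2024, 3, 1),
            fixed=date(2024, 3, 20), retest_passed=False),
]
AS_OF = date(2024, 4, 15)  # review date used for the sample run

if __name__ == "__main__":
    for row in audit_trail(SAMPLE, AS_OF):
        print(row)
    print("overdue:", overdue_ids(SAMPLE, AS_OF))
```

Run the script as-is to see the four statuses the sample produces: one finding fixed and verified, one high still open past its 30-day window, one medium closed after its window, and one whose fix the retest showed had not held. Feeding it the real findings export from a report, with the retest column filled in after the following engagement, gives the "did the fixes hold" answer the next pen-test is meant to provide.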
Antipatterns
- Lowest-bid pen-test. Compliance theatre.
- One scope category only. Misses the others.
- Pen-test without remediation budget. Findings rot.
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before and after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.