Penetration Testing for SaaS: What to Expect
Pen-tests range from real attacks to high-priced compliance theatre. Knowing the difference matters.
What a real pen-test looks like
Real pen-tests run 1-4 weeks with hands-on testers, documented techniques, and prioritised findings. Compliance theatre is automated scanner output with generic recommendations and no creative attack chains. Ask for sample reports before signing.
- 1-4 weeks of hands-on work. Real testers spend real time; the engagement is human-scale, not automated-tool-scale.
- Documented techniques. Each finding traces to a specific attack technique; reproducible by the security team.
- Prioritised findings. Severity plus reachability plus exploit chain; not a CVSS score dump.
- Sample reports. Ask before signing; a report from a previous engagement predicts the shape of yours, and compliance theatre is obvious on the page.
Four scope categories
Pen-test scope falls into four categories. Each covers a different attacker class; together they cover the realistic threat model. Picking only one leaves the others untested.
- External. Internet-facing systems; web app exposed to the public internet; the front door.
- Internal. What an attacker can do once inside; lateral movement, privilege escalation, data exfiltration.
- Web app. Your application code; OWASP Top 10 plus custom logic flaws; the most common attack surface.
- Cloud config. Your IaC plus cloud accounts; misconfigured S3, over-broad IAM, exposed metadata.
Cost ranges
Mid-market SaaS: $20-50k for an annual external + web pen-test. Add $20-40k for cloud-config + internal.
Larger orgs: $80-200k for comprehensive engagements.
Compliance-only pen-tests are cheaper and worth less.
Post-test remediation
Findings are categorised by severity and remediated on a clock: critical in under 7 days; high in under 30 days; medium in under 90 days.
Document remediation in the audit trail; the next pen-test verifies fixes held.
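The remediation loop above (severity-based SLA, audit trail, retest verifying that fixes held) is easy to track mechanically. The script below is an added example, not part of the article: it assumes findings are exported as plain dicts with an id, severity, date found and an optional fix date, and that the retest hands back the ids it could still reproduce. It classifies each finding against the article's SLA windows and flags regressions, meaning findings the audit trail says were fixed but the retest reproduced anyway.

```python
"""Remediation SLA tracker and retest regression check for pen-test findings.

Added example; not the article's own tooling. The findings format below is a
constructed assumption: each finding is a dict with id, title, severity,
date_found and, once remediated, fixed_on. Adapt the loader to your tracker.
"""
from datetime import date, timedelta

# SLA windows from the article: critical < 7 days, high < 30, medium < 90.
# Low severity has no stated window, so it is reported as untracked.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed sample findings from a hypothetical first engagement.
FINDINGS = [
    {"id": "F-01", "title": "IDOR on invoice download", "severity": "critical",
     "date_found": date(2024, 3, 4), "fixed_on": date(2024, 3, 8)},
    {"id": "F-02", "title": "Over-broad IAM role on CI runner", "severity": "high",
     "date_found": date(2024, 3, 4), "fixed_on": date(2024, 4, 10)},
    {"id": "F-03", "title": "Verbose error pages", "severity": "medium",
     "date_found": date(2024, 3, 4)},
    {"id": "F-04", "title": "Public S3 bucket with exports", "severity": "critical",
     "date_found": date(2024, 3, 4)},
    {"id": "F-05", "title": "Missing security headers", "severity": "low",
     "date_found": date(2024, 3, 4)},
]

# Constructed retest result: ids the second engagement could still reproduce.
RETEST_REPRODUCED = {"F-02", "F-04"}


def deadline(finding):
    """Date by which the fix must have landed (exclusive), or None if untracked."""
    days = SLA_DAYS.get(finding["severity"].lower())
    if days is None:
        return None
    return finding["date_found"] + timedelta(days=days)


def sla_status(finding, today):
    """Classify one finding: untracked, closed_on_time, closed_late, open, overdue."""
    due = deadline(finding)
    if due is None:
        return "untracked"
    fixed_on = finding.get("fixed_on")
    if fixed_on is not None:
        # "< N days" means the fix landed strictly before the deadline date.
        return "closed_on_time" if fixed_on < due else "closed_late"
    return "open" if today < due else "overdue"


def regressions(findings, reproduced_ids):
    """Ids recorded as fixed in the audit trail that the retest still reproduced."""
    return sorted(f["id"] for f in findings
                  if f.get("fixed_on") is not None and f["id"] in reproduced_ids)


def remediation_report(findings, today, reproduced_ids):
    """Status per finding plus the regression list, ready for the audit trail."""
    return {
        "status": {f["id"]: sla_status(f, today) for f in findings},
        "regressions": regressions(findings, reproduced_ids),
    }


if __name__ == "__main__":
    report = remediation_report(FINDINGS, date(2024, 5, 1), RETEST_REPRODUCED)
    for fid, status in report["status"].items():
        print(f"{fid}: {status}")
    print("regressions:", report["regressions"])
```

Run it as-is and the report shows one overdue critical (F-04), one high closed after its window (F-02), and F-02 again as a regression because the retest reproduced a finding the audit trail had closed. Feeding the real tracker export and retest ids into the same functions gives the "did the fixes hold" answer the next engagement is supposed to produce.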
Antipatterns
- Lowest-bid pen-test. Compliance theatre.
- One scope category only. Misses the others.
- Pen-test without remediation budget. Findings rot.
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before/after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.