You've probably heard the term "penetration test" or "pentest" and assumed it's something for banks and government agencies. And you'd be half right — those organisations do need them. But the landscape has shifted. As small businesses handle more customer data, operate more of their business online, and face more sophisticated threats, penetration testing is becoming relevant at much smaller scales than it used to be.
What a penetration test actually is
A penetration test is an authorised, structured attempt to breach your systems — before an actual attacker does. A trained security professional uses the same techniques and tools that real attackers use to find vulnerabilities in your infrastructure, websites, applications, or networks. The difference is that they report what they find to you, rather than exploiting it for their own gain.
The output is a report: here are the vulnerabilities we found, here is how severe they are, here is how we exploited them, and here is what you need to do to fix them. That report is actionable intelligence — a prioritised list of the real risks to your business.
What a pentest is not
- Not a one-time fix: A pentest tells you where the vulnerabilities are at a point in time. New vulnerabilities emerge as software changes. Testing should happen periodically.
- Not the same as a vulnerability scan: Automated scanning tools look for known vulnerabilities. A pentest involves a human attacker using creative problem-solving to find and exploit weaknesses that automated tools miss.
- Not always a compliance requirement: Some frameworks (PCI-DSS for payment processing) require regular pentests. Most small businesses aren't there yet — but that doesn't mean a pentest has no value.
Types of penetration tests
Web application testing
Targets your website or web app specifically — looking for vulnerabilities like SQL injection, broken authentication, exposed sensitive data, or cross-site scripting. If you run a site that handles customer data or has user accounts, this is the most relevant type for most small businesses.
Network penetration testing
Examines your internal or external network for vulnerabilities — misconfigured firewalls, exposed services, weak credentials on network devices. More relevant for businesses with on-premises infrastructure.
Social engineering testing
Tests your people, not just your technology. A tester will attempt to manipulate employees into revealing credentials or granting access — through phishing emails, phone calls, or in-person approaches. For businesses where human error is the most likely attack vector, this adds significant value.
The most common finding in small business penetration tests isn't exotic research. It's basic hygiene failures — default credentials left unchanged, outdated software with known exploits, unnecessary services exposed to the internet. These aren't hard to find or fix. But you have to know they're there.
When your business actually needs one
You don't need a pentest on day one. But consider it when:
- You're storing sensitive customer data — health information, financial information, personal identification
- A client or partner requires security assurance as part of a contract
- You're preparing for a funding round or acquisition where security due diligence will happen
- You've recently launched a new web application or significantly changed your infrastructure
- You've had a security incident and want to understand whether similar vulnerabilities remain
- You're in a regulated industry where periodic testing is expected
What it costs
Penetration testing pricing varies based on scope and provider:
- Web application pentest (small scope): NZD $2,000–$8,000
- Full external network + web application test: NZD $8,000–$25,000+
- Automated vulnerability scanning (a starting point, not a full pentest): NZD $500–$2,000
These are rough ranges. The actual cost depends on the size of the attack surface, the depth of testing, and the quality of the report. As with most professional services, you generally get what you pay for.
GhostRoutine's security services — coming soon
We're building out a security offering for startups and small businesses who need professional assessment without the enterprise price tag. Website security audits, external vulnerability assessments, and basic security posture reviews — scoped and priced for organisations that take security seriously without operating at enterprise scale.
If this is relevant to your business, get in touch. We'd like to understand what you need before we formally launch.
Make sure the basics are in place first: MFA on all critical accounts, software kept updated, backups in place, no unnecessary services exposed to the internet. A pentest on a system with obvious hygiene failures is like hiring a locksmith to test your security before you've put a lock on the door.
Curious about security testing for your business? Book a free call. We'll tell you honestly where you are, what level of assessment makes sense for your stage, and what we'd recommend before any paid engagement.
Book a free call →