[{"data":1,"prerenderedAt":337},["ShallowReactive",2],{"blog-stories/pen-test-experience":3},{"id":4,"title":5,"body":6,"category":318,"date":319,"dateModified":319,"description":320,"draft":321,"extension":322,"faq":323,"featured":321,"headerVariant":318,"image":323,"keywords":323,"meta":324,"navigation":325,"ogDescription":326,"ogTitle":323,"path":327,"readTime":323,"schemaOrg":328,"schemaType":329,"seo":330,"sitemap":331,"stem":332,"tags":333,"twitterCard":335,"__hash__":336},"blog/blog/stories/pen-test-experience.md","An HR Tech Startup's First Penetration Test - What to Expect",{"type":7,"value":8,"toc":309},"minimark",[9,16,19,22,27,30,43,47,53,68,73,84,89,100,104,107,110,113,115,118,121,124,127,130,132,135,138,141,144,147,149,152,155,158,164,168,173,205,209,212,223,226,250,272,301],[10,11,12],"tldr",{},[13,14,15],"p",{},"An HR tech startup's first pen test cost $4,500, took two weeks, and found 12 issues (2 high, 4 medium, 6 low). Most were things the team should have caught themselves - and that's the point. It was worth it for the external validation, the findings they'd missed, and the report they could share with customers. Here's the full breakdown.",[13,17,18],{},"The engineering lead at a growing HR tech startup was nervous before their first pen test. Would the testers find something catastrophic? Would they judge the code? Would the team feel like idiots?",[13,20,21],{},"The reality was much more constructive than anyone had feared.",[23,24,26],"h2",{"id":25},"why-they-got-a-pen-test","Why They Got a Pen Test",[13,28,29],{},"Three reasons pushed the team to finally do it:",[31,32,33,37,40],"ol",{},[34,35,36],"li",{},"An enterprise customer required a security assessment",[34,38,39],{},"They wanted external validation of their security practices",[34,41,42],{},"They suspected they were missing things their automated scans didn't catch",[23,44,46],{"id":45},"the-process","The Process",[13,48,49],{},[50,51,52],"strong",{},"Week 1: Scoping and Setup",[54,55,56,59,62,65],"ul",{},[34,57,58],{},"Calls to define what was in scope (the web app, API, infrastructure)",[34,60,61],{},"Signed authorization agreement",[34,63,64],{},"Provided tester with a test account (authenticated testing)",[34,66,67],{},"Set up communication channel for urgent findings",[13,69,70],{},[50,71,72],{},"Week 2: Active Testing",[54,74,75,78,81],{},[34,76,77],{},"Tester worked through the application methodically",[34,79,80],{},"The team got real-time pings for one critical finding",[34,82,83],{},"Answered a few questions about intended functionality",[13,85,86],{},[50,87,88],{},"Week 3: Report and Debrief",[54,90,91,94,97],{},[34,92,93],{},"Received detailed PDF report",[34,95,96],{},"Video call to walk through findings",[34,98,99],{},"Opportunity to ask questions about remediation",[23,101,103],{"id":102},"what-they-found","What They Found",[13,105,106],{},"High",[13,108,109],{},"IDOR in User Profile API",[13,111,112],{},"Could access other users' profile data by changing user ID in request",[13,114,106],{},[13,116,117],{},"Weak Password Reset Token",[13,119,120],{},"Reset tokens were predictable and didn't expire quickly enough",[13,122,123],{},"Medium",[13,125,126],{},"Missing Rate Limiting on Login",[13,128,129],{},"Allowed unlimited password attempts without lockout",[13,131,123],{},[13,133,134],{},"Verbose Error Messages",[13,136,137],{},"Stack traces visible in production error responses",[13,139,140],{},"Low",[13,142,143],{},"Missing Security Headers",[13,145,146],{},"Content-Security-Policy and other headers not configured",[13,148,140],{},[13,150,151],{},"Session Timeout Too Long",[13,153,154],{},"Sessions valid for 30 days without re-authentication",[13,156,157],{},"Plus 6 additional low/informational findings about configurations and best practices.",[159,160,161],"story-block",{},[13,162,163],{},"\"Honestly, the IDOR finding was embarrassing,\" the lead engineer admitted. \"The team should have caught that. But that's why you get external testers - they look at your app with fresh eyes and no assumptions about how it 'should' work.\"",[23,165,167],{"id":166},"was-it-worth-4500","Was It Worth $4,500?",[13,169,170],{},[50,171,172],{},"Yes, for several reasons:",[54,174,175,181,187,193,199],{},[34,176,177,180],{},[50,178,179],{},"Found real issues",": The IDOR alone could have been a serious incident",[34,182,183,186],{},[50,184,185],{},"External validation",": They could share the report with the enterprise customer",[34,188,189,192],{},[50,190,191],{},"Confidence boost",": No critical findings in most areas the team had hardened",[34,194,195,198],{},[50,196,197],{},"Learning opportunity",": Understanding how a tester thinks improved their own reviews",[34,200,201,204],{},[50,202,203],{},"Sales enablement",": \"We do annual pen tests\" is a real competitive advantage",[23,206,208],{"id":207},"how-to-prepare","How to Prepare",[13,210,211],{},"Before your pen test, fix the obvious issues first. Don't pay someone to tell you:",[54,213,214,217,220],{},[34,215,216],{},"Your API keys are in the JavaScript bundle",[34,218,219],{},"You're not using HTTPS",[34,221,222],{},"Your npm dependencies have critical vulnerabilities",[13,224,225],{},"Run automated scans, fix those issues, then bring in a pen tester to find what automation misses.",[227,228,230],"lesson-box",{"title":229},"Pen Test Preparation Tips",[54,231,232,235,238,241,244,247],{},[34,233,234],{},"Fix obvious issues before the test (automated scan findings)",[34,236,237],{},"Define scope clearly - what's in, what's out",[34,239,240],{},"Provide appropriate access levels for thorough testing",[34,242,243],{},"Set up communication for urgent findings",[34,245,246],{},"Allocate dev time to fix issues after the report",[34,248,249],{},"Plan for a re-test to verify fixes (often discounted)",[251,252,253,260,266],"faq-section",{},[254,255,257],"faq-item",{"question":256},"How much does a pen test cost?",[13,258,259],{},"For a small web application, expect $3,000-$8,000 for a thorough test. More complex apps with mobile, API, and infrastructure can be $10,000+. Get quotes from multiple firms.",[254,261,263],{"question":262},"When should a startup get their first pen test?",[13,264,265],{},"When you have real users and have already fixed obvious issues. Or when a customer/investor requires it. Don't do it too early - fix the basics first so you get value from the human tester finding things automation can't.",[254,267,269],{"question":268},"What's the difference between a pen test and a vulnerability scan?",[13,270,271],{},"Vulnerability scans are automated and find known issues. Pen tests have humans actively trying to break in using creativity, business logic understanding, and chained attacks. Both are valuable; they catch different things.",[273,274,275,281,286,291,296],"related-articles",{},[276,277],"related-card",{"description":278,"href":279,"title":280},"A white hat hacker found a vulnerability in a food delivery startup's platform and reported it responsibly before anyone","/blog/stories/hacker-reached-out","The Hacker Who Reached Out to a Food Delivery Startup First",[276,282],{"description":283,"href":284,"title":285},"A real estate tech company had cyber insurance and a breach. The insurer denied the claim. The painful lesson about what","/blog/stories/insurance-claim-denied","When Insurance Denied a Real Estate Tech Company's Breach Claim",[276,287],{"description":288,"href":289,"title":290},"An investor asked 'What's your security posture?' and we weren't ready. Here's how we turned that awkward moment into a ","/blog/stories/investor-asked-about-security","When an Investor Asked About Security - How to Be Ready",[276,292],{"description":293,"href":294,"title":295},"A stranger found a health-tech startup's admin panel at /admin with no authentication. They could see all patient data, ","/blog/stories/admin-panel-found","When Someone Found a Health-Tech Startup's Unprotected Admin Panel",[276,297],{"description":298,"href":299,"title":300},"In early 2025, AI-assisted attackers compromised 50,000 FortiGate firewalls in weeks. Here's what happened and why it ma","/blog/stories/ai-assisted-fortigate-attack","How Attackers Used AI to Breach 50,000 FortiGate Firewalls",[302,303,306],"cta-box",{"href":304,"label":305},"/","Check Your Vibe Now",[13,307,308],{},"Fix the obvious issues first so your pen test budget goes toward finding what automation can't.",{"title":310,"searchDepth":311,"depth":311,"links":312},"",2,[313,314,315,316,317],{"id":25,"depth":311,"text":26},{"id":45,"depth":311,"text":46},{"id":102,"depth":311,"text":103},{"id":166,"depth":311,"text":167},{"id":207,"depth":311,"text":208},"stories","2026-02-16","An HR tech startup hired their first penetration tester and didn't know what to expect. Here's what the process looked like, what they found, and whether it was worth the investment.",false,"md",null,{},true,"What to expect from your first penetration test and whether it's worth it.","/blog/stories/pen-test-experience","[object Object]","BlogPosting",{"title":5,"description":320},{"loc":327},"blog/stories/pen-test-experience",[334],"Experience Report","summary_large_image","Nx7JkGK3lbnbU8H0TfMydxuuY35VOjRnqsCkfWlgXKo",1775843936313]