Category: Security / Technical. Tags: penetration testing, cybersecurity, Nigeria, SMB security, security assessment, ethical hacking, information security

Penetration Testing for Nigerian SMBs: What It Is, What It Costs, What You Get

Ekfix Team | Verified Feb 19, 2026

Most Nigerian SMBs either believe penetration testing is only for banks and large corporations, or they have vague anxiety about it without knowing what it involves. Neither position is helpful. A well-scoped pen test, procured correctly, is one of the highest-value security investments available to a mid-size Nigerian business.


Disclaimer

This article is for educational purposes only and does not constitute legal, financial, or professional advice. Compliance requirements vary by industry and jurisdiction. Consult a qualified professional for guidance specific to your organisation. Information was accurate at the time of writing; verify current regulations with the relevant authorities.


A penetration test (commonly called a pen test) is a structured attempt to compromise the security of a system, network, or application by a professional security consultant working under a defined scope and authorisation. The objective is to find exploitable vulnerabilities before attackers do, document them with evidence of exploitability, and recommend how to fix them.

For Nigerian SMBs, penetration testing occupies an uncomfortable middle ground. It is not optional for regulated industries: CBN-supervised financial institutions, NDPR-covered data processors with significant personal data volumes, and companies handling cardholder data under PCI DSS all have explicit or implicit obligations to assess their security posture. Outside those regulated categories it is genuinely discretionary, but the risk environment has changed significantly enough in the past three years that "discretionary" increasingly means "recommended."

This article explains what a pen test involves, what you should expect to receive, and how to evaluate whether you are getting value for your investment.


Types of Penetration Testing

Not all pen tests are the same engagement. The scope determines the cost, the duration, and the findings.

Web Application Penetration Test

The most common engagement for Nigerian SMBs. Tests the security of a specific web application (your customer portal, your ERP web interface, your e-commerce platform) for vulnerabilities including SQL injection, cross-site scripting (XSS), authentication bypass, insecure direct object references, privilege escalation, and similar OWASP Top 10¹ issues.

Duration: 3–10 days depending on application complexity
What you learn: Which vulnerabilities an attacker targeting your application could exploit, with severity ratings and remediation guidance

Network/Infrastructure Penetration Test

Tests the security of your network perimeter and internal network: can an external attacker gain entry, and once inside (by any means), what can they access? Tests firewall configuration, exposed services, VPN security, and internal segmentation.

Duration: 5–15 days depending on network size and complexity
What you learn: External attack surface exposure, lateral movement possibilities, internal network security between systems

Social Engineering Test (Phishing)

A controlled phishing campaign to test whether your staff will click malicious links, open infected attachments, or provide credentials to a convincing fraudulent request. This tests human security controls rather than technical ones.

Duration: 1–3 weeks of campaign, plus analysis
What you learn: Staff susceptibility rates, which staff groups are most vulnerable, effectiveness of security awareness training

Physical Security Test

A consultant attempts to gain unauthorised physical access to your premises: tailgating through doors, obtaining access to unattended workstations, accessing server rooms. Rarely conducted as a standalone engagement for SMBs; sometimes added to a broader assessment.

Red Team Exercise

A comprehensive, extended simulation of a sophisticated attacker, combining social engineering, technical exploitation, and physical access attempts toward a defined objective (obtain payroll data, access financial systems, achieve persistent access). Appropriate for larger organisations with mature security programmes.


The Testing Methodology

A professional penetration test follows a structured methodology:

1. Scope Definition: What systems are in scope (specific IP ranges, application URLs, user roles to test), what is explicitly out of scope (production databases to avoid service disruption, third-party systems you don't own), testing windows (to avoid confusing pen test traffic with real incidents), and authorisation documentation (written permission to conduct testing).

2. Reconnaissance: Passive information gathering: what is publicly visible about your organisation that an attacker would research? Domain registrations, employee profiles on LinkedIn, job postings that reveal your technology stack, certificate transparency logs, and public-facing infrastructure enumeration.

3. Scanning and Enumeration: Active identification of open ports, running services, software versions, and potential entry points.

4. Vulnerability Identification: Matching discovered services and configurations against known vulnerability databases, testing for common misconfigurations, identifying authentication weaknesses.

5. Exploitation: Attempting to exploit identified vulnerabilities to confirm they are actually exploitable (not merely theoretically present). Professional penetration testers distinguish between a vulnerability being present and a vulnerability being exploitable in your specific context; the former inflates findings, the latter gives an accurate picture of risk.

6. Post-Exploitation: Once initial access is gained, assessing what an attacker could do from that position: data access, lateral movement to other systems, privilege escalation.

7. Reporting: Documented findings with severity ratings, evidence (screenshots, command outputs), business impact context, and specific remediation recommendations.
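The testing-window point in step 1 has a defender-side counterpart: while the engagement runs, your monitoring team needs a rule that tells authorised test traffic apart from a real incident, and that also flags a tester straying outside the agreed window or scope. The following Python is an added example, not code from this article or from Ekfix; the tester source addresses, in-scope networks, window and log lines are all constructed placeholders standing in for the values in your signed scope document.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed scope values standing in for the signed scope document.
SCOPE = {
    "tester_sources": ["203.0.113.10", "203.0.113.11"],  # vendor's declared egress IPs
    "in_scope": ["10.20.0.0/16", "198.51.100.0/24"],       # networks the vendor may test
    "window_start": "2026-03-02T18:00:00Z",                # agreed testing window (UTC)
    "window_end": "2026-03-06T06:00:00Z",
}

# Constructed log lines in a simple key=value shape (not a real product format).
SAMPLE_LOGS = [
    "2026-03-03T02:15:04Z src=203.0.113.10 dst=10.20.5.7 action=portscan",       # tester, in window, in scope
    "2026-03-03T02:16:40Z src=203.0.113.10 dst=10.99.1.4 action=login-failure",  # tester hit an out-of-scope host
    "2026-03-01T23:10:00Z src=203.0.113.11 dst=10.20.5.7 action=portscan",       # tester before the window opened
    "2026-03-03T02:20:11Z src=192.0.2.77 dst=10.20.5.7 action=portscan",         # unknown source: a real alert
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


def parse_ts(value):
    """Parse the UTC timestamps used above into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class TestWindow:
    """Classifies a log event against the authorised sources, targets and window."""

    def __init__(self, scope):
        self.sources = {ip_address(s) for s in scope["tester_sources"]}
        self.targets = [ip_network(n) for n in scope["in_scope"]]
        self.start = parse_ts(scope["window_start"])
        self.end = parse_ts(scope["window_end"])

    def classify(self, line):
        m = LOG_LINE.match(line)
        if m is None:
            return "unparsed"
        # Anything not from a declared tester address is handled as a normal alert.
        if ip_address(m["src"]) not in self.sources:
            return "investigate"
        # A declared tester acting outside the window or scope is a contract issue
        # to raise with the vendor, not something to silently suppress.
        if not self.start <= parse_ts(m["ts"]) <= self.end:
            return "tester-outside-window"
        dst = ip_address(m["dst"])
        if not any(dst in net for net in self.targets):
            return "tester-outside-scope"
        return "authorised-test"


def summarise(lines, scope=SCOPE):
    """Label each line and count the labels; returns (labelled_lines, counts)."""
    window = TestWindow(scope)
    labelled = [(window.classify(line), line) for line in lines]
    return labelled, Counter(label for label, _ in labelled)


if __name__ == "__main__":
    labelled, counts = summarise(SAMPLE_LOGS)
    for label, line in labelled:
        print(f"{label:22} {line}")
    print(dict(counts))
```

Events labelled investigate get normal incident handling. The two tester-outside labels are raised with the vendor the same day, because either one means the authorisation letter no longer covers what is happening on your network.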


What You Should Receive

A professional pen test deliverable includes:

Executive Summary: A non-technical summary of the overall security posture, critical findings, and priority recommendations. This is the section the CEO and Board read.

Technical Report: Detailed findings for each vulnerability, including:

  • Vulnerability name and CVE reference where applicable
  • Severity rating (Critical/High/Medium/Low/Informational) using a standard methodology (CVSS is common)
  • Description of the vulnerability
  • Evidence of exploitation (proof-of-concept commands or screenshots demonstrating the vulnerability is real and exploitable)
  • Business impact: what an attacker could do with this vulnerability in your context
  • Remediation recommendation: specific technical steps to fix the issue
  • References: external documentation on the vulnerability and remediation

Risk Register: A consolidated list of findings, suitable for tracking remediation progress


Nigerian Market Pricing

Penetration testing pricing in Nigeria reflects the scarcity of qualified practitioners and the cost of maintaining the certifications (OSCP, CREST, CHECK) that signify credible expertise.

Web Application Pen Test: ₦500,000–₦2,500,000 for a standard application. Complexity factors: number of user roles tested, number of API endpoints, authentication complexity, integration complexity.

Network Pen Test: ₦800,000–₦4,000,000 depending on the number of in-scope hosts and subnets (a single /24 or larger) and internal network complexity.

Phishing Campaign: ₦400,000–₦1,200,000. Varies with campaign duration and customisation level.

Full Assessment (Web + Network + Phishing): ₦2,500,000–₦8,000,000 for a mid-size Nigerian business covering all major attack surfaces.

Prices below these ranges warrant scrutiny. Credible penetration testing is time-intensive skilled work; unusually cheap engagements typically reflect automated scanning passed off as manual pen testing, or junior practitioners working without proper methodology.


Red Flags When Evaluating Vendors

No scope definition process: A firm that quotes without understanding your environment cannot have priced the work accurately. Expect a scoping questionnaire or call before receiving a proposal.

Automated scan reports as deliverables: Vulnerability scanner output (from tools like Nessus or Qualys) is not a penetration test. It is a list of potential vulnerabilities without confirmation of exploitability, without contextual severity assessment, and without post-exploitation analysis. Some firms pass scanner output as penetration test reports. Ask to see a sample report from a comparable engagement.

No certification evidence: Ask for practitioner certifications. OSCP (Offensive Security Certified Professional)³ is the most respected practical certification for penetration testing; CREST⁵ is a UK-origin quality mark with international recognition. CHECK⁴ is specifically an NCSC (UK National Cyber Security Centre) scheme for assessing UK government systems and is not widely recognised outside the UK context. CEH (Certified Ethical Hacker)² is a technical knowledge certification but does not certify hands-on exploitation capability the way OSCP does. CISSP and CISM are management-oriented qualifications focused on security programme governance rather than penetration testing.

No retesting included: A quality pen test engagement includes a retest after remediation: a follow-up assessment confirming that the reported vulnerabilities have been fixed. If this is not offered, you have no confirmation that your remediation worked.


Using the Report Constructively

The pen test report is an investment that only generates ROI if you act on it. Many Nigerian companies commission pen tests for compliance reasons and then discover the report produces no action because no one is assigned to remediate findings.

Structure the remediation process:

  1. Triage: Sort findings by severity. Critical and High findings are acted on immediately. Medium findings are scheduled. Low and Informational findings are reviewed in the next planning cycle.

  2. Assign ownership: Each finding should have a named owner responsible for remediation and a target date.

  3. Track progress: Use the risk register as a live document. Update status as items are remediated.

  4. Retest: Request retest of Critical and High findings, at minimum, after remediation.

  5. Next assessment: Plan the next pen test. Annual assessments are the standard for most business applications; quarterly for high-value or high-risk systems.
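The Technical Report and Risk Register described under "What You Should Receive", and the triage, ownership, tracking and retest steps above, can all be driven from one structured list of findings. The following Python is an added example, not the article's or any vendor's tooling: it maps CVSS v3.x base scores to the severity bands the article lists (the CVSS "None" band at 0.0 is shown as Informational), applies the triage policy from step 1, keeps the register as a live document for step 3, and derives the retest queue for step 4. The findings, owners, remediation SLAs (7/30/90 days) and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# CVSS v3.x qualitative severity bands (lower bound of each band, checked top-down).
# The CVSS "None" band (score 0.0) is shown as the article's "Informational".
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "Informational"),
]

# Triage policy from the article, with constructed remediation SLAs in days.
TRIAGE = {
    "Critical": ("immediate", 7),
    "High": ("immediate", 7),
    "Medium": ("scheduled", 30),
    "Low": ("next-cycle", 90),
    "Informational": ("next-cycle", 90),
}


@dataclass
class Finding:
    ident: str
    title: str
    cvss: float
    owner: str                  # named person or team responsible for the fix
    status: str = "open"        # open | remediated | verified (verified = passed retest)
    cve: Optional[str] = None   # CVE reference where one applies


# Constructed findings; titles, scores and owners are illustrative only.
REPORT_DATE = date(2026, 2, 2)
SAMPLE_FINDINGS = [
    Finding("F-03", "TLS 1.0 still enabled on customer portal", 5.3, "Infra team"),
    Finding("F-01", "SQL injection in invoice search", 9.8, "App team", status="remediated"),
    Finding("F-05", "Internal hostnames disclosed in error page", 0.0, "App team"),
    Finding("F-02", "Order records readable by changing the id in the URL", 8.1, "App team"),
    Finding("F-04", "Server version string in HTTP response headers", 3.1, "Infra team"),
]


def severity(cvss):
    """Map a CVSS v3.x base score to a qualitative band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    for lower_bound, label in SEVERITY_BANDS:
        if cvss >= lower_bound:
            return label
    return "Informational"  # unreachable given the 0.0 band, kept for clarity


def build_register(findings, report_date):
    """Turn report findings into a risk register sorted for triage."""
    rows = []
    for f in findings:
        band = severity(f.cvss)
        action, sla_days = TRIAGE[band]
        rows.append({
            "id": f.ident,
            "title": f.title,
            "cve": f.cve,
            "cvss": f.cvss,
            "severity": band,
            "action": action,
            "owner": f.owner,
            "status": f.status,
            "target": report_date + timedelta(days=sla_days),
        })
    rows.sort(key=lambda r: (-r["cvss"], r["id"]))
    return rows


def retest_queue(register):
    """Critical/High findings marked remediated but not yet verified by retest."""
    return [r["id"] for r in register
            if r["severity"] in ("Critical", "High") and r["status"] == "remediated"]


def overdue(register, today):
    """Open findings whose target date has passed; today may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [r["id"] for r in register if r["status"] == "open" and today > r["target"]]


if __name__ == "__main__":
    register = build_register(SAMPLE_FINDINGS, REPORT_DATE)
    for r in register:
        print(f'{r["id"]} {r["severity"]:13} {r["action"]:10} {r["owner"]:10} due {r["target"]} {r["status"]}')
    print("retest queue:", retest_queue(register))
    print("overdue on 2026-02-20:", overdue(register, "2026-02-20"))
```

The register is the document that should be updated as owners close items: a finding moves from open to remediated when the owner says it is fixed, and to verified only after the vendor's retest confirms it. Running overdue against today's date at each review meeting is what turns the report into action rather than a compliance artefact.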

Penetration testing is not a one-time compliance checkbox. The security landscape changes with every new vulnerability disclosure, every new deployment to your application, and every change to your infrastructure. A point-in-time test is valuable; a regular testing programme that tracks your security posture over time is more so.


The Business Case

For a Nigerian company processing transactions, holding customer data, or operating systems whose compromise would cause direct financial loss or regulatory penalty, the business case for regular pen testing is straightforward:

  • Cost of a web application pen test: ₦800,000–₦1,500,000 annually
  • Cost of a data breach for a regulated institution: ₦10M NDPR fine minimum + remediation + reputational cost
  • Cost of a business email compromise incident (covered in the prior article in this series): ₦1.5M–₦25M median loss

The probability-weighted value of avoided incidents from a vulnerability found and fixed during pen testing substantially exceeds the cost of the assessment, for any business operating at meaningful scale. The question is not whether to do it; it is finding a vendor capable of doing it well.



Sources

  1. OWASP (Open Web Application Security Project), owasp.org
  2. EC-Council, CEH certification, eccouncil.org
  3. Offensive Security, OSCP certification, offsec.com
  4. NCSC CHECK scheme (UK), ncsc.gov.uk
  5. CREST certification, crest-approved.org