Know Where You Are Actually Vulnerable Before an Attacker Finds Out First
External pen test, internal pen test, web app test, or social engineering. Fixed scope, fixed price, written report you can hand to insurers and the board. Plus a remediation plan you can actually execute.
Most businesses that have never had a professional security assessment believe they are reasonably secure. Most are surprised by what a penetration test finds. The vulnerabilities that matter are rarely the obvious ones: they are the forgotten internet-facing service, the domain configuration that lets a standard user account escalate to domain admin, or the web application that validates input in the browser but not on the server.
North Star, based in Prince George, BC, delivers security assessments and penetration tests for businesses across British Columbia, Alberta, and Yukon. Fixed scope, fixed price, written report you can hand to your cyber insurer or board. And a remediation plan you can actually execute.
What Is Included
Every assessment is scoped in writing before work begins. Out-of-scope items are documented. Test windows are agreed. Critical findings are reported immediately, not held until the final report.
External Penetration Test
What an attacker sees from the public internet. Open ports, internet-facing services, web application entry points, externally exposed credentials, and misconfigured DNS or cloud storage. Most clients are surprised by what is visible without any insider access.
Internal Penetration Test
What happens once an attacker is inside your perimeter, via phishing, compromised credentials, or physical access. Lateral movement paths, privilege escalation routes, domain compromise chains, and access to sensitive data from a standard user starting point.
Web Application Testing
OWASP-aligned testing of custom and third-party web applications. Authentication flaws, broken access controls, insecure direct object references, injection vulnerabilities, session management issues, and business logic abuse. Suitable for applications handling customer data, financial transactions, or personal information.
Social Engineering / Phishing Simulation
Targeted phishing campaigns against your real users to test susceptibility. Reported with click rates, awareness scores by department, and recommended training topics. Often combined with a technical assessment.
How It Works
Step 1, Scoping
Statement of work produced with precise scope boundaries, out-of-scope items, test windows, rules of engagement, and emergency contacts. No ambiguity about what is being tested.
Step 2, Test
Active testing with daily status updates. Critical findings, those that require immediate action, are reported to you in real time, not at the end of the engagement.
Step 3, Report
Executive summary with business-context risk narrative. Technical detail with screenshots, evidence, and reproduction steps. Prioritised remediation plan with risk ratings. Written for two audiences: executives who need to understand business risk, and technical staff who need to fix specific findings.
Step 4, Remediate (Optional)
After you address the high and critical findings, an optional retest verifies the fixes are effective. Verified retest report suitable for cyber insurance underwriters and internal audit.
Who This Is For
- BC, Alberta, or Yukon businesses required to demonstrate security testing for cyber insurance renewal or a contractual requirement from a client or regulator
- Organisations that have never had a professional security assessment and want to know where they actually stand
- Businesses about to launch a new public-facing application or move a workload to the internet
- Companies that have recently experienced an incident and need to understand what was accessed and what needs to be fixed
What buyers ask before they sign
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is automated: a tool runs against your network and produces a list of known vulnerabilities. A penetration test involves a skilled tester who uses those findings as starting points, chains vulnerabilities together, attempts to escalate privileges, and documents what an actual attacker could achieve. Penetration tests are far more valuable for understanding real business risk.
Will the test disrupt our operations?
External tests are designed to be non-disruptive. Internal tests can be more invasive, so we agree on test windows and scope boundaries specifically to avoid disrupting critical systems. Any activity that carries disruption risk is flagged and agreed before it is attempted.
What does a typical report look like?
The report includes an executive summary with a risk rating and key findings, technical findings with screenshots and reproduction steps, a risk rating for each finding (critical / high / medium / low), and a remediation roadmap prioritised by risk. The report is formatted for both executive and technical audiences.
Can we show the report to our cyber insurer?
Yes. Reports are written with insurers in mind. The executive summary provides the risk context insurers look for. Optional retest reports include verification evidence.
Do you offer ongoing security testing?
Yes. Annual penetration testing retainers are available, covering external, internal, and web application testing on a scheduled annual basis with priority booking and reduced rates.
How is pricing structured?
Fixed-scope, fixed-price project engagements. Price is based on scope: number of IP ranges or hosts for external/internal tests, number of applications for web app tests. Scoped during the statement of work phase.
Why North Star
North Star is a Prince George-based cybersecurity provider serving businesses across Northern BC, the rest of British Columbia, Alberta, and Yukon. Our assessments are fixed-scope and fixed-price: no scope creep, no billing surprises. Reports are written to be useful: the remediation plan reflects your actual environment, not a generic template. And we offer follow-on remediation support so findings do not sit in a report collecting dust.
Get a quote on assessments & pen testing.
Tell us a bit about your environment and we'll come back with a scoped proposal in two business days. No obligation, no pressure.
A test that shows you where you are actually vulnerable, not just where you think you are.
A cybersecurity assessment is a structured review of your defences: your network perimeter, your endpoint protection, your identity controls, your patch levels, and your staff awareness. A penetration test goes a step further: a tester actively tries to exploit what the assessment finds, using the same techniques an attacker would use, to determine whether a theoretical vulnerability is actually exploitable in your environment. The output of both is a written report you can act on, not a dashboard that shows green and red lights without explaining what they mean.
For a Kamloops accounting firm with 20 staff and a Microsoft 365 tenant, a baseline assessment might reveal that legacy authentication is still enabled (legacy protocols such as IMAP, POP and SMTP basic auth cannot enforce MFA, so a successful password spray gives full mailbox access), that three admin accounts have no MFA, and that the firewall firmware is two years out of date. Those findings are not exotic. They are the exact conditions that show up in most BC and AB SMBs we assess. The value is that you know about them before an attacker does, and you have a prioritized remediation plan rather than a vague sense of concern about cybersecurity.
Assessment and pen test deliverables.
- External network penetration test: active testing of your public-facing systems from the perspective of an outside attacker. Covers exposed ports, web applications, and public IP ranges.
- Internal penetration test: testing from inside your network, simulating a compromised workstation or an insider threat. Covers lateral movement, privilege escalation, and domain controller access.
- Web application penetration test: OWASP Top 10 testing of custom web applications or client portals. Authentication bypass, injection, IDOR, and session handling.
- Microsoft 365 security assessment: review of your Entra ID (Azure AD) configuration, Conditional Access policies, admin privilege hygiene, legacy authentication, and Secure Score baseline.
- Social engineering test: targeted phishing campaign against your staff to measure click rate and credential submission rate. Separate from ongoing training campaigns.
- Written report: executive summary (non-technical), technical findings with severity ratings, proof-of-concept evidence, and a prioritized remediation list with estimated effort.
- Remediation plan: step-by-step guidance on fixing every finding, with references to the specific configuration changes or patches required.
- Attestation letter: a signed letter confirming testing was performed, suitable for cyber insurance questionnaires and audit evidence packages.
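An added example, written for this page rather than taken from North Star's tooling, of the opening checks a tester runs for the Microsoft 365 items above: the legacy authentication and admin MFA findings in the Kamloops paragraph, and the Entra ID, Conditional Access, admin hygiene and Secure Score items in the assessment bullet. It assumes the Microsoft Graph PowerShell SDK, a read-only role such as Global Reader, and the licences noted in the comments; the tenant, policy names and users it reports on are whatever it is pointed at.

```powershell
# Added example, not North Star's tooling. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and a read-only role such as Global Reader.
# Sign-in logs need an Entra ID P1/P2 licence; Secure Score needs a Defender plan.
$scopes = @(
    'Policy.Read.All'                    # Conditional Access, Security Defaults
    'AuditLog.Read.All'                  # sign-in logs, registration report
    'UserAuthenticationMethod.Read.All'  # registration report
    'SecurityEvents.Read.All'            # Secure Score
)
Connect-MgGraph -Scopes $scopes -NoWelcome

$caPolicies = Get-MgIdentityConditionalAccessPolicy -All

# 1. Legacy (basic) authentication. IMAP/POP/SMTP/ActiveSync basic auth cannot prompt
#    for MFA, so a successful password spray yields a working mailbox session. It is
#    blocked tenant-wide by Security Defaults, or by an enabled CA policy that blocks
#    the 'exchangeActiveSync' and 'other' client app types.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$legacyBlock = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}
if ($securityDefaults.IsEnabled) {
    'Legacy auth: blocked by Security Defaults'
} elseif ($legacyBlock) {
    # A policy scoped to one group, or with broad exclusions, still leaves gaps;
    # review the include/exclude lists rather than trusting the policy name.
    $legacyBlock | ForEach-Object {
        "Legacy auth: blocked by CA policy '$($_.DisplayName)' " +
        "(includes: $($_.Conditions.Users.IncludeUsers -join ','); " +
        "excludes: $($_.Conditions.Users.ExcludeUsers -join ','))"
    }
} else {
    'FINDING: legacy authentication is not blocked (password spray bypasses MFA)'
}

# 2. Is anything still using legacy protocols? Policy says one thing; the sign-in
#    logs say what actually happened. Seven days is plenty for a 20-seat tenant;
#    narrow the window for larger ones.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('o')
$modern = 'Browser', 'Mobile Apps and Desktop clients'
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Privileged accounts with no MFA method registered. Registration is not
#    enforcement: an admin can have Authenticator set up and never be challenged if
#    no policy requires it, so the enforcing CA policy is checked as well.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered } |
    ForEach-Object { "FINDING: admin without MFA registered: $($_.UserPrincipalName)" }

$adminMfa = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeRoles.Count -gt 0
}
if (-not $securityDefaults.IsEnabled -and -not $adminMfa) {
    'FINDING: no enabled CA policy requires MFA for directory roles'
}

# 4. Secure Score baseline to record in the report; the most recent entry is first.
$score = Get-MgSecuritySecureScore -Top 1
"Secure Score: $($score.CurrentScore) / $($score.MaxScore)"
```

The three checks are deliberately separate: a Conditional Access policy that blocks legacy auth, recent sign-ins that still used it, and admins with nothing but a password registered are three different findings with three different fixes, and a report that collapses them into "MFA is not configured" leaves the client unable to verify which one they have actually closed at retest.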
Businesses that need to know where they stand before something happens.
A cybersecurity assessment is appropriate for any business that has not had one in the last two years, is applying for or renewing cyber insurance, is onboarding a new enterprise client that requires proof of security controls, or is about to undergo a significant IT change (cloud migration, new ERP, new office). In BC and Alberta, cyber insurance carriers increasingly require evidence of annual penetration testing or at least a security assessment as part of their underwriting process.
Businesses in professional services, legal, accounting, and engineering handle sensitive client data under PIPEDA, BC PIPA, and AB PIPA. Those regulations require reasonable security safeguards. A security assessment provides both the gap analysis and the documented evidence that you are taking security seriously. It is also useful as a baseline before engaging managed security services, so you know what you are starting from.
For construction companies pursuing COR certification or oilfield services companies working on SAFE-certified sites, IT security is increasingly part of the overall safety and operational framework that enterprise clients require before awarding contracts. A pen test report and a remediation plan give you something concrete to present when a client's procurement team asks about your cybersecurity posture.
Fixed-scope, fixed-price project engagements.
Security assessments and penetration tests are scoped and priced per engagement, not on a monthly retainer. The price depends on the scope: number of external IP addresses, number of internal systems, whether web application testing is included, and whether social engineering is in scope. North Star provides a fixed-price proposal after a brief scoping call, so you know the cost before work begins. Remediation support following the test can be scoped as a separate engagement or absorbed into a managed services plan.
What clients ask before starting.
How is a penetration test different from a vulnerability scan?
A vulnerability scan is automated: a tool checks your systems against a database of known vulnerabilities and flags anything that matches. A penetration test uses a human tester who actively tries to exploit those vulnerabilities and chains them together the way an attacker would. A scan might flag a vulnerability as high severity; a pen tester will tell you whether it is actually exploitable in your specific environment and what the realistic impact of exploitation is. Pen tests produce findings that are confirmed exploitable, not just theoretically possible.
Will the test break anything?
We scope and stage tests to minimize operational impact. External tests run against production systems with care taken to avoid denial-of-service conditions. Internal tests are typically run during business hours with your IT team notified and monitoring. We document every test action with timestamps so that if something unusual happens in your environment, you can correlate it to our activity. Critical production systems can be excluded from active exploitation if agreed during scoping. We have not caused a production outage during a test.
How long does a test take?
A typical external penetration test takes two to three business days of active testing, followed by one to two weeks of report writing and review. Internal testing adds another one to two days. Web application testing depends on the complexity of the application. The full cycle from scoping call to final report delivery is typically three to five weeks. Rush timelines are possible if you have an insurance deadline; contact us to discuss.
Can I use the report for my cyber insurance application?
Yes. The report includes an attestation letter confirming the test was performed, the scope, the tester, and the date. Most Canadian cyber insurance carriers accept this as evidence of penetration testing. If your insurer has a specific required format or methodology (such as CREST-certified testing), let us know during scoping and we will confirm whether our methodology satisfies the requirement.
Fixed scope, plain-language report, actionable remediation.
North Star delivers security assessments and penetration tests with a fixed price, a written report in plain language, and a remediation plan you can actually execute. We are based in Prince George, BC, covering BC, Alberta, and the Yukon, and we understand the specific regulatory context of Canadian businesses: BC PIPA, AB PIPA, PIPEDA, and the insurance and compliance requirements that Canadian carriers impose. We use AI-assisted tooling to accelerate the reconnaissance and vulnerability identification phases, but every finding is reviewed and confirmed by a human tester before it appears in the report. We do not generate automated scan output and call it a penetration test.
Frequently asked questions
What is included in a cybersecurity assessment for a Vancouver, BC business?
Our comprehensive assessment includes a deep dive into your external and internal network security, cloud environment configurations (like Microsoft 365), and existing security policies. We perform vulnerability scanning to identify weak points, review administrative access controls, and evaluate your employee security awareness. The goal is to provide a complete picture of your digital risk profile within the British Columbia business landscape.
How long does a professional security assessment take to complete?
The duration of an assessment typically ranges from one to four weeks depending on the complexity of your IT infrastructure and the number of employees. We begin with an initial discovery phase, followed by technical testing and data analysis. Finally, we present a detailed report outlining our findings and a prioritised list of remediation steps to strengthen your defences against cyber threats.
Will an assessment disrupt my daily business operations?
We design our assessments to be as non-intrusive as possible. Most technical scanning and data collection activities are performed passively or during off-peak hours to ensure zero to minimal impact on your team's productivity. Our consultants work closely with your internal staff to coordinate any necessary testing, ensuring that your Vancouver business remains fully operational throughout the entire evaluation process.
How often should my company conduct a security audit?
We recommend that SMBs and mid-market firms in BC undergo a full cybersecurity assessment at least once per year. However, more frequent audits may be necessary if you have undergone significant infrastructure changes, migrated to new cloud services, or if your industry faces specific regulatory compliance requirements. Regular testing ensures that new vulnerabilities are caught early as the global threat landscape continues to shift.
What happens after the assessment is finished?
Once the assessment is complete, North Star provides a comprehensive report and a debriefing session. We explain the identified risks in plain English, categorising them by severity. From there, we can help you implement a remediation plan, which may include upgrading your networking equipment, deploying EDR solutions, or conducting security awareness training. We offer ongoing managed services to maintain these high security standards long term.