ERA SECURITY SERVICES

Ethical Hacking & Free Penetration Testing for Canadian Organizations

Leverage ERA’s expert security team and enterprise lab infrastructure to help your organization meet ISO 27001, SOC 2, and Cyber Insurance readiness standards — at no cost.

Why ERA Offers This Program

For more than 15 years the Electronic Recycling Association has made secure data handling a cornerstone of its mission. Our data-destruction, hard-drive shredding, and IT asset disposition services have given us a deep bench of security talent — and an inventory of enterprise servers, switches, and network equipment we can dedicate to a secure testing lab.

Our free Ethical Hacking & Penetration Testing program puts that talent and infrastructure to work for Canadian businesses and non-profits that are preparing for ISO 27001, SOC 2 Type II, or a cyber insurance renewal but may not have the budget for a full commercial engagement. Engagements are led by Arturo and ERA’s certified security engineers.

What’s Included in the Free Penetration Test

A full engagement, not just a scan. Here’s what your organization receives:

External Network Pen Test

Authorized testing of internet-facing systems you own or control.

Web App Security Testing

Manual testing aligned to the OWASP Top 10.

Vulnerability Assessment

Authenticated and unauthenticated scanning with risk prioritization.

Executive Summary Report

Board-ready findings written for non-technical leadership.

Technical Findings

Mapped to ISO 27001 Annex A controls and SOC 2 Trust Services Criteria.

Remediation & Free Retest

Guidance your IT team can act on, plus one complimentary retest.

How the Engagement Works

A clear six-step process from first call to retest:

  1. Scoping call. We meet with your team to understand the systems in scope and your compliance goal (ISO 27001, SOC 2, cyber insurance).
  2. Written authorization. Before any testing begins we sign a Scope of Work, Rules of Engagement, and Authorization Letter. No testing is ever performed without your written permission.
  3. Testing window. Our team executes the engagement from ERA’s dedicated security lab — isolated servers built specifically for authorized testing.
  4. Reporting. You receive an executive report and a technical findings document, typically within two weeks of test completion.
  5. Debrief. We walk your IT and leadership teams through the findings and prioritize remediation.
  6. Retest. Once critical findings are remediated, we re-verify the fixes at no additional cost.

Who Qualifies

  • Canadian-registered businesses, non-profits, and charitable organizations
  • Organizations actively pursuing ISO 27001, SOC 2 Type I or II, or a cyber insurance application/renewal
  • Organizations able to provide written authorization for the systems in scope
  • Priority is given to charitable and mission-driven organizations

Community & Industry Involvement

Beyond client engagements, ERA’s security team is active in the Canadian security community. We host periodic hackathons, attend local 2600 meetings, and collaborate with Canadian internet infrastructure stakeholders on coordinated security research — always within authorized disclosure frameworks.

Frequently Asked Questions

What is ethical hacking?

Ethical hacking, also called penetration testing or authorized security testing, is the practice of simulating real-world attacks against systems with the explicit written permission of their owner. The goal is to find and fix vulnerabilities before a malicious actor exploits them.

How is this different from a vulnerability scan?

A vulnerability scan is automated and produces a long list of potential issues. A penetration test is performed by a human expert who validates which findings are truly exploitable in your environment, chains them together, and demonstrates real business impact — the level of evidence auditors and insurers want to see.

Do we really need to provide written authorization?

Yes, always. Penetration testing without written authorization violates section 342.1 of the Canadian Criminal Code. Our Rules of Engagement and signed Authorization Letter protect both your organization and ours.

How do you protect our data during testing?

All engagement data is handled under NDA and stored on encrypted, isolated systems within ERA’s testing lab. ERA is ISO/IEC 27001 certified for information security management — the same standard we help you achieve.

How long does a typical engagement take?

Most external engagements run one to two weeks of active testing, followed by one to two weeks of report writing and debrief. Complex environments can run longer; we’ll scope it with you.

Is this really free?

Yes. We offset the cost through the value of the lab and talent ERA already has in-house, and through our non-profit mission of supporting Canadian organizations. Engagements are allocated based on availability and mission fit; larger or highly complex environments may be offered at a subsidized rate.

What happens after the test?

You receive your reports and a live debrief with our team. We’ll walk you through remediation priorities, answer questions from your auditor or insurance broker, and schedule a complimentary retest once critical findings are fixed.

Ready to Scope Your Free Penetration Test?

Contact ERA’s security team for a no-obligation scoping call. We’ll review your compliance goals, confirm eligibility, and outline next steps.