Your board, funders, and insurers expect you to know where your vulnerabilities are. A penetration test gives you that answer — and a clear, plain-language report you can share with confidence.
Penetration Testing for Ontario Nonprofits & Community Health Centres
Nonprofits and CHCs are being asked to prove their security posture — often for the first time
For most of the Ontario community health centres and nonprofits we work with, penetration testing used to be optional. That’s changed. Cyber insurance renewals now ask whether you’ve had one. Funders want documentation that grants aren’t flowing into an environment with open doors. Boards want a straight answer on where the real risk lives before the next audit.
The problem is that most penetration testing services are priced and written for enterprise IT teams. The reports come back in a language your board can’t read. The scope assumes staff and tools you don’t have. And the “findings” bury the two or three things that actually matter.
You need a test that’s right-sized for your environment, a report you can actually hand to your board, and a partner who can walk your team through what to fix first.

What you get with a Lai and Associates Penetration Test
A clear picture of where you’re actually exposed
Automated discovery backed by manual validation, so you know which risks are real and which are noise.
A plain-language findings report, a one-page executive summary, and documentation aligned to PHIPA and funder expectations.
A remediation plan you can act on
A guided walkthrough of the results with your team and a prioritized roadmap — not a 60-page PDF you have to interpret alone.

Everything you need, built for nonprofits
Every engagement includes the same core scope. Nothing upsold, nothing hidden.
- External penetration test of 1–10 public-facing IPs
- Public website and standard internet-facing services
- Automated discovery paired with manual validation
- Plain-language findings report
- Executive summary for your board or funders
- Guided walkthrough of results with your team
- Prioritized remediation roadmap
- PHIPA- and compliance-aligned documentation
Included at no cost: Microsoft Base Phishing Simulation
For CHCs and nonprofits in Canada, we include a Microsoft-native phishing simulation with every engagement. You’ll see how your team would respond to a realistic phishing attempt — without adding a new tool or subscription.
How It Works
1. Book a call with our team
A 15-minute consultation to confirm scope, timeline, and whether a penetration test is actually the right next step for you.
2. We begin testing
Non-disruptive testing over 2–3 weeks, scheduled around your operations. No downtime, no surprises, no calls from your staff asking what’s going on.
3. You’re protected
You receive your report, a guided walkthrough, and a prioritized remediation plan — with documentation ready for your board, funders, or insurer.
DISCOUNTED PRICING
Nonprofit and CHC pricing
Starting at $4,550 CAD
Covers the full penetration test, phishing simulation, executive report, and guided walkthrough. Specifically, it includes:
- External penetration test (1–10 public-facing IPs)
- Manual validation of automated findings
- Plain-language findings report + board-ready executive summary
- Guided walkthrough with your team
- Prioritized remediation roadmap
- PHIPA- and compliance-aligned documentation
- Microsoft Base Phishing Simulation — free for Canadian CHCs and nonprofits
Scope expands on request — internal network testing, larger IP ranges, web application testing, and retesting are available as add-ons. We’ll confirm pricing during your consultation.
Why Lai and Associates
We’ve worked with Ontario’s community health centres and nonprofits for over a decade. We know your environment, your compliance requirements, and your budget reality.
Trusted by community health centres across Ontario
Built for your sector
We work with nonprofits, CHCs, and healthcare organizations every day. This isn’t an enterprise service being sold down-market — it’s designed for your staffing, tooling, and reporting reality.
Zero disruption
Testing is scheduled around your operations. No downtime, no surprises, no panicked calls from clinic staff.
Compliance-ready
Every report is aligned to PHIPA, funder requirements, and the board-level reporting your ED needs to present.
Microsoft Solutions Partner Designations: Modern Work | Security
Certified expertise across the Microsoft ecosystem your team already runs on — from Entra and Defender to Microsoft 365 configuration reviews.

Frequently Asked Questions
What's the difference between a vulnerability scan and a penetration test?
A vulnerability scan is automated — it produces a list of possible issues, many of which turn out to be noise. A penetration test adds manual validation by a security professional who confirms which findings are real, ranks them by risk, and documents how they could actually be exploited. Boards and insurers increasingly expect the latter.
Will testing disrupt our clinic, operations, or website?
No. Our external testing is non-disruptive by design. We schedule around your operations, stay within agreed-upon scope, and keep your IT contact in the loop throughout. You won’t see downtime and your staff won’t notice testing is happening.
Who is the report written for?
Two audiences: your technical team and your leadership team. You get a detailed findings report your IT staff or MSP can act on, plus a one-page executive summary written in plain language for your board, funders, or insurer.
Does your report align with PHIPA?
Yes. Our findings and documentation are structured to support PHIPA obligations, funder reporting, and insurance renewal questionnaires. If your funder or insurer has a specific format they need, let us know during the consultation and we’ll align the deliverable.
How long does the full engagement take?
Two to three weeks from kickoff to final walkthrough, scheduled around your calendar. The consultation itself is 15 minutes.
We've had a penetration test before. Do we need another one?
Most funders, insurers, and cybersecurity frameworks recommend annual testing — or after any significant change to your environment (new systems, office moves, major staff transitions). If you’ve had one recently, we can scope a lighter re-test focused on what’s changed.
Ready to know where you stand?
A 15-minute consultation is the fastest way to find out how a penetration test can help the security posture of your organization.