How Much Does a Penetration Test Cost? A Realistic Pricing Guide
Penetration testing pricing demystified — typical costs by test type, what drives price differences, and how to budget for security assessments that actually matter.
Why Pentest Pricing Is Opaque
Ask three penetration testing companies what they charge and you will get three wildly different answers -- not because the market is irrational, but because penetration testing is not a commodity. The scope, depth, methodology, and expertise involved vary enormously between providers and between engagements. A web application pentest can legitimately cost anywhere from $4,000 to $40,000 depending on the application's complexity, the provider's methodology, and the depth of testing required.
This price range frustrates buyers who are used to straightforward SaaS pricing. But the variance is real and justified. Understanding what drives it helps you set a realistic budget, avoid overpaying for automated scan output, and avoid underpaying for work that requires genuine expertise.
Pricing Models
Penetration testing providers typically offer one of three pricing structures. Each has implications for how the engagement is managed and what you ultimately receive.
Fixed-Price Engagements
The provider assesses your scope and quotes a flat fee for the entire engagement. This is the most common model and works well when the scope is clearly defined and unlikely to change. You know exactly what you will pay, and the provider commits to a defined deliverable.
In a fixed-price engagement the risk sits with the provider -- if the engagement takes longer than estimated, they absorb the cost. In practice, this means some providers pad their estimates significantly, while others cut testing short if they run over budget. A provider that conducts thorough scoping before quoting is less likely to encounter either problem.
Time-and-Materials
You pay for the actual hours spent testing, typically at a daily or hourly rate. Senior penetration testers in the US market typically bill between $200 and $400 per hour, or $1,500 to $3,000 per day. European and UK rates are comparable in local currency, while providers based in other regions may charge less.
Time-and-materials works well for engagements with uncertain scope -- internal network tests where the extent of the environment is unknown, or red team engagements where the testing depth adapts based on what is discovered. The risk shifts to the buyer: you may pay more than expected if the environment is more complex than anticipated.
Retainer / PTaaS
A monthly or annual retainer provides ongoing access to testing services. This model ranges from a fixed number of testing days per month to continuous platform-based testing. Monthly retainers for small to mid-size organizations typically range from $3,000 to $15,000, with enterprise retainers significantly higher.
The retainer model suits organizations with continuous deployment pipelines that need ongoing security validation, compliance requirements for regular testing (PCI DSS quarterly scans, for example), and teams that want to integrate security testing into their development lifecycle rather than treating it as an annual event.
What Drives the Cost
Seven factors account for most of the price variation between penetration testing engagements.
1. Scope and Complexity
This is the single largest cost driver. A simple marketing website with no authentication is fundamentally different from a SaaS platform with role-based access control, payment processing, API integrations, and mobile applications.
For web application testing, complexity scales with the number of user roles (each role requires separate testing of authorization controls), the number of distinct functional areas, API endpoint count, authentication complexity (SSO, MFA, OAuth flows), and whether the application handles sensitive data types that require additional care during testing (payment cards, health records, financial data).
For network testing, scope is typically measured in IP ranges and the number of live hosts, network segmentation complexity, the presence of Active Directory and its trust relationships, and whether wireless, VPN, or remote access infrastructure is included.
2. Test Type
Different types of penetration testing require different skill sets, tools, and time investments:
- External network penetration test -- Testing internet-facing infrastructure for vulnerabilities an external attacker could exploit. Typically 3-7 days for a small to medium network. Common range: $5,000 to $20,000.
- Web application penetration test -- Manual testing of a web application's security controls, business logic, and API. Duration depends entirely on application complexity. Common range: $8,000 to $30,000 for a standard SaaS application.
- Internal network penetration test -- Simulates a threat actor who has gained initial access to the internal network. Tests lateral movement, privilege escalation, and Active Directory security. Typically requires on-site access or VPN connectivity. Common range: $10,000 to $35,000.
- Active Directory security assessment -- Focused assessment of AD configuration, trust relationships, Group Policy, privilege escalation paths, and Kerberos attack vectors. Common range: $12,000 to $25,000.
- Mobile application penetration test -- Testing iOS and/or Android applications including client-side security, API interactions, data storage, and platform-specific vulnerabilities. Common range: $8,000 to $20,000 per platform.
- Red team engagement -- Objective-based assessment simulating a real-world adversary across multiple attack vectors (phishing, physical, network, application). The most comprehensive and expensive test type. Common range: $30,000 to $150,000+.
These ranges assume a competent provider with certified testers performing manual work. Prices below these ranges typically indicate automated-only testing or junior staff.
3. Provider Expertise and Reputation
A boutique firm staffed entirely with OSCP/OSWE-certified consultants who have a decade of experience commands higher rates than a large consultancy that may assign your engagement to a junior analyst. Both have their place, but the outputs are measurably different.
The premium for elite providers is typically 30-50% above market average. Whether that premium is justified depends on the criticality of the systems being tested. For a payments platform handling millions in transactions, the premium is trivial relative to the risk. For a compliance checkbox on a low-risk system, a mid-tier provider may deliver sufficient value.
4. Compliance Requirements
Testing performed to satisfy specific compliance frameworks often requires additional documentation, specific methodology adherence, and particular reporting formats.
PCI DSS penetration testing must follow the guidance in PCI DSS Requirement 11.4 and the associated Information Supplement on penetration testing. This requires specific segmentation testing, retesting of findings, and documentation that the methodology covers all required areas. The compliance overhead adds 15-25% to the base cost.
SOC 2, ISO 27001, and similar frameworks are less prescriptive about methodology but require evidence of testing in specific formats. Providers experienced with these frameworks build the required documentation into their standard process, while less experienced providers may charge extra for compliance-formatted reporting.
5. Retesting
Retesting -- verifying that remediated vulnerabilities are actually fixed -- is an essential part of any pentest engagement. Some providers include one round of retesting in their base price. Others charge separately, typically 10-20% of the original engagement cost.
If retesting is not included, factor it into your budget. A pentest without retesting is an incomplete engagement -- you have findings but no confirmation that your fixes worked.
6. Reporting Depth
The gap between a minimal report and a comprehensive one is substantial. A quality pentest report includes an executive summary for leadership, detailed technical findings with proof-of-concept evidence, CVSS scoring with justification, specific remediation guidance, and strategic recommendations. Producing this level of documentation takes significant time -- often 20-30% of the total engagement effort.
Providers that undercut on price frequently recoup margin by minimizing reporting effort. The irony is that the report is the only tangible deliverable of a penetration test. Saving money on reporting is like hiring an architect and telling them not to bother with blueprints.
7. Geography
Provider location affects pricing due to cost-of-living differences and market dynamics. US and UK-based providers typically charge the highest rates. European providers vary by country. Offshore providers can offer significantly lower prices but may present challenges with communication, time zones, and regulatory compliance (particularly for engagements involving sensitive data that should not leave certain jurisdictions).
Why the Cheapest Option Is Rarely the Best Value
A $4,000 penetration test that produces automated scan output rebranded in a PDF template is not inexpensive -- it is a waste of $4,000. You could run the same scanner yourself for the cost of a license. The value of a penetration test comes from manual testing, creative attack thinking, business logic analysis, and expert interpretation of results. Those things require experienced humans spending significant time, and experienced humans are not cheap.
The cost of a missed vulnerability dwarfs the cost difference between a budget and premium provider. A single exploited SQL injection can result in a data breach costing hundreds of thousands in incident response, legal fees, regulatory fines, and reputational damage. The difference between a $5,000 test and a $15,000 test is trivial against that exposure.
That said, the most expensive provider is not automatically the best. Price is a proxy for quality, not a guarantee of it. Evaluate providers on the criteria outlined in our guide to choosing a penetration testing company -- certifications, methodology, sample reports, and named testers -- rather than assuming price alone indicates quality.
How to Budget for Penetration Testing
If your organization is budgeting for penetration testing for the first time, use these guidelines as starting points.
Minimum Viable Security Testing Budget
For a startup or small business with a single web application and basic infrastructure:
- Annual web application pentest: $8,000 - $15,000
- Annual external network assessment: $5,000 - $10,000
- Retesting (if not included): $2,000 - $4,000
- Total: $15,000 - $29,000 per year
Mid-Market Organization
For an organization with multiple applications, internal network infrastructure, and compliance requirements:
- Quarterly or semi-annual web application testing: $20,000 - $60,000
- Annual internal and external network testing: $15,000 - $35,000
- Annual Active Directory assessment: $12,000 - $25,000
- Retesting and remediation verification: $5,000 - $15,000
- Total: $52,000 - $135,000 per year
Enterprise
Enterprise security testing budgets vary too widely to generalize, but typically include continuous PTaaS for critical applications, quarterly assessments of new systems and major changes, annual red team exercises, specialized testing (IoT, OT/SCADA, cloud infrastructure), and bug bounty programs as a supplement to formal testing.
The ROI of Penetration Testing
Penetration testing is an expense that generates no direct revenue. Justifying the budget requires framing the cost against the risks it mitigates.
Breach cost avoidance. The average cost of a data breach continues to climb year over year. A single critical vulnerability found and fixed during a pentest that would have led to a breach represents an ROI of 10x to 100x the testing cost.
Compliance cost avoidance. Regulatory fines for inadequate security controls can be severe. PCI DSS non-compliance penalties range from $5,000 to $100,000 per month. A pentest that identifies and helps remediate compliance gaps before an audit prevents these costs entirely.
Insurance premium reduction. Cyber insurance underwriters increasingly require evidence of regular penetration testing. Organizations that can demonstrate a mature testing program often receive lower premiums -- sometimes enough to offset a significant portion of the testing cost.
Customer trust and sales enablement. For B2B organizations, the ability to share pentest reports (or summaries) with prospects during the sales process is a competitive differentiator. Enterprise buyers increasingly require evidence of security testing as a condition of vendor approval.
Getting Accurate Quotes
To receive accurate, comparable quotes from multiple providers, prepare a scope document that includes:
- Target URLs, IP ranges, and environment details
- Application complexity metrics (user roles, page count, API endpoints)
- Compliance requirements and reporting format needs
- Preferred testing windows and timeline
- Whether retesting should be included in the quote
- Whether you need on-site presence or can accommodate remote testing
Our PT Scoping Wizard generates a structured scope document that covers all of these elements. Using a consistent scope document across providers ensures you are comparing equivalent proposals rather than guessing at what each provider included or excluded from their quote.
Next Steps
Start by defining what you need tested. Our PT Scoping Wizard walks you through the process and produces a scope document you can share with providers for accurate quotes.
If you are still evaluating whether you need a full penetration test or if a vulnerability assessment would suffice, our comparison of penetration testing vs. vulnerability scanning clarifies the differences. And for a complete picture of what the engagement looks like, read what to expect from a penetration test.
Browse our security assessment services to see how CyberShield can help.