The Raptoric Journal / Offensive Security
June 9, 2026 · 9 min read

How much does a penetration test cost?

Most quotes land between a few thousand and low six figures. The number that matters is what sits behind it: scope, seniority, and whether anyone actually tries to break in.
Written by Raptoric Offensive Security

Buyers ask the price first, and that is fair. But a penetration test is not a commodity, and two quotes with the same number can buy completely different work. This guide gives you real market ranges, the factors that move them, and the questions that tell you whether a low price is a deal or a warning.

What a penetration test typically costs

Price tracks scope, but the market clusters into a few bands. Treat these as a starting point for budgeting, not a quote. Anyone who prices your environment without scoping it is guessing.

  • Focused web app or API test: roughly $5,000 to $15,000.
  • Mid-size external or internal network test: roughly $10,000 to $30,000.
  • Complex application, cloud environment, or multi-target engagement: $25,000 to $60,000 and up.
  • Full red team operation against people, process, and technology: $40,000 to $100,000 and up.
  • Retainer or continuous testing: often $3,000 to $15,000 a month, depending on coverage.

What actually drives the price

Scope is the biggest lever, but it is not the only one. These are the factors that move a quote up or down.

  • Scope size. The number of applications, IP ranges, user roles, and integrations sets the baseline. More surface, more time.
  • Depth. A surface check costs less than an engagement that chains small flaws into a full attack path. Depth is where real risk gets found.
  • Seniority. A test run by a senior engineer costs more per day than a junior running a tool, and finds what the tool never will.
  • Method. Manual testing and business-logic work take longer than an automated pass, and they target the exact gaps attackers exploit.
  • Compliance needs. A test that has to produce evidence for NIS2, DORA, or SOC 2 carries extra reporting and rigor.
  • Retesting. A reputable provider includes a retest of the fixes. If it is missing, you will pay for it later.

Fixed scope, day rate, or retainer

Providers price in three common ways, and each fits a different situation.

  • Fixed scope. You agree a defined target and a fixed fee. Best when the scope is clear and you want a predictable number.
  • Day rate. You buy a block of senior days. Best for exploratory or research-heavy work where the path is not known up front.
  • Retainer. You buy scheduled or continuous testing. Best for fast-moving environments that change every sprint.

Why the cheapest quote is often the most expensive

A scanner with a logo on the report costs little and finds little. It catches the obvious and misses the business-logic flaw that hands an attacker your customer data. You pass the test, feel covered, and get breached by the issues the report never connected. The cheap quote did not save money. It moved the cost to the incident. We cover this trap in detail in our post "a scan is not a pentest".

You do not get breached by the bug in the report. You get breached by the one nobody looked for.

What you should get for the money

Price aside, a real engagement produces specific deliverables. If a quote does not include these, the number is not comparable to one that does.

  • An executive summary written for the board, not a raw tool export.
  • Technical findings with reproducible proof of concept, ranked by real risk.
  • An attack-path narrative that shows how separate issues chain together.
  • Remediation guidance your engineers can act on without guesswork.
  • A free retest of the fixes within a defined window.

Questions to ask before you sign

  • Who runs the test, and how senior are they?
  • How much of the work is manual versus automated?
  • Is a retest included, and for how long after delivery?
  • Will the report satisfy my specific compliance obligation?
  • Can I see a sample report with client details removed?

How we scope and price

We scope every engagement on a short call with a senior engineer, agree targets and rules in writing, and send indicative pricing within 48 hours. No SDR, no qualification maze. See our offensive security work, or book a scoping call and tell us what you are protecting.
