How Much Every Type of Penetration Testing Costs in 2023

There’s a reason it’s so hard to benchmark penetration testing costs: Every test with every firm is unique.

Which is insane, because they’re all doing the same thing. They’re all finding holes in your infrastructure, exploiting them, and writing about it in a report. But just like so many things in cybersecurity, the devil is in the detail.

As an independent advisor, we’ve compared penetration testing costs from a range of vendors, to give you the best possible chances of benchmarking costs before you look for quotes. This page is a summary of all the cost data we’ve found, for every penetration test type.

Here it is, from the top:

(NOTE: If your company needs a new penetration test, our free tool below matches you with a top-rated vendor that suits your requirements and budget.)


The Main Penetration Testing Pricing Models

Before diving into detail on penetration testing costs, it’s important to understand the pricing models of this service, because these don’t vary with the environment being tested.

Almost all pricing models for penetration testing will be based on total effort, as pentesting is a heavily manual service. Consultancies may package testing into credits or some other form of purchasable allotment but in all likelihood, that only relates to hours of work on the backend by the tester. In these cases, we will lump this into a fixed-cost engagement, as the organization can decide how much effort or time will be devoted to the test.

With an understanding that all penetration testing services will relate back to total effort, we can simplify the billing methods into two categories: fixed cost and time and material (T&M).

Fixed cost is a pricing model where the consultancy provides one rate and limited ability to submit change orders, which results in a known price for the engagement.

T&M will typically be a contract where the hourly rate and estimated hours or effort are quoted, but this does not mean this will be the final billing cost for the statement of work. Anything over the hours estimated will still be billed and management of the total time spent working the contract will be the contracting organization’s responsibility.

When it comes to fixed cost, there will always be additional room added to the engagement, as the consultancy is taking on any risk of overages or additional work beyond what was scoped. This is why the same effort billed as T&M is typically less than a fixed-cost engagement.

One final billing model that is becoming more common is a managed penetration testing service. The pricing model for this can vary from one company to the next, oftentimes being limited to a total number of tests in a given month, credits that can be allocated throughout the year, or a manual test up front with automated testing thereafter.

In many cases, this is simply a service where the contracting organization is committing to a certain amount of spending over the year but with more flexibility and an expected response time from the consultancy. Many times this can be accomplished by committing to a set amount of spend in the year and negotiating more favorable rates with the consultancy. Any penetration testing company would gladly provide discounted rates for committed spending over the calendar year.

Network Penetration Testing Costs

While a combined internal and external network penetration test is the gold standard, an organization may not need to expose the whole environment to testing. This is a test type with a wide scope for cost variation because there is a broad range of resources that may be inside the test scope. Fortunately, this is open to adjustment with your test vendor, so the potential for cost savings is high too.

Benchmark Cost: $15,000 – $50,000 for a test of low to moderate level of complexity.

This is our complete overview of network penetration testing costs. It describes the main cost factors for this test type, like white box vs black box, project scope, reporting provided & more.

(NOTE: Use our free matching tool to quickly connect with a top-rated pentest vendor that can meet your requirements and budget.)

Mobile App Penetration Testing Costs

Mobile app pen testing requires a high level of skill and expertise because it often combines testing across disciplines. Mobile apps are often connected to a company’s web apps, which have APIs and so on. A good mobile app pen test team may need to be proficient at all these test types to carry out a valuable test.

Benchmark Cost: $15,000 – $100,000

This is our full article on mobile app penetration testing costs. It breaks down the major cost factors like the ancillary connections of the app, the app platform, and more.

API Penetration Testing Costs

Since API pen tests are more commonly performed as white-box tests, their average cost is typically lower than other pen test types. Costs here are for APIs tested in isolation, and will increase if the test is more comprehensive, including a surrounding web app or cloud environment, as you will see below.

Benchmark Cost: $15,000 – $30,000

This is our in-depth article on API penetration testing costs. It describes the main cost factors of an API pen test, like API size, retesting included & more.

Web App Penetration Testing Costs

Like APIs, web apps are more commonly tested with a white-box approach. Web app penetration testing costs are affected most by the number of user roles and permissions possible, the number of dynamic pages (accepting input) in the app, the number of API endpoints in the app, and whether or not the app has a mobile variation.

Benchmark Cost: $15,000 – $100,000

This is our detailed article on web app penetration testing costs. It includes an explanation of the primary cost factors like user roles/permissions, dynamic pages, and more.

AWS Penetration Testing Costs

As more resources and assets move to the cloud, the risk of security breaches increases. Fewer vendors offer cloud service penetration testing. It is a more specialized skill set than say, standard network penetration testing, and this usually means it comes at a higher price.

Benchmark Cost: $20,000 – $100,000+

This is our detailed article on the cost of AWS penetration testing. It includes breakdowns of the main cost factors like the number of accounts, services in scope and how each one moves the price of a test.

PCI Penetration Testing Costs

A penetration test to satisfy PCI-DSS requirements is unique again. A PCI pen test is often box-checking, for compliance only, and doesn’t require the depth of testing or reporting that is common in other test types. That said, there are still plenty of ways to get it wrong. There are horror stories from firms who have contracted for a PCI pen test only to be told at audit time that the test didn’t actually satisfy PCI requirements.

Benchmark Cost: $10,000 – $100,000

This is our comprehensive article on the cost of PCI penetration testing, including the main cost factors and how to reduce costs where possible.

Cheap Penetration Testing Costs

Penetration testing has become a commodity service, and some vendors have raced to the bottom to provide the lowest priced viable penetration test they can. As long as you know what you’re getting, and it meets the organization’s goals (usually to satisfy a client request, or tick a compliance box) cheap penetration testing can be worth considering.

Benchmark Cost: $4,000 – $8,000

We broke down cheap penetration testing and the associated costs in this article, discussing who this kind of pentest service is for, and what to look out for when contracting.

Red Team Penetration Testing Costs

More involved red team penetration tests have a different cost structure again. These complex engagements utilize multiple resources and, depending on the organization’s goals, can run for months, including multiple intrusion attempts. This premium pen testing service is only carried out by specialist firms, and – scope depending – comes at a higher cost than most other types of penetration test.

Benchmark Cost: $10,000 – $85,000

We broke down the 3 main cost factors for red team penetration testing in this detailed overview. It includes an overview of the red teaming process and tips for cost management.

Whichever type of test your organization needs, consider the following cost factors as well:

Internal vs External

For any of the test types above, the factor affecting price the most is whether you choose an internal or external penetration test.

Internal attack surfaces are nearly always larger, and contracting for an internal penetration test as well as an external will significantly increase the organization’s cost.

Regional vs National Vendors

For some firms, there is business value in being able to show a penetration test from a large, reputable vendor. Whether for increased trust or prestige, it is possible for these firms to justify a higher penetration test cost.

A smaller, regional penetration test firm may not carry the same recognition but may be able to perform a high-quality penetration test with an actionable report for a fraction of the cost.

Pen Test Specialist vs General Cybersecurity Vendor

Many cybersecurity vendors offer penetration testing, but some firms specialize in it. Some vendors even do only penetration testing.

Here, rather than obsessing over cost, it’s crucial to match your vendor to your goals. Are you looking to tighten the screws all the way on your security program? Perhaps a boutique pen test firm is the right choice? Are you ticking a requirement for compliance purposes? A compliance-focused vendor with pen testing capability might be a better choice.

(NOTE: Use our free matching tool to quickly connect with a top-rated pentest vendor that can meet your requirements and budget.)

Ongoing Penetration Testing Costs

While there are cases where penetration testing may be a one-time cost, this is not a typical cost pattern for most organizations.

In many cases, an organization should expect to have follow-up costs for remediation testing, validation testing, or just recurring testing.

Before touching on recurring testing frequencies that should be planned for, one cost that can be accounted for upfront during the initial contract is related to remediation or validation testing. If your organization is interested in having these add-on services, regardless of test type, it is worthwhile to negotiate those upfront as this may help with getting a better rate or overall price.

As for recurring testing, it really depends on the test type and the maturity of the organization. Application penetration testing can be done yearly, or more frequently if an application is under rapid development with large changes. Network penetration testing is typically anywhere from quarterly to yearly and for PCI-compliant organizations, this is required to be bi-annual. Finally, red-team activity can be anywhere from quarterly to yearly or less frequent. The reality is that in most cases, the organization will set the frequency for follow-up testing based on risk tolerance and changes in the environment.

Cost of Pentesting vs Other Security Measures

Penetration testing services are harder to compare to other security controls or capabilities, because the product is intangible, outside of the final report. A pentest is a point-in-time assessment, where a consultancy will disappear for weeks at a time to conduct testing and come back with a report.

Many organizations will ask, “what am I getting compared to our endpoint detection and response provider or a firewall solution provider?” The reality is that the organization will get an understanding of where weaknesses occur, how those controls or tools might be implemented, how those weaknesses can be exploited, and what the potential impact may be. This makes it really hard to compare the cost to a more tangible hardware/software-based partner solution. Keeping this in mind, there are relationships between those services and penetration testing. The larger and more complex a company, the higher the cost will be for security in general.

The most relatable services to compare costs to would be vulnerability assessments, risk assessments, and gap assessments, as these services all provide some output to the organization after a dark period of work. Let’s dig into some high-level cost comparisons between these services.

Vulnerability assessments for example will typically cost anywhere from 10% to 50% of the cost of a penetration test.

Keep in mind that, while both testing services are geared at finding vulnerabilities and reporting those findings to the organization, vulnerability assessments are typically highly automated and not attempting to determine actual impact. With the majority of testing being automated, the cost can be expected to be significantly lower, but an organization should also expect a higher false positive rate compared to penetration testing.

For risk assessments, these engagements are typically in the same price range as, if not more expensive than, penetration testing. Typically, this type of service can be anywhere from 85% to 150% of a penetration test. The large range is related to the complexity of the organization, industry, and regulatory requirements. An organization operating in an industry like banking, government, or healthcare would require a more intensive risk assessment spanning more controls and a larger scope, which would increase the overall cost.

Finally, gap assessments are engagements that are typically associated with reviewing controls and policy documentation related to a specific standard or certification (ISO27001, NIST800-271, PCI, etc.). These engagements are commonly one to two weeks, pending appropriate documentation, as they simply evaluate if appropriate controls and policies are in place.

Due to this, the cost of a gap assessment to an organization could be 75% to 125% of the cost of a typical penetration test.

A Note on Pen Test Reporting & Costs

Some vendors take the view that a more detailed report should justify a higher cost, but many times, the longer a report, the less value for an organization. What you really want from your vendor, of course, is a test report that will help your organization meet the goals of this pen test.

A short report, with clear and actionable steps for remediation, that comes with a follow-up meeting where the testers can advise your IT department may be the perfect result. Request a sanitized report from any prospective vendor so you can know in advance what you’ll be getting at the end of the test.

Penetration Testing Cost Case Studies

To help in benchmarking your pentest costs, we have included two case studies of recent penetration tests with their approximate prices.

#1: Financial Technology Company Application Penetration Testing

Industry: Financial Technology

Size of the Organization: 700

Scope: External exposed APIs (~40), external users (~8 roles)

Cost: ~$20,000 yearly

A financial technology company operating a multi-tenant application is required to conduct yearly penetration testing against its flagship application. It was a modern application with API integrations available for customers to build on. The company time-boxed the yearly test at 2 weeks to help keep the cost down, since it conducts the tests on a yearly basis.

Additional Details: The test was a total of 2 weeks, with 2 days of reporting. The focus was on major changes to the application and a deep dive into specific vulnerability classes (e.g. access control, injection) to make the test more cost-effective.

Analysis: The approach taken with recurring testing on an application is not atypical for many organizations. Rather than doubling the price to do a full deep dive every year, the company focused on new features with select deep dives. This allowed for better use of the budget on a yearly basis, while still meeting customer requirements.

#2: Recurring Network Penetration Testing in Biotech

Industry: BioTech

Size of the Organization: 1,000+

Scope: Quarterly External Testing, ~500 hosts in scope

Cost: ~$60,000 yearly

A BioTech company decided to conduct quarterly external penetration testing against their network to make sure that no new issues were introduced. The concern was not just related to changes in the environment but making sure no missed patches, configurations, or rogue IT assets were left exposed.

Additional Details: Each test was around 3 weeks with reporting included. Per the information available, the consultancy company provided discounts for the committed spend. Each quarterly test also consisted of validation testing to make sure any previously identified high or critical findings were remediated within 1 month of the closing of the test.

Analysis: Being a large company that is most likely a target of many malicious actors, using a strategy of recurring testing is a great way to keep on top of vulnerabilities or issues that may crop up in the environment. Tests were not overly long, but that is not needed when working with the same testing company, as deep knowledge of the organization can be developed. Overall, this is a great approach to keeping an environment secure and conducting due diligence.

(DON’T FORGET: You can use our free matching tool to quickly connect with a top-rated pentest vendor that can meet your requirements and budget.)

For more pentest cost case studies from real companies, see our free penetration test pricing guide. We found data from 10 firms, that used 10 different vendors, and outlined how much they paid for recent penetration tests, and what they got for the money.

Published by Nathaniel Cole
Nathaniel Cole is a CISO and Security leader with experience as a business and technical leader across multiple industries. After 15 years in security, he has a track record of building, deploying and managing modern security programs that not only t...