There’s a reason it’s so hard to benchmark penetration testing costs: Every test with every firm is unique.
Which is insane, because they’re all doing the same thing. They’re all finding holes in your infrastructure, exploiting them, and writing about it in a report. But just like so many things in cybersecurity, the devil is in the detail.
As an independent advisor, we’ve compared penetration testing costs from a range of vendors to give you the best possible chance of benchmarking costs before you look for quotes. This page is a summary of all the cost data we’ve found for every penetration test type.
Here it is from the top:
- The Main Penetration Testing Pricing Models
- Network Penetration Testing Costs
- Mobile App Penetration Testing Costs
- API Penetration Testing Costs
- Web App Penetration Testing Costs
- AWS Penetration Testing Costs
- PCI Penetration Testing Costs
- Cheap Penetration Testing Costs
- SOC 2 Penetration Testing Costs
- HIPAA Penetration Testing Costs
- GDPR Penetration Testing Costs
- ISO 27001 Penetration Testing Costs
- Red Team Penetration Testing Costs
- Small Business Penetration Testing Costs
- Penetration Testing for SaaS Costs
- Penetration Testing as a Service Costs
- Internal vs External
- Regional vs National Vendors
- Pen Test Specialist vs General Cybersecurity Vendor
- Ongoing Penetration Testing Costs
- Cost of Pentesting vs Other Security Measures
- A Note on Pen Test Reporting & Costs
- Penetration Testing Cost Case Studies
(NOTE: If your company needs a new penetration test, our free tool below matches you with a top-rated vendor that suits your requirements and budget.)
The Main Penetration Testing Pricing Models
Before diving into detail on penetration testing costs, it’s important to understand the pricing models of this service because these don’t vary with the environment being tested.
Almost all pricing models for penetration testing will be based on total effort, as pen-testing is a heavily manual service. Consultancies may package testing into credits or some other form of purchasable allotment, but in all likelihood, that only relates to hours of work done on the backend by the tester. In these cases, we will lump this into a fixed-cost engagement, as the organization can decide how much effort or time will be devoted to the test.
With an understanding that all penetration testing services will relate back to total effort, we can simplify the billing methods into two categories: fixed cost and time and material (T&M).
Fixed cost is a pricing model where the consultancy provides one rate and has a limited ability to submit change orders, which results in a known price for the engagement.
T&M will typically be a contract where the hourly rate and estimated hours or effort are quoted, but this does not mean this will be the final billing cost for the statement of work. Anything over the estimated hours will still be billed, and the contracting organization will be responsible for managing the total time spent working on the contract.
When it comes to fixed cost, there will always be additional room added to the engagement as the consultancy is taking on any risk of overages or additional work beyond what was scoped, which is why the same effort in T&M is typically less than a fixed-cost engagement.
One final billing model that is becoming more common is a managed penetration testing service. The pricing model for this can vary from one company to the next, oftentimes being limited to a total number of tests in a given month, credits that can be allocated throughout the year, or a manual test up front with automated testing thereafter.
In many cases, this is simply a service where the contracting organization commits to a certain amount of spending over the year but with more flexibility and an expected response time from the consultancy. Many times, this can be accomplished by committing to a set amount of spending in the year and negotiating more favorable rates with the consultancy. Any penetration testing company would gladly provide discounted rates for committed spending over the calendar year.
Network Penetration Testing Costs
While a combination internal and external network penetration test is the gold standard, an organization may not need to expose the whole environment to testing. This test type has a wide scope for cost variation because there is a wide range of resources that may be inside the test scope. Fortunately, this is open to adjustment with your test vendor, so the potential for cost savings is high, too.
Benchmark Cost: $15,000 – $50,000 for a test of low to moderate level of complexity.
This is our complete overview of network penetration testing costs. It describes the main cost factors for this test type, such as white box vs. black box, project scope, reporting provided, and more.
(NOTE: Use our free matching tool to quickly connect with a top-rated pentest vendor that can meet your requirements and budget.)
Mobile App Penetration Testing Costs
Mobile app pen testing requires a high level of skill and expertise because it often combines testing across disciplines. Mobile apps are often connected to a company’s web apps, which have APIs and so on. A good mobile app pen test team may need to be proficient at all these test types to carry out a valuable test that will pass the relevant compliance requirements.
Benchmark Cost: $10,000 – $100,000
This is our full article on mobile app penetration testing costs. It breaks down the major cost factors, such as the app’s ancillary connections and platform.
API Penetration Testing Costs
Since API pen tests are more commonly performed as white-box tests, their average cost is typically lower than that of other pen test types. Costs here are for APIs tested in isolation and will increase if the test is more comprehensive, including a surrounding web app or cloud environment, as you will see below.
Benchmark Cost: $15,000 – $30,000
This is our in-depth article on API penetration testing costs. It describes the main cost factors of an API pen test, such as API size, retesting included, and more.
Web App Penetration Testing Costs
Like APIs, web apps are more commonly tested with a white-box approach. Web app penetration testing costs are affected most by the number of user roles and permissions possible, the number of dynamic pages (accepting input) in the app, the number of API endpoints in the app, and whether or not the app has a mobile variation.
Benchmark Cost: $15,000 – $100,000
This is our detailed article on web app penetration testing costs. It includes an explanation of the primary cost factors like user roles/permissions, dynamic pages, and more.
AWS Penetration Testing Costs
As more resources and assets move to the cloud, the risk of security breaches increases. Fewer vendors offer cloud service penetration testing, which requires a more specialized skill set than, say, standard network penetration testing. This usually means it comes at a higher price.
Benchmark Cost: $20,000 – $100,000+
This is our detailed article on the cost of AWS penetration testing. It includes breakdowns of the main cost factors, such as the number of accounts and services in scope, and how each one affects the price of a test.
PCI Penetration Testing Costs
A penetration test to satisfy PCI-DSS requirements is unique again. A PCI pen test is often box-checking for compliance only and doesn’t require the depth of testing or reporting that is common in other test types. That said, there are still plenty of ways to get it wrong. There are horror stories from firms that have contracted for a PCI pen test and were only told at audit time that the test didn’t actually satisfy PCI requirements.
Benchmark Cost: $5,000 – $50,000
This is our comprehensive article on the cost of PCI penetration testing, including the main cost factors and how to reduce costs where possible.
Cheap Penetration Testing Costs
Penetration testing has become a commodity service, and some vendors have raced to the bottom to provide the lowest-priced viable penetration test they can. As long as you know what you’re getting and it meets the organization’s goals (usually to satisfy a client request or tick a compliance box), cheap penetration testing can be worth considering.
Benchmark Cost: $4,000 – $8,000
In this article, we break down cheap penetration testing and the associated costs, discussing who this kind of pentest service is for and what to look out for when contracting.
SOC 2 Penetration Testing Costs
As we’ve pointed out, SOC 2 doesn’t require a penetration test, but most companies choose to have one as part of their compliance effort as a means to externally validate multiple security controls. As a bonus, having the up-to-date pentest report will mean you’re not scrambling to attain one when your next client requests it. The kind of pentest typically chosen to assist SOC 2 compliance is less comprehensive and lower in cost than other kinds.
Benchmark Cost: $5,000 – $20,000
We went into detail on pentests for SOC 2 in this article, including what should be in scope and how you can save.
HIPAA Penetration Testing Costs
Like SOC 2, the HIPAA security rule doesn’t mandate a pentest, but, in our CISO’s words, “it is nigh on impossible to validate that other required HIPAA controls are working effectively without some form of penetration testing.” As such, the cost of a pentest for HIPAA compliance has more to do with your environment & what’s in scope than specific adherence to the security rule.
Benchmark Cost: $10,000 – $50,000
Our article on HIPAA penetration testing spells out some of the costs in more detail, including advice on how regularly to test, and which assets should be in scope according to HIPAA 45 CFR § 164.308(a)(7)(ii)(E).
GDPR Penetration Testing Costs
This is another instance of a compliance framework that doesn’t mandate penetration testing specifically but is difficult to comply with unless a penetration testing regime is in place. Many vendors sell a “GDPR pentest”, in an attempt to elevate prices for what is a stock standard test.
Benchmark Cost: $10,000 – $30,000
In our detailed breakdown of GDPR penetration testing, our CISO delves into Article 32 (said to be the most direct injunction to pentest) and what you should seek to attain as part of any pentest for this purpose.
ISO 27001 Penetration Testing Costs
While ISO 27001’s A.12.16 Technical Vulnerability Management requirement can be met with a vulnerability scan only, our CISO advises that a pentest to attain certification is still better practice. For this reason, and like GDPR, a cottage industry of “ISO27001 pentesting” exists but should be avoided.
Benchmark Costs: $5,000 – $50,000
In our comprehensive article on ISO 27001 pentests, CISO Aaron Weissman recommends bundling a pentest with your ISO 27001 risk assessment to reduce costs.
Red Team Penetration Testing Costs
Again, more involved red team penetration tests have a different cost structure. These complex engagements utilize multiple resources and, depending on the organization’s goals, can run for months, including multiple intrusion attempts. This premium pen testing service is only carried out by specialist firms and—scope-dependent—comes at a higher cost than most other types of penetration tests.
Benchmark Cost: $15,000 – $85,000
In this detailed overview, we break down the 3 main cost factors for red team penetration testing. It also includes an overview of the red teaming process and tips for cost management.
Small Business Penetration Testing Costs
Small businesses represent a disproportionate number of victims of data breaches. As such, more of them are seeking some form of penetration test, and more vendors are filling the space to provide these often affordable, low-scope assessments. Small businesses with e-commerce stores, mobile apps, and brick-and-mortar storefronts are increasingly using pen tests to secure their external attack surfaces and reduce security risks.
Benchmark Cost: $5,000 – $10,000
In our full article on small business penetration testing, CISO Aaron Weissman explains which tests small businesses should prefer and how they should apply them as part of a broader cybersecurity strategy.
Penetration Testing for SaaS Costs
Businesses with a SaaS application face unique security challenges that the right pentest vendor will understand and be able to address. Usually split between a corporate network and the product/app itself, this pentest type can be costly but highly valuable as part of a sound CS strategy.
Benchmark Cost: $20,000 – $100,000
In the overview, CISO Aaron Weismann explains that SaaS app pentest costs will relate to the number of user roles and APIs in scope. While average costs are higher, it is still possible to contract a lower-cost test if the scope is carefully planned and reduced where possible.
Penetration Testing as a Service Costs
The fastest-growing penetration testing market this year is PTaaS or penetration testing as a service. These largely automated pentests are increasingly versatile and make sense as a low-cost option for a wide range of SMEs. That said, many vendors have jumped on the PTaaS bandwagon, and there is a large variation in the quality of service between them.
Benchmark Cost: $15,000 – $100,000 P.A.
Like any automated solution, PTaaS has risks, and in our full article on It, CISO Nathaniel Cole points out which companies should consider it an option and which should avoid it.
Whichever type of test your organization needs, consider the following cost factors as well:
Internal vs External
For any of the test types above, the factor affecting price the most is whether you choose an internal or external penetration test.
Internal attack surfaces are nearly always larger, and contracting for an internal penetration test as well as an external one will significantly increase the organization’s cost.
Regional vs National Vendors
For some firms, there is business value in showing a penetration test from a large, reputable vendor. Whether for increased trust or prestige, these firms can justify a higher penetration test cost.
A smaller, regional penetration test firm may not carry the same recognition but may be able to perform a high-quality penetration test with an actionable report for a fraction of the cost.
Pen Test Specialist vs General Cybersecurity Vendor
Many cybersecurity vendors offer penetration testing, but some firms specialize in it. Some vendors even do only penetration testing.
Here, rather than obsessing over cost, it’s crucial to match your vendor to your goals. Are you looking to tighten the screws all the way on your security program? Perhaps a boutique pen test firm is the right choice? Are you ticking a requirement for compliance purposes? A compliance-focused vendor with pen testing capability might be a better choice.
(NOTE: Use our free matching tool to quickly connect with a top-rated pentest vendor that can meet your requirements and budget.)
Ongoing Penetration Testing Costs
While there are cases where penetration testing may be a one-time cost, this is not a typical cost pattern for most organizations.
In many cases, an organization should expect to have follow-up costs for remediation testing, validation testing, or just recurring testing.
Before touching on recurring testing frequencies that should be planned for, one cost that can be accounted for upfront during the initial contract is related to remediation or validation testing. If your organization is interested in having these add-on services, regardless of test type, it is worthwhile to negotiate those upfront as this may help with getting a better rate or overall price.
As for recurring testing, it really depends on the test type and the maturity of the organization. Application penetration testing can be done yearly, or more frequently if an application is under rapid development with large changes. Network penetration testing is typically done anywhere from quarterly to yearly, and for PCI-compliant organizations, this is required to be bi-annual. Finally, red-team activity can be anywhere from quarterly to yearly or less frequent. The reality is that, in most cases, the organization will set the frequency for follow-up testing based on risk tolerance and changes in the environment.
Cost of Pentesting vs Other Security Measures
Penetration testing services are harder to compare to other security controls or capabilities, because the product is intangible, outside of the final report. A pentest is a point-in-time assessment, where a consultancy will disappear for weeks at a time to conduct testing and come back with a report.
Many organizations will ask, “What am I getting compared to our endpoint detection and response provider or a firewall solution provider?” The reality is that the organization will get an understanding of where weaknesses occur, how those controls or tools might be implemented, how those weaknesses can be exploited, and what the potential impact may be. This makes it really hard to compare the cost to a more tangible hardware/software-based partner solution. Keeping this in mind, there are relationships between those services and penetration testing. The larger and more complex a company, the higher the cost will be for security in general.
The most relatable services to compare costs to would be vulnerability assessments, risk assessments, and gap assessments, as these services all provide some output after a dark period of work to the organization. Let’s dig into some high-level cost comparisons between these services.
Vulnerability assessments for example will typically cost anywhere from 10% to 50% of the cost of a penetration test.
Keep in mind that while both testing services are geared at finding vulnerabilities and reporting those findings to the organization, vulnerability assessments are typically highly automated and not attempting to determine actual impact. With the majority of testing being automated, the cost can be expected to be significantly lower, but an organization should also expect a higher false positive rate compared to penetration testing.
For risk assessments, these engagements are typically in the same price range, if not more expensive, than penetration testing. Typically, this type of service can be anywhere from 85% to 150% of a penetration test. The large range is related to the complexity of the organization, industry, and regulatory requirements. An organization operating in an industry like banking, government, or healthcare would require a more intensive risk assessment that will span more controls and larger scope, which would increase the overall cost.
Finally, gap assessments are engagements that are typically associated with reviewing controls and policy documentation related to a specific standard or certification (ISO27001, NIST800-271, PCI, etc.). These engagements are commonly one to two weeks, pending appropriate documentation, as they simply evaluate if appropriate controls and policies are in place.
Due to this, the cost of a gap assessment to an organization could be 75% to 125% of the cost of a typical penetration test.
A Note on Pen Test Reporting & Costs
Some vendors take the view that a more detailed report should justify a higher cost, but many times, the longer a report, the less value for an organization. What you really want from your vendor, of course, is a test report that will help your organization meet the goals of this pen test.
A short report with clear and actionable steps for remediation comes with a follow-up meeting where the testers can advise your IT department, which may be the perfect result. Request a sanitized report from any prospective vendor so you can know in advance what you’ll be getting at the end of the test.
Penetration Testing Cost Case Studies
To help you benchmark your pentest costs, we have included two case studies of recent penetration tests with approximate prices.
#1: Financial Technology Company Application Penetration Testing
Industry: Financial Technology
Size of the Organization: 700
Scope: External exposed APIs (~40), external users (~8 roles)
Cost: ~$20,000 yearly
A financial technology company that is operating a multi-tenant application is required to conduct yearly penetration testing against its flagship application. It was a modern application built with API integrations available to customers to integrate. The company time-boxed the yearly test at 2 weeks to help keep the cost down since it conducts the tests on a yearly basis.
Additional Details: The test was a total of 2 weeks with 2 days of reporting. The focus was on major changes to the application and a deep dive into specific vulnerabilities (e.g., access control, injection) to help make the cost of the test more cost-effective.
Analysis: The approach taken with recurring testing on an application is not typical for many organizations. Rather than doubling the price to do a full deep dive every year, the company focused on new features with select deep dives. This allowed for better use of the budget on a yearly basis while still meeting customer requirements.
#2: Recurring Network Penetration Testing in Biotech
Industry: BioTech
Size of the Organization: 1,000+
Scope: Quarterly External Testing, ~500 hosts in scope
Cost: ~$60,000 yearly
A BioTech company decided to conduct quarterly external penetration testing against their network to make sure that no new issues were introduced. The concern was not just related to changes in the environment but also about making sure no missed patches, configurations, or rogue IT assets were left exposed.
Additional Details: Each test was around 3 weeks, with reporting included. Per the information available, the consultancy company provided discounts for the committed spend. Each quarterly test also consisted of validation testing to make sure any previously identified high or critical findings were remediated within 1 month of the closing of the test.
Analysis: As a large company that is most likely a target of many malicious actors, using a strategy of recurring testing is a great way to keep on top of vulnerabilities or issues that may crop up in the environment. The tests were not overly long, but that is not needed when working with the same testing company, as deep knowledge of the organization can be developed. Overall, this is a great approach to keeping an environment secure and conducting due diligence.
(DON’T FORGET: You can use our free matching tool to quickly connect with a top-rated pentest vendor that can meet your requirements and budget.)
For more pentest cost case studies from real companies, see our free penetration test pricing guide. We found data from 10 firms that used 10 different vendors and outlined how much they paid for recent penetration tests and what they got for the money.
