There’s a reason it’s so hard to benchmark penetration testing costs: Every test with every firm is unique.
Which is insane, because they’re all doing the same thing. They’re all finding holes in your infrastructure, exploiting them, and writing about it in a report. But just like so many things in cybersecurity, the devil is in the detail.
As an independent advisor, we’ve compared penetration testing costs from a range of vendors, to give you the best possible chances of benchmarking costs before you look for quotes. This page is a summary of all the cost data we’ve found, for every penetration test type.
Here it is, from the top:
- Actual Penetration Test Costs from Real Firms
- Network Penetration Testing Costs
- Mobile App Penetration Testing Costs
- API Penetration Testing Costs
- Web App Penetration Testing Costs
- AWS Penetration Testing Costs
- PCI Penetration Testing Costs
- Cheap Penetration Testing Costs
- Red Team Penetration Testing Costs
- Internal vs External
- Regional vs National Vendors
- Pen Test Specialist vs General Cybersecurity Vendor
- A Note on Pen Test Reporting & Costs
Actual Penetration Test Costs from Real Firms
Our best contribution to your due diligence will be this free penetration test pricing guide. We found data from 10 firms that used 10 different vendors, on how much they paid for recent penetration tests and what they got for the money.
The pricing guide has case studies on each test, tips for how to reduce pen test costs, and more. Start there, and if you need more detailed pricing guidance for a specific type of test, come back to this article and keep scrolling.
Network Penetration Testing Costs
While a combined internal and external network penetration test is the gold standard, an organization may not need to expose the whole environment to testing. This test type has a wide scope for cost variation because a broad range of resources may be inside the test scope. Fortunately, the scope is open to adjustment with your test vendor, so the potential for cost savings is high too.
Benchmark Cost: $15,000 – $50,000 for a test of low to moderate level of complexity.
This is our complete overview of network penetration testing costs. It describes the main cost factors for this test type, like white box vs black box, project scope, reporting provided & more.
Mobile App Penetration Testing Costs
Mobile app pen testing requires a high level of skill and expertise because it often combines testing across disciplines. Mobile apps are often connected to a company’s web apps, which have APIs and so on. A good mobile app pen test team may need to be proficient at all these test types to carry out a valuable test.
Benchmark Cost: $15,000 – $100,000
This is our full article on mobile app penetration testing costs. It breaks down the major cost factors like the ancillary connections of the app, the app platform, and more.
API Penetration Testing Costs
Since API pen tests are more commonly performed as white-box tests, their average cost is typically lower than that of other pen test types. The costs here are for APIs tested in isolation, and will increase if the test is more comprehensive and includes a surrounding web app or cloud environment, as you will see below.
Benchmark Cost: $15,000 – $30,000
This is our in-depth article on API penetration testing costs. It describes the main cost factors of an API pen test, like API size, retesting included & more.
Web App Penetration Testing Costs
Like APIs, web apps are more commonly tested with a white-box approach. Web app penetration testing costs are affected most by the number of user roles and permissions possible, the number of dynamic pages (accepting input) in the app, the number of API endpoints in the app, and whether or not the app has a mobile variation.
Benchmark Cost: $15,000 – $100,000
This is our detailed article on web app penetration testing costs. It includes an explanation of the primary cost factors like user roles/permissions, dynamic pages, and more.
AWS Penetration Testing Costs
As more resources and assets move to the cloud, the risk of security breaches increases. Fewer vendors offer cloud service penetration testing. It is a more specialized skill set than, say, standard network penetration testing, and this usually means it comes at a higher price.
Benchmark Cost: $20,000 – $100,000+
This is our detailed article on the cost of AWS penetration testing. It includes breakdowns of the main cost factors like the number of accounts, services in scope and how each one moves the price of a test.
PCI Penetration Testing Costs
A penetration test to satisfy PCI-DSS requirements is unique again. A PCI pen test is often box-checking, for compliance only, and doesn’t require the depth of testing or reporting that is common in other test types. That said, there are still plenty of ways to get it wrong. There are horror stories from firms who have contracted for a PCI pen test only to be told at audit time that the test didn’t actually satisfy PCI requirements.
Benchmark Cost: $10,000 – $100,000
This is our comprehensive article on the cost of PCI penetration testing, including the main cost factors and how to reduce costs where possible.
Cheap Penetration Testing Costs
Penetration testing has become a commodity service, and some vendors have raced to the bottom to provide the lowest-priced viable penetration test they can. As long as you know what you’re getting, and it meets the organization’s goals (usually to satisfy a client request or tick a compliance box), cheap penetration testing can be worth considering.
Benchmark Cost: $4,000 – $8,000
We broke down cheap penetration testing and the associated costs in this article, discussing who this kind of pentest service is for, and what to look out for when contracting.
Red Team Penetration Testing Costs
More involved red team penetration tests have a different cost structure again. These complex engagements utilize multiple resources and, depending on the organization’s goals, can run for months, including multiple intrusion attempts. This premium pen testing service is only carried out by specialist firms, and – scope depending – comes at a higher cost than most other types of penetration test.
Benchmark Cost: $10,000 – $85,000
We broke down the 3 main cost factors for red team penetration testing in this detailed overview. It includes an overview of the red teaming process and tips for cost management.
Whichever type of test your organization needs, consider the following cost factors as well:
Internal vs External
For any of the test types above, the factor affecting price the most is whether you choose an internal or external penetration test.
Internal attack surfaces are nearly always larger, and contracting for an internal penetration test in addition to an external one will significantly increase the organization’s cost.
Regional vs National Vendors
For some firms, there is business value in being able to show a penetration test from a large, reputable vendor. Whether for increased trust or prestige, it is possible for these firms to justify a higher penetration test cost.
A smaller, regional penetration test firm may not carry the same recognition but may be able to perform a high-quality penetration test with an actionable report for a fraction of the cost.
Pen Test Specialist vs General Cybersecurity Vendor
Many cybersecurity vendors offer penetration testing, but some firms specialize in it. Some vendors even do only penetration testing.
Here, rather than obsessing over cost, it’s crucial to match your vendor to your goals. Are you looking to tighten the screws all the way on your security program? Perhaps a boutique pen test firm is the right choice? Are you ticking a requirement for compliance purposes? A compliance-focused vendor with pen testing capability might be a better choice.
A Note on Pen Test Reporting & Costs
Some vendors take the view that a more detailed report should justify a higher cost, but often the longer the report, the less value it delivers to an organization. What you really want from your vendor, of course, is a test report that will help your organization meet the goals of this pen test.
A short report with clear and actionable steps for remediation, paired with a follow-up meeting where the testers can advise your IT department, may be the perfect result. Request a sanitized sample report from any prospective vendor so you know in advance what you’ll be getting at the end of the test.