How Much Does Penetration Testing Cost?
Penetration testing costs range from $5,000 to $100,000+. What drives the price, what to watch for in proposals, and how to scope an assessment that fits your budget.
The short answer: somewhere between $5,000 and $100,000+. That range is not helpful on its own, which is why most firms don’t publish pricing. But you deserve better than “contact us for a quote” when you’re trying to build a budget.
We’ve been on both sides of this conversation. We’ve scoped and delivered hundreds of assessments, and we’ve sat in the buyer’s chair evaluating proposals from other firms. Here’s what actually drives the cost, what you should expect for your money, and how to spot a proposal that’s going to waste it.
If you’re new to penetration testing, start with an introduction to what it is before reading this. This article assumes you know what a penetration test is and you’re trying to figure out what it should cost.
Price Ranges by Test Type
These ranges reflect what you’ll see from experienced boutique and mid-size firms staffing senior testers. National firms and Big 4 consultancies typically charge 2x to 3x these rates for comparable scope.
| Test Type | Typical Range | What Drives It Higher |
|---|---|---|
| External penetration test | $5,000 to $20,000 | Number of external IPs, web-facing applications, VPN endpoints |
| Internal penetration test | $10,000 to $30,000 | Network size, segmentation complexity, Active Directory scope |
| Web application test | $5,000 to $25,000 | Application complexity, number of roles, API surface area |
| API security test | $5,000 to $20,000 | Number of endpoints, authentication complexity, business logic |
| Wireless security test | $5,000 to $15,000 | Number of sites, on-site vs. remote, guest network scope |
| Social engineering | $5,000 to $15,000 | Campaign type (phishing, vishing, physical), number of targets |
| Red team engagement | $20,000 to $100,000+ | Duration, objectives, assumed breach vs. full-scope |
What Most Mid-Size Businesses Actually Pay
If you’re a mid-size organization (200 to 500 employees) with a standard Active Directory environment, a handful of web applications, and a typical external footprint, your annual pentest combining internal and external testing will probably land in the $20,000 to $35,000 range. That’s the most common scope we see: a week of external testing, a week of internal testing, and reporting with a findings walkthrough.
That number goes up if you add web application testing, wireless assessments, or social engineering. It goes down if you phase the work across quarters (more on that below). But for budget planning purposes, $20,000 to $35,000 is a realistic starting point for a thorough annual assessment.
What Drives the Cost
Six factors account for most of the price variation between proposals.
1. Scope and Complexity
This is the biggest factor. An external test against 10 IPs is a different engagement than one against 200 IPs with a dozen web applications and VPN concentrators. Internal tests scale with network size, the number of VLANs, and whether Active Directory is a single domain or a multi-forest environment.
Web application tests scale with the number of user roles, the complexity of business logic, and whether the application exposes APIs. A simple marketing site with a contact form is a few days of work. A financial platform with role-based access, transaction workflows, and third-party integrations could be two weeks.
2. Tester Experience
This is where cheap tests fall apart. A firm staffing OSCP and GPEN-certified testers with 10+ years of offensive security experience will find things that junior analysts won’t. Chained vulnerabilities, business logic flaws, and creative privilege escalation paths require human intuition that comes from years of practice.
When you see a proposal that’s half the price of the others, ask who’s doing the testing. If the answer is “our team” without names or certifications, that’s worth pressing on.
3. Methodology
Firms following established methodologies like PTES or OSSTMM invest more time in pre-engagement scoping, intelligence gathering, and structured exploitation phases. This takes longer but produces more thorough results.
Some firms skip the structured approach and run tools until something breaks. That’s faster and cheaper, but it misses the attack chains and business-context findings that matter most.
4. Deliverable Quality
Reports vary enormously across the industry. At one end, you get an automated scanner dump with color-coded severity ratings. At the other, you get an attack narrative that walks through exactly how a tester moved from initial access to domain admin, with every finding mapped to CIS Top 18 controls and NIST 800-53 families.
The second report takes more time to write. It also gives your engineering team specific remediation steps and your compliance team audit-ready documentation. That time is part of the cost.
5. Compliance Requirements
If you’re testing for PCI-DSS, the scope must cover your cardholder data environment specifically. HIPAA assessments need to address ePHI access paths. SOC 2 and CMMC engagements require documentation that maps directly to control requirements.
Compliance-driven tests take longer because the methodology and reporting must satisfy auditor expectations, not just find vulnerabilities. The deliverables need to demonstrate coverage against specific control families. If you’re wondering whether your organization actually needs a pentest for compliance or just a vulnerability assessment, that distinction matters for scoping and cost.
6. Retesting
Some firms include a remediation retest in their base price. Others charge separately. Retesting verifies that your fixes actually worked, which matters for both security and compliance evidence. Ask about this upfront because a “cheaper” proposal plus a $5,000 retest might cost more than the firm that includes it.
Automated and Continuous Testing: Where They Fit (and Don’t)
There’s growing interest in alternatives to traditional penetration testing. Two categories keep coming up in conversations with buyers, and they’re worth understanding because they solve different problems at different price points.
Continuous Automated Red Teaming (CART)
CART platforms run ongoing, automated attack simulations against your environment. They test for known attack paths, misconfigurations, and credential weaknesses on a continuous basis. Some include a human analyst component, and a few can produce reports that satisfy certain compliance requirements when paired with that human review.
CART is valuable for what it does: continuous visibility into your security posture between point-in-time assessments. If a new vulnerability gets introduced on a Tuesday, you don’t have to wait for next year’s annual pentest to find it.
But CART isn’t a full penetration test. These platforms run predefined playbooks. They don’t scope an engagement around your specific business risks, and they don’t produce the kind of attack narrative and framework-mapped deliverables that a manual assessment does. Even CART platforms with human analysts attached are typically focused on validating specific attack paths, not conducting the open-ended, objective-driven testing that defines a real engagement.
Commodity “AI Pentest” Services
A newer category of vendors offers low-cost, fully automated scanning marketed as “AI-powered penetration testing.” These are more limited than CART platforms. They typically run vulnerability scans with some automated exploitation and package the results into a report.
The problem is situational awareness. These tools don’t understand your business context. They can’t tell the difference between a test environment and production. They won’t notice that your benefits portal trusts data from a third-party provider in a way that creates a lateral movement path to payroll records. They won’t realize that your password reset flow leaks account enumeration data that enables targeted phishing.
At the low end of the market, some of these services are rebranded vulnerability scans. That’s a legitimate service on its own, but calling it a penetration test creates false confidence.
Which Approach, and When
For most organizations, the right answer is a combination:
- Annual manual penetration test for the in-depth, point-in-time assessment that compliance requires and your security program needs. This is where human-driven testing finds the business logic flaws, chained attack paths, and creative exploits that automated tools miss.
- CART or continuous scanning between annual tests for ongoing visibility. Good for catching regressions and new exposures as your environment changes.
- Commodity automated tools as a supplement if budget allows, but not as a replacement for either of the above.
On the compliance side, check with your auditor before relying on any automated-only approach. PCI-DSS requires testing by a “qualified security assessor.” HIPAA guidance specifies “technical evaluation” that implies human judgment. Most auditors will not accept automated output alone as a substitute for a manual penetration test.
Red Flags in Pentest Proposals
After reviewing hundreds of proposals (from the buying side), these patterns consistently signal a low-quality engagement.
“Automated assessment” framed as penetration testing. Vulnerability scanning is not penetration testing. If the proposal describes running Nessus or Qualys and packaging the output, that’s a vulnerability assessment. Useful, but different. A penetration test involves manual exploitation and creative attack paths.
No named methodology. If the proposal doesn’t reference PTES, OSSTMM, OWASP Testing Guide, or NIST SP 800-115, ask what methodology they follow. “Our proprietary methodology” without details is a yellow flag.
Vague deliverables. “A report of findings” tells you nothing. Ask for a sample report. Look for: executive summary, attack narrative, individual finding detail with evidence, framework mapping, remediation guidance, and positive observations (what’s working well).
No retesting included or offered. Finding vulnerabilities without verifying fixes is half the job. If retest isn’t in the proposal, ask what it costs to add.
Timeline that’s too short. A meaningful internal and external test for a mid-size environment takes 5 to 10 business days of active testing, plus time for reporting. If someone quotes two days for the same scope, they’re cutting corners.
What You Should Get for Your Money
Regardless of price point, a quality penetration test delivers these things.
A findings walkthrough. Not just a PDF dropped in your inbox. A live session where the testers walk your team through every finding, answer questions, and discuss remediation priorities. This should be included, not an add-on.
Framework-mapped findings. Every finding should reference specific controls (CIS Top 18, NIST 800-53, or whatever framework your organization tracks against). This turns a security report into compliance documentation your auditors can use.
An attack narrative. For internal tests especially, you should see the step-by-step path the tester took from initial access to their objectives. This tells your team the story of what an attacker would do, not just a list of individual vulnerabilities.
Positive observations. What’s working well matters too. Good reports call out strong controls so your team gets credit for what they’ve built and knows where to keep investing.
Actionable remediation guidance. Not “patch your systems.” Specific steps, in priority order, with enough detail that your engineering team can act without guessing.
Post-report support. Questions will come up after the walkthrough. Weeks or months later, someone on your team will revisit a finding and need clarification. A good firm picks up the phone.
How to Scope an Assessment That Fits Your Budget
If the full-scope engagement is beyond your current budget, there are honest ways to right-size it without sacrificing quality.
Phase it. Do external this quarter, internal next quarter, web applications the quarter after. Each test stands on its own, and you build a full picture over the year.
Prioritize by risk. If you know your web application handles sensitive data but your internal network is relatively simple, put the budget toward the application test first.
Start with a gap assessment. If you’re not sure where your biggest risks are, a gap assessment against CIS Top 18 or NIST CSF can identify where testing will have the most impact. That way your pentest budget targets the areas that matter most.
Ask about bundling. Most firms offer better per-test pricing when you commit to multiple assessments or an annual testing program.
Get a Quote Scoped to Your Environment
Every organization is different. The ranges above are a starting point, but the real answer depends on your environment, your compliance requirements, and what you’re trying to learn.
We scope every engagement to your actual risks and objectives, not a one-size-fits-all checklist. If something isn’t relevant to your environment, we won’t test it just to pad a report.
Request a free consultation and we’ll walk through your environment together. No pressure, no generic proposals. Just a straight conversation about what makes sense for your organization.