How Much Does a Penetration Test Cost in 2026?
"How much does a pentest cost?" is the most common question we get. The price depends on what you're testing, how complex it is, and who's doing the work. Most firms won't narrow it down until you're on a sales call.
We think that's backwards. After seven-plus years of scoping and delivering penetration tests, we've put together the pricing guide we wish every firm published: real numbers, honest context, and no sales pitch attached.
The Bottom Line Up Front
Most businesses spend between $3,000 and $30,000 on a penetration test depending on the type and scope. A standard web application test for a small to mid-sized company typically falls in the $3,000 to $10,000 range. Full breakdown by test type below.
Typical Cost Ranges by Test Type
The type of test you need is the single biggest factor in pricing. These ranges reflect what we see across the market in 2026:
| Test Type | Typical Price Range | Common Duration |
|---|---|---|
| Web Application | $3,000 - $15,000 | 3 - 10 days |
| External Network | $3,500 - $12,000 | 2 - 5 days |
| Internal Network | $5,000 - $20,000 | 3 - 10 days |
| API | $3,000 - $12,000 | 2 - 7 days |
| Mobile Application | $5,000 - $20,000 | 5 - 10 days |
| Cloud Environment | $3,000 - $30,000 | 3 - 10 days |
| Red Team Engagement | $20,000+ | 2 - 6 weeks |
The low end of each range represents a focused engagement with a clearly defined scope (a single web app with standard functionality, or a small external perimeter). The high end reflects larger, more complex environments: applications with dozens of user roles, extensive API integrations, or multi-cloud architectures.
Why are the ranges so wide? Because the market is. Larger firms with sales teams, project managers, and brand overhead tend to price at the upper end. Focused firms and independent practitioners with senior-level expertise but lower overhead can deliver the same quality of manual testing for less. What matters isn't the size of the company. It's the skill and experience of the person actually doing the work.
If someone quotes you under $2,000 for a web application test, that's worth scrutinizing. If they quote you well above these ranges, make sure you understand exactly what additional value you're getting.
The 5 Factors That Drive the Price Up or Down
Knowing what drives the price up or down gives you more control over the conversation. These five factors matter most.
1. Scope and Size
This is the biggest cost driver, and it's also where you have the most control. A pentest of one web app with ten pages is a fundamentally different engagement than testing a platform with hundreds of endpoints, multiple user roles, and complex workflows. More features, more pages, more IPs, more APIs: all of it adds time, and time is what you're paying for.
If you're working with a limited budget, a good provider will help you prioritize. Test your highest-risk asset thoroughly rather than spreading thin across everything.
2. Complexity of the Environment
A straightforward e-commerce site built on Shopify is less complex to test than a custom financial platform with multi-step transaction workflows and role-based access controls spanning a dozen permission levels. Complex environments require more experienced testers, more creative approaches, and more time.
3. Compliance Requirements
If your test needs to satisfy a specific compliance framework (PCI DSS, SOC 2, HIPAA, FedRAMP), the engagement may require additional documentation, specific methodologies, or particular reporting formats. This adds cost, but it also ensures the results will actually satisfy your auditors rather than leaving you scrambling before an audit deadline.
4. Depth of Testing: Black Box, Gray Box, or White Box
We recommend gray box for most businesses. It's the best balance of cost and thoroughness. But it helps to understand all three approaches:
- Black box: The tester gets no information about your systems, simulating a true external attacker. Takes longer because of reconnaissance time up front.
- Gray box: The tester gets some information (credentials, documentation, network diagrams). This maximizes time spent on actual vulnerability discovery instead of guessing at what's in scope.
- White box: The tester gets full access to source code, architecture docs, and admin credentials. Deepest testing, but also the most time-intensive and typically the most expensive.
5. Tester Expertise and Certifications
This one is simple. A senior tester with OSCP, OSWE, or GXPN will find vulnerabilities that a junior tester running automated tools will miss entirely. They'll also find them faster. You genuinely get what you pay for here: three days with an experienced tester often turns up more critical findings than ten days with someone learning on the job.
Key Takeaway
The best way to get an accurate quote is to be specific about your scope. Know what you want tested, share documentation upfront, and ask the provider to explain how they arrived at their number. If they can't explain it, that's a red flag.
Red Flags: When a Quote Is Too Cheap
A lower price isn't automatically a red flag. A skilled independent tester with low overhead can legitimately charge less than a large firm. The warning signs are about how the work gets done.
Automated-only testing branded as pentesting
Some firms run Nessus or Qualys, repackage the scanner output with a cover page, and call it a penetration test. It's not. That's a vulnerability scan. If the engagement wraps up in a day or two, there's almost no way a human tester did meaningful manual work. A scanner report is worth a few hundred dollars. A pentest is worth thousands because a skilled person is actually doing the work.
Offshore teams with no verifiable certifications
Talented testers exist worldwide, so offshore isn't inherently a problem. But some firms outsource testing to overseas teams and mark up the results without any transparency about who's doing the work. If you can't verify the certifications and experience of the actual tester, you have no way to assess quality. Always ask.
No retesting included
Finding vulnerabilities is half the job. Verifying that your fixes actually work is the other half. If retesting is billed as an expensive add-on rather than included in the engagement, that tells you something about the firm's priorities.
Generic, template-heavy reports
Ask to see a sample report before signing. If it's mostly boilerplate with generic CVE descriptions, the firm isn't investing time in understanding your specific environment. A quality report includes proof-of-exploitation with custom screenshots from your systems and remediation guidance written for your tech stack, not copy-pasted from a database.
A Good Rule of Thumb
If someone offers to pentest your web application for under $2,000, they're almost certainly running an automated scan and putting a nice cover on it. Manual penetration testing requires days of skilled human effort. That has a cost floor.
The ROI Calculation: Pentest Cost vs. Breach Cost
Staring at a $5,000 or $10,000 quote, it's natural to wonder if it's worth it. The math gets clear fast when you look at the alternative.
IBM's 2025 Cost of a Data Breach Report puts the global average at $4.44 million. In the U.S., it's $10.22 million. For small businesses, the number is lower but still enough to close doors: $150,000 to $500,000+ once you add up incident response, legal fees, regulatory fines, customer notification, and lost revenue.
Put it this way:
- Average U.S. breach cost: $10.22 million (IBM, 2025)
- Typical SMB breach cost: $150,000 - $500,000+ in direct costs
- A focused pentest: $3,500 - $10,000
- That pentest as a percentage of even the SMB breach floor: about 2-5%
A pentest won't guarantee you never get breached. Nothing will. But it identifies the specific vulnerabilities an attacker would use to get in, and it gives your team the information to fix them. It's not an expense. It's risk reduction that costs a fraction of what it protects against.
Then there's the damage you can't easily put a number on. When a healthcare company gets breached and patients find their records on the dark web, those patients don't come back. When a SaaS company loses customer data, their enterprise prospects ask to see the incident report during sales calls for the next two years. Reputational damage compounds long after the direct costs are settled.
What Small and Mid-Sized Businesses Should Budget
If you're an IT manager or business owner at a company with 50 to 500 employees, here's practical guidance for building a pentest budget.
For most SMBs, plan on $5,000 to $15,000 per year. That breaks down roughly like this:
- Smaller scope (one web app or external network): $3,500 - $7,000/year. Covers a focused annual engagement on your highest-risk asset, with retesting included.
- Medium scope (web app + external network, or multiple apps): $8,000 - $14,000/year. Where most mid-sized companies land. Covers your primary attack surface with real manual testing.
- Broader scope (multiple apps, internal + external network, cloud): $15,000 - $25,000+/year. Appropriate if you're handling sensitive data, operating under compliance requirements, or managing complex hybrid environments.
If budget is tight, start with whatever asset represents the greatest risk. That's usually your customer-facing web application or your external network perimeter. A thorough test of your most important asset beats a shallow scan of everything.
Why annually? Your attack surface changes. You ship new features, onboard new vendors, adjust infrastructure. Last year's test doesn't cover this year's code. Most compliance frameworks require annual testing anyway, and your security posture should evolve at least as fast as your product does.
Budgeting Tip
Treat penetration testing like a recurring line item, not an ad hoc project. Building it into your annual security budget alongside tools and training ensures it doesn't get deprioritized when other expenses come up.
How to Get an Accurate Quote
The more detail you can share upfront, the more accurate your quote will be. When you reach out, have these ready:
- What you want tested: Specific applications, network ranges, cloud environments, or APIs.
- The size of the target: Number of pages or endpoints, IP addresses, user roles, or API endpoints.
- Any compliance requirements: PCI DSS, SOC 2, HIPAA, or client-specific mandates.
- Your preferred approach: Black box, gray box, or white box (or ask for a recommendation).
- Your timeline: When testing needs to be completed. Some firms charge a premium for rush work; we can start most engagements within 24 hours at no extra cost.
A reputable firm will walk you through scoping, explain their methodology, and give you a fixed-price quote. That quote should include the test itself, a detailed findings report with remediation guidance, an executive summary for leadership, a findings review call, and retesting to verify your fixes. If a provider can't give you a clear price after a scoping conversation, that should give you pause.
Why Transparent Pricing Matters
The cybersecurity industry has a reputation for opaque pricing, and it frustrates buyers for good reason. If you don't understand what you're paying for, you can't evaluate whether you're getting good value. You end up choosing based on brand name or a sales pitch instead of substance.
When evaluating any provider (including us), look for these signs:
- Fixed-price quotes after a thorough scoping conversation, not vague estimates
- Retesting included at no additional cost (we include a 30-day retest window with every engagement)
- Direct access to the tester doing the work, not a sales team relaying messages
- No surprise fees for deliverables, meetings, or report revisions
- Sample reports with real findings, not reformatted scanner output
- Named testers with verifiable offensive security experience and certifications
Transparency builds trust. And trust is the foundation of every good security partnership. No fillers, just findings.
Get a Transparent Quote
Tell us what you need tested. We'll give you an honest, fixed-price quote with no surprises and no pressure.
Request a Quote