What does a Pentest Cost

What does a pentest cost? It is the most commonly asked question we receive. This information will help you understand how to size your pentest and understand how to get a quote for it.

There is what appears to be much secrecy in the cybersecurity and pentesting industry over to the cost of a pentest. While this is true to an extent, it is mostly because every test is a little different from the number of systems involved in the depth of penetration testing, goals required and technologies. It all varies the cost, some in a small way and others to a great extent.

To help you understand the costs involved, we put together the following examples based on our most common tests. These are provided purely as a guide to the cost of penetration testing.

Understanding the Cost of a Pentest

Internal Pentest Cost

Internal pentests can have one of the highest costs. An internal pentest is typically against all internal systems within a business network and the wide expanse can make for a very long test. As a rule of thumb a tester can work through 20 machines per day so it does not take long for the days to mount up.

Example Scope

A typical pentest for a smaller business is usually along these lines:

  • 50 Windows workstations (mix of PCs and laptops) on one single Active Directory domain
  • 4 Windows servers (all VM’s on one VMWare server)
  • 3 printers
  • VoIP phone system
  • 2 Wireless networks

Example Price


Mobile Application Pentest

Testing mobile applications for common security flaws is a common job for us and something we do on a weekly, if not daily, basis. We have test harnesses for both Android and Apple based applications and we can perform both static and dynamic testing. Because we do these regularly and have heavily invested in our testing environments, we have been able to drive down the cost of the pentest for mobile applications.

Example Scope

Mobile application penetration testing of one android based mobile application. Simple user interface that is used to collect field data from a user on jobs and send that data back to a cloud based server. No local information is stored on the application and all authentication is performed across the mobile networks to the application server.

Example Price

£1900 – £3800

Web Application Pentest

Web application penetration testing is all about test a web application regardless of where it is hosted or what technology was used to create the application. The pentest cost for web applications varies a lot depending on the complexity of the application. When it comes to web apps, it is often best for one of the test team to go through the application with to to ensure we have a full understanding.

Example Scope

A web application penetration test against a single PHP application based on the Laravel framework that allows users to subscribe to a service, create news feeds and blog entries and sell their goods on a platform.

  • 50 dynamic pages
  • 100+ static pages
  • 300 points of interaction
  • 3 card payment options for client use
  • 3 user levels. Admin, Shop Staff and Customer
  • Testing must meet requirement 11.3 of the PCI-DSS due to the card payments.

Example Price

£3800 – £7500