Penetration testing costs

Penetration testing costs depend less on a vendor name and more on scope, depth, and constraints. Clear definitions lead to offers that are comparable and reliable.

From practice: unclear access, missing test accounts, or undocumented entry points often lead to re-estimation or reduced scope.


What really drives cost

Scope & assets

Number of applications, APIs, hosts, cloud accounts, and external entry points.

Depth & method

Manual testing, business-logic checks, auth bypass, and exploit evidence.

Constraints

Production vs. staging, timeboxing, rules of engagement (RoE), access to test accounts or logs.

Deliverables

Executive summary, technical report, PoCs, re-test, and fix verification.

Why there is no fixed price

Pentests are tailored to your systems. Small differences in scope, access paths, or test depth can shift effort significantly. That is why scoping clarity matters more than any price list.


Typical cost drivers

  • many systems or highly connected environments
  • complex authentication and role models
  • production systems with tight test windows
  • multiple test types in parallel (web + network + cloud)
  • additional compliance requirements (e.g., specific report formats)

How to control effort and quality

  • Make scope explicit: goals, boundaries, assets, test windows.

  • Prioritize: start with critical systems, cover edges later.

  • Provide context: architecture, auth, tech stack, known risks.

  • Define expectations: which risk and impact criteria apply?

Example for orientation

A small scope with a few apps and clear roles is predictable. A broad scope with many subdomains, multiple roles, and production dependencies requires more time for exploration, alignment, and re-tests.


What a good offer should include

  • clear test goals and boundaries
  • method and approach (e.g., OWASP/ASVS, PTES)
  • effort estimate and team roles
  • expected deliverables with example structure
  • re-test policy and stop criteria

Scope note

This page provides orientation for effort estimation. It does not replace a binding offer, legal advice, or a compliance assessment.


Next step

Briefly describe your need. We help assess scope and effort realistically. Note: we advise on preparation and selection, but do not run tests.
