Updated: 2026-01-26

Penetration Testing: Scope, Costs & Provider Selection

A Practical Guide for Web, Network, Cloud & Red Team

A penetration test (pentest) is a controlled attack simulation designed to uncover exploitable vulnerabilities, prioritize risk, and derive concrete remediation steps.

This page helps you answer three questions:

  1. Which pentest type fits your situation?
  2. How to scope properly (without surprises)?
  3. How to identify serious providers – and realistic costs?

Proof instead of scan output

Pentests demonstrate exploit paths – including impact and reproduction.

Fix priorities

You know what must be fixed first (and why).

Clean scoping

Clear boundaries, rules, accounts, time windows – no surprises.


When does a pentest make sense?

Typical triggers

  • Go-live / launch or major releases
  • Architecture changes (e.g. new auth, new segments)
  • Cloud migration / Kubernetes introduction
  • Enterprise customers require pentest evidence
  • Recurring findings / security incidents

What a pentest does NOT replace

  • ongoing vulnerability management (scanning and patching between tests)
  • code review and other quality assurance
  • SIEM/MDR or incident response maturity

Which pentest fits? (Decision guide)

If your risk is…                                                        → then usually makes sense…

  • Web app/API is internet-exposed or processes sensitive data          → Web application pentest
  • AD/network/segmentation is critical (sites, VPN, server landscape)    → Network pentest
  • IAM/cloud config/Kubernetes is core infrastructure                    → Cloud pentest
  • You want to realistically test detection & response (SOC/MDR exists) → Red Team test


Scope Template

In Scope
  • Targets: (URLs / IP ranges / accounts / clusters / subscriptions)
  • Auth/Roles: (role list + test accounts per role)
  • Environment: (staging preferred / production possible with rules)
  • Goals: (e.g. data access, admin takeover, tenant escape)
Out of Scope
  • DoS/load testing
  • Social engineering (unless agreed)
  • Physical access
Rules of Engagement
  • Test window: (dates/times)
  • Monitoring: (who monitors / escalation path)
  • Emergency stop: (contact + process)
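As an added example (not the page's own material), the following Python helper turns a scope definition in the shape of the template above into something a tester can check every target against before touching it: in-scope and out-of-scope hosts and IP ranges plus the agreed test window. Exclusions always win over inclusions, URLs are reduced to their host, and anything outside the window is refused. The hostnames, IP ranges and dates are constructed sample values, not a real engagement.

```python
"""Scope / rules-of-engagement checker (added example, not from the page)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress
from urllib.parse import urlparse

# Constructed sample scope in the template's in/out/window shape.
# 203.0.113.0/24 is a documentation range; example.com is a documentation domain.
SCOPE_TEXT = """
in: 203.0.113.0/24
in: app.example.com
out: 203.0.113.10
out: payments.app.example.com
window: 2026-02-02T08:00:00+01:00 / 2026-02-06T18:00:00+01:00
"""


@dataclass
class Scope:
    in_networks: list = field(default_factory=list)   # ipaddress networks
    in_hosts: list = field(default_factory=list)      # exact host or parent domain
    out_networks: list = field(default_factory=list)
    out_hosts: list = field(default_factory=list)
    window_start: datetime = None
    window_end: datetime = None


def parse_scope(text):
    """Parse 'in:'/'out:'/'window:' lines; entries are CIDRs, single IPs or hostnames."""
    scope = Scope()
    for raw in text.strip().splitlines():
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "window":
            start, end = (datetime.fromisoformat(p.strip()) for p in value.split("/"))
            scope.window_start, scope.window_end = start, end
            continue
        nets = scope.in_networks if key == "in" else scope.out_networks
        hosts = scope.in_hosts if key == "in" else scope.out_hosts
        try:
            nets.append(ipaddress.ip_network(value, strict=False))  # single IP -> /32
        except ValueError:
            hosts.append(value.lower())
    return scope


def parse_target(target):
    """Return ('ip', address) or ('host', name) for a bare host, bare IP or URL."""
    host = urlparse(target).hostname if "://" in target else target
    host = (host or "").lower()
    try:
        return "ip", ipaddress.ip_address(host)
    except ValueError:
        return "host", host


def host_matches(host, patterns):
    """Exact match or subdomain of a listed parent domain."""
    return any(host == p or host.endswith("." + p) for p in patterns)


def check_target(scope, target, now):
    """Return (allowed, reason). Exclusions beat inclusions; the window gates everything."""
    if not (scope.window_start <= now <= scope.window_end):
        return False, "outside the agreed test window"
    kind, value = parse_target(target)
    if kind == "ip":
        if any(value in n for n in scope.out_networks):
            return False, f"{value} is explicitly out of scope"
        if any(value in n for n in scope.in_networks):
            return True, f"{value} is in scope"
        return False, f"{value} is not in any in-scope range"
    if host_matches(value, scope.out_hosts):
        return False, f"{value} is explicitly out of scope"
    if host_matches(value, scope.in_hosts):
        return True, f"{value} is in scope"
    return False, f"{value} is not in any in-scope host list"


if __name__ == "__main__":
    scope = parse_scope(SCOPE_TEXT)
    now = datetime(2026, 2, 3, 10, 0, tzinfo=timezone(timedelta(hours=1)))
    for t in ["https://app.example.com/login", "payments.app.example.com",
              "203.0.113.25", "203.0.113.10", "198.51.100.5"]:
        print(t, check_target(scope, t, now))
```

A checker like this belongs in the tester's tooling (for example as a guard in front of a scanner wrapper) and in the customer's monitoring: if a request arrives from the testing range against a host the check would refuse, that is exactly the escalation the RoE's emergency-stop contact is for.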

Results & Deliverables (what you receive)

Executive Summary

Management-ready risk overview including priorities.

Technical Report

Reproduction steps, evidence, affected assets, clear remediation guidance.

Attack Paths

How an attacker moves from A to B – including business impact.

Remediation Plan

Fix-first list, ownership, optional retest/verification.


Costs: what to expect

  • Web app/API:   €5k–25k
  • Network/AD:    €6k–30k
  • Cloud/K8s:     €6k–35k
  • Red Team:      €20k–80k

Cost drivers
  • Number of targets & complexity (roles/flows/segments/accounts)
  • Staging vs production (rules, monitoring, coordination)
  • Reporting depth & compliance requirements
  • Retest / fix verification

Rule of thumb: if a provider is extremely cheap, you usually get a scan + PDF – not a meaningful pentest.


Choosing a provider: scorecard & red flags

Scorecard (serious providers)

  • Methodology explained (manual + verified, not tools only)
  • Sample report available
  • Clear RoE & abort rules
  • Prioritization by impact & exploitability
  • Debrief/walkthrough included
  • Transparent retest policy

Red Flags

  • “Delivery in 24h” without proper scoping
  • No questions about roles/flows/architecture
  • Report without reproduction/evidence
  • CVSS list only, no context
  • DoS/load tests “by default”

Questions you should ask

  • How do you scope (in/out-of-scope) and what do your RoE look like?
  • How much is manual vs tool-based?
  • Can you show a sample report (including prioritization and remediation guidance)?
  • Is a debrief included? Who participates?
  • How is retesting/verification handled?

Common pentest mistakes

Mistakes

  • Unclear scope → wrong effort, wrong expectations
  • Tool-only scans instead of manual testing
  • No retest planned
  • Production testing without rules/monitoring

Better

  • Use a scope template + define RoE clearly
  • Explain roles/flows/architecture
  • Define fix-first priorities + ownership
  • Treat retesting as part of the plan

FAQ

How long does a pentest take?

Typically a few days to several weeks – depending on targets, roles/flows, and complexity. Red Team tests usually run for multiple weeks.

Does it have to be staging, or can production be tested?

Both are possible. Production requires clear rules, monitoring, abort processes, and coordinated time windows.

Is a vulnerability scan the same as a pentest?

No. A pentest includes manual testing, exploit paths, and impact-based prioritization – scans only provide indicators.

Will I receive a management report?

Yes – typically including an executive summary, risk overview, and prioritized remediation plan.


Request a pentest

If you’re unsure about scope or test type: briefly describe your situation. We’ll help you classify it.
