When an organisation starts looking for a penetration testing service, the same question almost always comes first: what does a real penetration test actually cost?
The doubt is reasonable. Between providers promising technical tests "from a few hundred", fixed proposals of several thousand and projects that comfortably run into five figures, it is hard for many IT, security or compliance leads to tell which price is fair and which proposal is inflated or, worse, too cheap to be trustworthy.
The short answer is this: a serious penetration test has no single price, because it depends on the scope, the technical complexity, the real amount of manual work, the experience of the team and the kind of validation the organisation needs. Even so, it is possible to talk about realistic market ranges, understand why they change and know how to buy penetration testing with judgement.
The nature of the service itself explains that variability. The OWASP Web Security Testing Guide remains a reference framework for structured web security testing, and a professional approach usually rests on formal methodologies and manual validation, not automation alone.
How much does a penetration test cost: the quick answer
As an indication, a professional penetration test starts from around €1,490 for a scoped web or API target, infrastructure from around €2,500, and combined external plus internal packs from around €4,900. These are our reference bands (one-off, excluding VAT):
- Scoped web or API: from around €1,490.
- Infrastructure: external test from around €2,500, internal from around €2,900.
- Combined external plus internal from around €4,900, audit-ready for ISO 27001 from around €5,500.
Want the breakdown by pack and a proposal matched to your real scope? See the penetration testing service and its pricing.
Recent public pricing guides agree on something important: the price of a professional pentest usually runs from a few thousand dollars or euros for small scopes to tens of thousands in complex scenarios, and can go well beyond that for large or red-team style exercises.
Translated into a practical reading:
- a simple website or small scope: often from around €2,000 to €6,000;
- a website, API or mid-sized environment: frequently between €5,000 and €15,000;
- complex scopes or several assets: often from €15,000 upwards;
- internal, hybrid, cloud or red-team exercises: can go considerably higher depending on depth, objectives and duration.
These figures are not a fixed tariff but a buying guide. What is useful is understanding the real work behind them.
The day rate: the reference many buyers never see
Although many proposals are presented as "fixed per project", the cost is in practice built on a combination of the number of technical days, the profile of the consultant or team, the amount of manual review, and the effort of analysis, exploitation, validation and reporting.
So when an organisation wants to buy with judgement, one of the most useful questions is not only "what is the total price" but also: how many real days does the proposal include?
As a market reference, a day of professional penetration testing usually sits in bands like these:
- roughly €500 to €1,000 per day on many standard projects;
- €650 to €1,200 or more where the scope demands senior profiles, high specialisation or complex environments;
- below that, what is often being bought is not a full pentest but a very basic, heavily automated exercise, or a scan with a little manual validation.
This is why the total figure alone can mislead. If someone offers a "serious" web pentest at an extremely low price, but the scope includes authentication, several roles, business logic, an API, control review and re-testing, the real days probably do not add up. And when the days do not add up, one of three things usually gives: the scope, the technical depth or the quality of the deliverable.
What a professional penetration testing service really includes
One of the most frequent mistakes when requesting a quote is comparing prices without comparing content. Two proposals can share a name and have nothing in common. A professional service usually includes, as a minimum:
- Scope definition: what is tested and what is not, windows, credentials, environments, restrictions and business objectives.
- Reconnaissance and initial modelling: mapping the target, its surface, technologies and critical points.
- Automated and manual testing: automation speeds things up, but the differential value is usually in manual validation and in finding logic flaws, access-control failures, flow abuse or chained weaknesses.
- Controlled exploitation: listing potential findings is not enough; the value is usually in confirming real impact safely, without disrupting operations.
- Prioritisation and reporting: findings with technical context, severity, evidence, impact and actionable recommendations.
- Debrief workshop: explaining results to technical or business owners.
- Re-testing: in many cases, a later review of remediations to verify they are genuinely closed.
This is aligned with the idea of structured testing captured by OWASP: methodology, coverage and technical guidance, not a superficial scan. When you evaluate providers, do not compare the final number alone; compare whether the project includes what you actually need. If you are unsure what that baseline looks like, our guide on what penetration testing is and its methodology sets it out.
What makes the price of a penetration test go up or down
1. The type of asset
Reviewing a simple corporate website is not the same as a critical application with complex authentication, several roles, an admin panel, integrations and an API. As a rough guide, a simple public website needs less effort; a business application raises the testing time; a well-covered API deserves specific testing; and an internal environment, infrastructure or Active Directory changes the type of work entirely.
2. Functional complexity
An application does not get more expensive only through the number of URLs or endpoints. It gets more expensive through several user roles, critical flows, complex business logic, third-party integrations, internal panels, exports and scheduled tasks, multi-tenant separation, or financial and sensitive operations. This is where the difference shows between a proposal that has been genuinely thought through and one built by eye.
3. The depth of testing
Some providers offer something close to a "quick check", and others a deep manual test. The problem is not that different levels exist; it is buying one believing it is the other. When decisions must be justified to auditors, customers or a board, it is best to avoid proposals that lean too heavily on automation. Public guidance warns that a pentest that is too cheap can end up being little more than a scan presented as a formal report.
4. Black, grey or white box
Cost also changes with the model: black box, with almost no prior information; grey box, with some access or context; white box, with more documentation and credentials. White box is not always cheaper in absolute terms: sometimes it lets the team spend more effort on depth and less on discovery, and sometimes it opens the door to a far more extensive review.
5. Compliance, audit or third parties
A pentest for internal improvement is not the same as one that must serve a procurement process, an audit, a certification or a contractual requirement. If the organisation needs evidence, traceability, closure meetings or more executive deliverables, the effort rises. That is also why many organisations combine a penetration test with a cybersecurity audit or with vulnerability management.
6. Whether re-testing is included
A proposal without re-testing tends to look cheaper. But if you then need a second phase to confirm fixes, the total cost changes. In serious contexts, re-testing usually adds a lot of value, because it turns the report into a real reduction of risk. Recognised standards bodies such as CREST and national guidance like the UK NCSC's on penetration testing make the same point about rigour and follow-up.
When a cheap penetration test turns out expensive
Seeking efficiency is reasonable. Seeking an unrealistically cheap pentest is not. The typical signs of a problematic proposal are: a very low budget for an apparently broad scope; little detail on methodology; little weight on manual review; a generic report; severities with no context; no debrief meeting; no re-testing; and promises of impossible timelines.
This does not mean every affordable provider is bad. It means you should ask for clarity: what exactly is tested, how many days sit behind it, how much is manual, who signs the work, and what deliverable you will receive. Our guide on how to read a penetration testing report helps you judge that deliverable before you commit.
How to compare penetration testing quotes without getting it wrong
When you receive several proposals, compare them with this logic:
- Real scope: does it include web, API, admin panel, mobile, infrastructure, or only part of it?
- Number of days: even if it is not stated explicitly, try to understand how many real days sit behind it.
- Manual depth: how much is manual analysis versus automation?
- Methodology: does it rest on recognised good practice? OWASP is a clear reference for web environments.
- Team profile: a junior running a checklist is not the same as a team that can chain findings and prioritise impact.
- Report quality: will it be useful for your technical team, for management and for third parties?
- Debrief and re-testing: are they included, or billed separately?
If one proposal looks much cheaper but drops several of these layers, you are simply not comparing the same service. The distinction between testing types is worth understanding in its own right, which is what we cover in a security audit versus a penetration test and in penetration testing versus red team versus BAS.
How much a penetration test costs by project type
Web application testing
The most common case. For small applications or low-stakes sites it can stay in moderate bands, but when there is authentication, several roles, complex flows or business logic, the cost rises quickly. Recent public references place many web projects from a few thousand to considerably higher depending on complexity.
API testing
APIs should not be treated as a free appendix of the front end. If the API matters, it deserves specific testing: authentication, authorisation, rate limiting, data exposure, business abuse and consistency across methods. Several public analyses even separate web and API pricing as distinct components.
Internal testing
This usually needs a different dynamic: segmentation, privileges, lateral movement, credentials, internal exposure and corporate services. The cost model changes because the work changes. For adversary-style depth, a red team exercise is a different proposition again.
Cloud or hybrid testing
When identity and access management, cloud configuration, public exposure, storage, secrets, integrations and distributed services come in, a project can look "small" in the number of assets and still be genuinely complex.
One-off pentest or a continuous programme?
It depends on your maturity. If you are about to launch an application, pass a customer review or validate a critical asset, a one-off test makes sense. But if your real problem is new assets appearing, frequent changes, a backlog of findings and little basis for prioritisation, an isolated test is not always enough. In those cases it is usually more effective to combine a cybersecurity audit to review overall posture, a penetration test to validate real impact, and vulnerability management to sustain the reduction of exposure over time.
When it is worth commissioning a penetration test, and when it is not
It is especially worth it when you are about to release a new application, you have made major changes, a customer or third party asks for validation, you handle sensitive data, or you want to check whether your current posture withstands a serious test.
It is not always the best first purchase when you do not yet have a clear asset inventory, the environment is disorganised and changing, there is not even a minimum baseline of hardening, or your main problem is operational and continuous rather than one-off. In those cases it can make more sense to start with cybersecurity consulting, an audit or a vulnerability management programme, and then run the pentest where it truly adds value.
The most common mistake when asking for a price
The most common mistake is to request a quote with a line like "I need a price for a pentest for my company". That almost always produces proposals that are hard to compare. It is better to provide, at least: the type of asset; the number of applications or environments; whether there is authentication; whether there are different roles; whether there is an API; whether it is production or pre-production; whether credentials are required; whether you need a technical report, an executive one or both; whether you want re-testing; and whether there is a deadline. The better the scope is framed, the better the quote and the lower the risk of buying something that does not fit.
So, what does a penetration test really cost?
The most practical answer: if the scope is small, you can be in a relatively contained band; if it is a real business application, it is normal to move to a mid band; if the environment is complex or the objective demanding, you should assume a higher budget; and if a proposal looks too cheap for the work promised, something important is probably missing.
Our experience and recent pricing references converge on the same idea: professional penetration testing usually runs from a few thousand for simple scopes to tens of thousands in broader scenarios with complexity, compliance or multiple targets. The point is not to chase the lowest number, but to buy a test that genuinely helps you detect relevant weaknesses, validate impact, prioritise well and fix with judgement. If you are also weighing providers more broadly, our guide on how to buy cybersecurity in 2026 and the companion piece on how much a cybersecurity audit costs are a good next read.
Want a penetration testing quote matched to your real environment?
At Hard2bit we analyse the scope, the technical complexity and the objective of the project to propose a penetration testing service with judgement: without inflating unnecessary work and without selling you a simple scan as if it were a real test. If it helps, we can support you in defining the scope, estimating the days and weighing whether you need a penetration test, a cybersecurity audit or a combined approach with vulnerability management. Talk to an expert and request your initial assessment here.