
Penetration Testing Cost Guide for 2026: What Drives the Number

A scope-transparent guide to penetration testing pricing in 2026 — what you are actually paying for, the drivers that move the number, qualitative ranges by engagement type, and how to scope so the quote doesn't surprise you.

Author: CyberGuards Security Research Team

Why this guide does not have a price list

Penetration testing is a scope-bound professional service, not a software subscription. The same engagement type — say, "a web application pentest" — can move several-fold in cost depending on what is actually in scope. Two web apps with the same name on the box can differ by ten times the endpoint count, by five roles versus thirty-five, by single-tenant versus deeply multi-tenant, by staging-available versus production-only, and by whether the report needs to satisfy one auditor or four.

A responsible vendor quotes after scoping, not before — and quotes a fixed number, not an hourly estimate. This guide explains what actually moves the number, how to think about ranges by engagement type, and how to scope your side of the conversation so the price you hear back is not a surprise. It does not list CyberGuards' prices, because the only honest price for your scope comes out of a thirty-minute scoping call. It does explain why our prices land where they do.

What you are paying for

A penetration test is not a tool license, an audit, or a compliance certificate. It is a time-boxed, scope-bound investigation conducted by humans, the output of which is a report and a remediation conversation. Three line items account for almost the entire bill of a well-run engagement.

  • Senior tester days on your specific surface. The single largest line item in any honest quote. Not a checklist walked once a quarter, not a scanner output with a logo, not a junior handed your account after the sales call.
  • A report your engineers, auditors, and board will use. Reporting is typically a fifth to a quarter of the total time, and it is where the value lands. Findings with working proofs of concept, paste-ready remediations, severity that means something, and a control mapping auditors accept on first read.
  • A retest of reported findings after you fix them. Included in scope by default with reputable vendors. The retest is what turns your report from a test-day snapshot into the post-fix document you can show customers and auditors.

Anything in a proposal that is not directly producing one of those three things is overhead. Feature checkboxes — dashboards, briefing decks, AI-flavored prioritization layers — can be useful, but they are not the product. The testers and the report are the product. Pricing should reflect that.

The seven drivers that move the number

If you understand these seven, you can predict roughly where a quote will land before you receive it. They are listed in roughly the order of how much each tends to move pricing.

  1. Size of the attack surface in scope. Endpoints in a web app, operations in an API, IP addresses in a network, accounts in a cloud tenancy, models and tools in an AI feature. More surface, more tester-days, more cost.
  2. Role and tenant complexity. A two-role application with a single tenant is a different engagement from a ten-role multi-tenant SaaS where every role can act against every resource. Role-matrix coverage is the highest-leverage line of testing on most modern apps — and a major driver of engagement length.
  3. Depth of testing. Unauthenticated-only testing is shallower and shorter. Authenticated, role-by-role, cross-tenant testing is deeper and longer. Most material findings live on the authenticated side of the boundary, which is why most reputable engagements are at least partially authenticated.
  4. Compliance framework alignment. Mapping findings to SOC 2 trust services criteria, ISO 27001:2022 Annex A controls, PCI DSS v4 requirements, HIPAA safeguards, or NIST 800-53 control families adds reporting time. Multiple frameworks at once add more. The work is worth doing — the report your auditor sees is the version that determines whether the control passes — but it is real time and it shows up in the quote.
  5. Environment and safe-testing constraints. Staging available, production-only, segmented internal networks behind a jump host, air-gapped environments, regulated data in scope — each of these adds setup time and constrains what the tester can do per hour.
  6. Retest and remediation support. Whether retest and a remediation walkthrough are included in the base price changes the headline number but also the value. Quotes without retest look cheaper on the proposal and ship a report that ages out of date the moment you start fixing things.
  7. Tester seniority and region. The per-day rate underneath every line above varies with the seniority of the testers and where they sit. A senior tester in North America or Western Europe is materially more expensive per day than a junior tester in a low-cost region — and on most engagements the price difference is justified by the depth difference. The exception is bulk-scan work, which a junior can do well and which a senior should not be billed for.

Cost ranges by engagement type

Here is where the ranges typically land — described qualitatively, because any specific dollar number written here would be misleading for half the readers. Combine these with the seven drivers above to triangulate where your scope will sit.

Engagement | Typical duration | Cost shape
Single web application | 2–3 weeks of testing + reporting | Low five figures for a focused engagement; rising with role count, integrations, and tenancy depth.
API (REST or GraphQL) | 2–3 weeks of testing + reporting | Low five figures for a focused API; rising with endpoint inventory and business-logic depth.
Multi-app SaaS engagement | 3–5 weeks of testing + reporting | Mid five figures and up — the price reflects shared services, SSO, and role matrix across the suite, not just per-app additions.
External + internal network | 3–5 weeks of testing + reporting | Mid five figures and up — scales with IP scope, segmentation, AD or identity provider depth, and access model.
Cloud (AWS, Azure, GCP) | 2–4 weeks of testing + reporting | Mid five figures typical — driven by account count, IAM trust paths, and workload type. Multi-cloud or multi-account environments run higher.
Red team engagement | 4–6 weeks of operations | Higher than a standard pentest — duration, multi-stage objectives, detection-program engagement, and any physical or social-engineering scope all move it up.
AI / LLM feature test | 2–4 weeks of testing + reporting | Comparable to a focused web app or API engagement, varying with model surface, RAG and tool-use depth, and OWASP LLM Top 10 coverage.
Compliance pentest | Depends on underlying surface | Adds reporting time to the underlying engagement for control mapping across SOC 2, ISO, PCI, HIPAA, or NIST.
Retest of reported findings | Days, after fixes | Should be included in the base engagement price. A separate line item — especially an hourly one — is a pricing pattern to question.

"Low five figures" and "mid five figures" are deliberately qualitative. The same engagement type runs at the low end of those bands in some markets and the high end in others, and the surface details — number of apps, role count, integrations — can move it inside the band by a factor of two or more without anyone padding the quote. Use the qualitative bands to sanity-check a number, not to predict one.

What should be included in the price

Read the proposal carefully. A reputable engagement includes the following without separate line items.

  • A senior tester on your engagement, named, with a resume attached to the proposal. The person on the scoping call should be the person doing the work.
  • A shared communication channel open through the engagement, with same-day disclosure of critical findings. Critical findings do not wait for the final report.
  • Reporting that serves three audiences in one document. A one-page board summary; an executive section with compliance control mapping; a developer section where every finding has working proof of concept, reproduction steps, severity, and paste-ready remediation.
  • Retest of reported findings. After your team ships fixes, the affected findings are retested and the report is reissued so the version your auditors and customers see reflects post-fix state.
  • A remediation walkthrough. A working session with your engineering team where the tester walks through findings, answers stack-specific questions, and pairs on the harder remediations.
  • A follow-up window. An open channel for questions for a defined period after report delivery — typically thirty to ninety days.

If any of those sit as separate line items in a proposal, ask why. A reputable vendor's number includes all of it, and the proposal reads accordingly.

What is legitimately extra

Some additions to a base engagement are reasonable to price separately, because they cannot be sensibly anticipated at scoping time:

  • Out-of-scope surface added mid-engagement. A new product line, a newly acquired company's environment, or a region you did not have at scoping that you now want covered.
  • On-site or travel-dependent work. Physical red team operations, on-premises network testing where remote access is not feasible, or insider-threat scenarios that require a tester in your office.
  • Specialized scope. IoT or embedded device testing, OT or industrial control systems, hardware testing, or social engineering of staff.
  • Re-engagement on a material change. A retest of the same surface after a major release, a new authentication system, or a region or partner expansion. The retest of reported findings is included; the retest of the whole environment after material change is a new engagement.
  • Expedited delivery. A standard timeline can usually be expedited if testers are available. Compressed delivery sometimes carries a premium because it locks more of the bench than a normal engagement does.

How to scope so the quote does not surprise you

Most cost surprises trace back to a scoping call that did not collect the right artifacts. Bring three things, and the quote will land where you expect.

  • A surface inventory. Apps with rough endpoint counts, APIs with operation counts, networks with CIDR ranges, cloud accounts with workload type and rough resource counts. Half a page is enough; precision matters more than length.
  • A role and tenant matrix. For multi-tenant SaaS products this is the single highest-leverage document you can bring. Roles, tenants, and what each role is expected to be able to do across critical resources. The matrix you write down on the call almost always differs from what the application actually enforces — and that gap is most of the engagement.
  • A business outcome. Why you are running this engagement now: a customer asking for a current report, an audit on the calendar, a board-level concern, a new feature shipping, a regulator inquiry. The reason shapes the scope, the timeline, and the framing of the report.

A scoping call that ends with a fixed scope, a fixed price, a fixed delivery date, and a one-page statement of work is the strongest signal that you are talking to a vendor who has done this before. A scoping call that ends with "we will send a proposal next week" is not necessarily a deal-breaker — sometimes the vendor needs to check bench availability — but it is a tempo signal worth noticing.

Pricing red flags in proposals

The proposal document often tells you more about how the engagement will run than the sales conversation does. Read for the following pricing patterns.

  • Per-finding pricing. "We charge per vulnerability found." Real pentests find what is there; per-finding pricing creates an incentive to inflate counts or split findings.
  • Hourly-only billing. Hourly billing is normal for some consulting work, but on a pentest with an agreed scope, hourly billing usually means scope creep is in the vendor's interest. Fixed-price quotes after scoping are the standard.
  • Findings count commitments. "We typically find twenty or more vulnerabilities per engagement." A real pentest is not a quota.
  • Retest as a separate line item. Most acute when the retest is billed hourly. The report you ship to auditors and customers will lag reality if retest is not built into the base price.
  • Headline pricing materially below market. A quote that is half what comparable vendors are quoting for the same scope is almost always a smaller engagement than the proposal implies — fewer tester-days, junior testers, or a scan dressed as a pentest.
  • "Daily executive briefings" as a headline feature. Briefings are fine; if they are featured ahead of the testers and the report, the proposal is dressing up a thin engagement.
  • One-week engagement on a multi-app SaaS. The math rarely works. Two senior testers for a working week is ten tester-days, and a meaningful share of that goes to reconnaissance, role-matrix setup, and reporting. On a multi-tenant product you are buying coverage, not depth.

Contract terms that affect total cost of ownership

The total cost of working with a pentest vendor is not just the engagement fee. A few contract clauses materially change the long-run value of the relationship.

  • Right to share the report. You should have unlimited right to share the final report with customers, auditors, regulators, and prospects under NDA. Clauses that gate distribution on vendor approval add friction at exactly the moment the report is most valuable.
  • Data handling and retention. What does the vendor do with screenshots, exfiltrated test data, and report drafts at the end of the engagement? Industry-typical practice is deletion within thirty to ninety days with written confirmation.
  • Subcontractors. Whether subcontractors are used, who they are, where they sit, and whether they sign NDAs with terms equivalent to yours. A vendor that does not subcontract is more expensive per day than one that does, and on most engagements that premium is justified by depth and consistency.
  • Liability and insurance. Standard liability caps are typically one to three times the engagement fee. Professional liability (errors and omissions) and cyber liability insurance with meaningful limits are the norm; ask for certificates.
  • Right to re-engagement on materially underdelivered work. An articulated process for a no-cost rerun if the engagement falls clearly short is a sign that the vendor stands behind the work.

How CyberGuards approaches pricing

We do not publish a price list because we do not believe a price list is honest for this product. We do publish how we price, which is the part you can compare against any other vendor.

  • Scope-based, fixed before kickoff. The scoping call is thirty minutes. You leave with a fixed scope, a fixed price, and a fixed delivery date. No hourly billing, no scope creep, no per-finding charges.
  • Senior testers, every engagement. The person on the scoping call is the person doing the testing. No subcontractors, no junior handoffs after signing.
  • Retest of reported findings included. Built into the base price by default. The report your auditors and customers see reflects post-fix state, not test-day state.
  • Same-day disclosure of critical findings. On a shared channel with your security and engineering leads, throughout the engagement.
  • Reporting that serves three audiences in one document. Board summary, executive control-mapped section, and developer-actionable findings — every finding with a working proof of concept and a paste-ready remediation.
  • Remediation walkthrough and a follow-up window. A working session after report delivery, and an open channel for questions through the remediation period.

Where our number lands relative to the qualitative tiers above depends on the same drivers that move any vendor's number: surface size, role and tenant complexity, depth, frameworks, retest and remediation support, and the seniority of the bench. The shape of the engagement also matters — a focused web application pentest prices differently from an audit-aligned compliance pentest mapped to multiple frameworks, and a red team operation sits in a different band altogether. The single most accurate way to know what we would charge for your scope is to do the scoping call. Most happen the same week.

The honest shortcut: if a vendor sends a number without understanding your role matrix, tenancy model, framework requirements, or what triggered the engagement, the number will be wrong. It will be either too low — and the engagement will under-cover, or scope will creep — or too high, to give the vendor margin against unknowns. Scope first, price second. Always.

The bottom line on cost

Three things are worth holding in mind when you are evaluating quotes side by side. First, the cheapest quote on a shortlist is almost never the right answer — and is often the most expensive on a per-tester-day basis once you adjust for what is actually included. Second, the cost of a bad engagement — a missed finding that ships into production, a customer that stalls at procurement, an audit finding that comes back next year — dwarfs the price difference between any two responsible vendors on the shortlist. And third, the report is the deliverable; the testers are the product. A quote that does not show you what those two things look like, in writing and via a redacted sample, is a quote you cannot evaluate.

If you want to know what we would charge for your scope, the scoping call is thirty minutes, costs nothing, and ends with a fixed scope, a fixed price, and a fixed delivery date — whether or not you choose us.


FAQ

Penetration testing pricing — common questions

Why does no one publish a single penetration testing price?

Because the work is scope-bound. The same engagement type can vary several-fold in cost depending on the size of the surface in scope, the depth of role-matrix testing, the compliance frameworks the report must map to, and whether retest and remediation support are included in the base price. Any vendor quoting a single number before they understand your scope is anchoring, not pricing.

What is the typical cost range for a penetration test?

Smaller single-application engagements typically run in the low five figures. Larger multi-environment, multi-application, network and cloud, or red team engagements run higher. The right number for your scope comes out of a thirty-minute scoping call — fixed, before kickoff, with no hourly billing afterwards.

What changes the price most?

Five things move the number more than anything else: the size of the surface in scope, the number of roles and tenants in a multi-tenant product, whether the engagement is authenticated (deeper) or unauthenticated only (shallower), the compliance frameworks the report must map to, and whether retest and a remediation walkthrough are included in the base price. Tester seniority and region affect the per-day rate underneath all of that.

Should retest be a separate line item?

No. A retest of reported findings should be included in the base engagement price so the report your auditors and customers see reflects post-fix state, not test-day state. Retest as an hourly add-on is a pricing pattern that leaves the report you ship out of date.

Is a cheaper quote ever the right answer?

Sometimes — if the cheaper vendor genuinely has a leaner cost base for the same scope and bench seniority. More often, the cheapest quote on a shortlist reflects a smaller engagement than the others (fewer tester-days, shallower depth, or no retest), and the buyer has not noticed the scope is not actually like-for-like. The fix is to ask each vendor to bid on exactly the same surface inventory and role matrix.

What does CyberGuards include in its base price?

A senior tester from start to finish, a shared channel for same-day disclosure of critical findings, a report with a board-level summary, an executive control-mapped section, and developer-actionable findings, plus a retest of reported findings after your team ships fixes. Pricing is fixed on the scoping call before kickoff — no hourly billing, no scope creep.

How quickly can I get a real number for my scope?

Most scoping calls happen the same week. The call itself is thirty minutes; you leave with a fixed scope, a fixed price, and a fixed delivery date — whether or not you choose us.

Want a real number for your scope?

A 30-minute scoping call with our lead pentester. No slides, no pitch. We look at what you have, tell you what we would test first, and quote a fixed scope, fixed price, and fixed delivery date — whether or not you choose us.