Penetration Testing Cost: 2026 Pricing Guide
Real penetration testing costs by type, scope, and provider. Actual price ranges, red flags in quotes, and how to scope a test without overspending.
What penetration testing actually costs in 2026 — real numbers, not “it depends.”
I’ve scoped, purchased, and reviewed the output of dozens of penetration tests over the past few years. Some were worth every dollar. A few were outright scams — automated vulnerability scans dressed up in a 40-page report template with a “pentest” label slapped on the cover.
The pricing landscape for penetration testing is genuinely confusing if you haven’t bought one before. Quotes range from $3,000 to $200,000+ for what vendors all describe as “a penetration test.” That spread isn’t just about scope differences. It’s about fundamentally different services being sold under the same name.
Here’s what penetration testing actually costs, what drives those costs, and how to avoid overpaying for the wrong thing.
Penetration Testing Cost by Type
These are real ranges based on what I’ve seen quoted and delivered in 2025-2026 for mid-market companies (100-2,000 employees, typical IT environments). Your mileage will vary with scope and complexity, but these are honest center-of-market numbers.
External network penetration test
$8,000 - $25,000
Tests your internet-facing attack surface: public IPs, DNS, mail servers, VPN endpoints, exposed services. A competent external pen test takes 5-10 days of tester time for a typical mid-market company with 50-200 external-facing assets. If someone quotes you $3,000, they’re running Nessus and reformatting the output.
Internal network penetration test
$12,000 - $35,000
Assumes the attacker is already inside — either through a compromised endpoint, a malicious insider, or post-phish access. Scope includes Active Directory enumeration, lateral movement, privilege escalation, and data access testing. Internal tests are more labor-intensive than external because the attack surface is larger and the paths are more complex. Expect 8-15 days of tester time.
Web application penetration test
$10,000 - $40,000 per application
This is per-app pricing. A simple brochure site is at the low end. A complex SaaS application with authentication, API integrations, role-based access, and file upload functionality is at the high end. The variable here is the number of authenticated roles, the complexity of the business logic, and whether you need testing of API endpoints beyond the UI. If your app handles payments or health data, expect the tester to spend more time on data-handling flows, which pushes cost up.
API penetration test
$8,000 - $30,000
Dedicated API testing (REST, GraphQL, gRPC) separate from a web app test. Pricing depends on the number of endpoints, authentication mechanisms, and whether the API documentation is current. Undocumented APIs take longer — the tester has to discover the attack surface before testing it. I’ve seen API pen tests run 50% over budget because the client’s API docs were two years out of date.
Mobile application penetration test
$15,000 - $35,000 per platform
iOS and Android are tested separately. Each platform has its own attack surface: local data storage, certificate pinning, inter-process communication, binary protections. If you need both platforms tested, budget for roughly 1.7x a single platform (not 2x — there’s overlap in the API layer testing).
Cloud infrastructure penetration test
$15,000 - $50,000
AWS, Azure, or GCP environment testing: IAM misconfigurations, storage bucket exposure, network segmentation, serverless function security, container escape paths. The scope variable here is enormous. A single-account AWS environment with 20 services is a different engagement than a multi-account landing zone with 200+ services and cross-account roles. Make sure the scope document specifies which accounts, regions, and services are in bounds.
Social engineering / phishing assessment
$5,000 - $20,000
Phishing campaigns, vishing (phone-based), or physical social engineering. Phishing-only assessments are at the low end — the tester builds a pretext, sends emails to an agreed target list, and reports click/credential-capture rates. Full social engineering that includes phone pretexting and physical access attempts (badge cloning, tailgating, dumpster diving) is at the high end and requires more planning time and on-site travel.
Red team engagement
$40,000 - $150,000+
A red team engagement is not a penetration test. It’s an adversary simulation with specific objectives (e.g., “exfiltrate customer PII,” “gain domain admin,” “access the wire transfer system”). Red teams operate with minimal scope restrictions, combine multiple attack vectors, and test your detection and response capabilities — not just your preventive controls. The price reflects weeks of skilled operator time across multiple phases: reconnaissance, initial access, persistence, lateral movement, objective completion, and reporting.
What Drives Pen Test Pricing
The ranges above are wide because six factors shift the price significantly.
Scope and complexity. More assets, more applications, more complex environments = more tester time = higher cost. This is the primary driver.
Compliance requirements. If you need PCI DSS, HIPAA, or SOC 2-aligned testing with specific methodology documentation, the engagement requires additional reporting and methodology compliance, which adds 10-25% to the base cost.
Tester credentials and firm reputation. An OSCP-certified tester from a boutique offensive security firm charges differently than a junior analyst at a large consultancy running a playbook. CREST, OSCE, OSEP, and GXPN certifications signal deeper expertise and command premium rates. That premium is usually worth it — the quality difference between a skilled manual tester and a checklist operator is enormous.
Retesting. Most firms include initial findings delivery but charge separately for retesting after remediation. Retesting typically runs 15-25% of the original engagement cost. Some firms include one retest in the base price — ask before you sign.
Reporting depth. A technical findings report is standard. Executive summaries, board-ready presentations, and detailed remediation guidance with prioritized roadmaps cost extra at some firms and are included at others. Clarify what’s in scope.
Timeline. Rush engagements (need results in 2 weeks instead of 6) can carry a 25-50% premium. Plan ahead.
The Provider Spectrum
Who you hire matters as much as what you buy.
Freelance pen testers ($100-$200/hour). Lower cost, but you’re betting on one person’s skills and availability. Good freelancers exist — some are former offensive security consultants who went independent. But there’s no peer review, no methodology standardization, and no organizational accountability if something goes wrong. Best for targeted, well-scoped assessments where you know the tester personally.
Boutique offensive security firms ($200-$400/hour). This is the sweet spot for most mid-market companies. Firms like Bishop Fox, NetSPI, TrustedSec, and Black Hills InfoSec have deep offensive expertise, strong methodology, and enough team depth for peer review. Their testers are typically OSCP+ certified and do this work full-time. You’re paying for expertise, not brand.
Big 4 / large consultancies ($300-$500/hour). Deloitte, EY, PwC, KPMG all have penetration testing practices. The brand carries weight with boards and auditors. The tradeoff: the senior partner who sold the engagement isn’t the person doing the testing. The actual work is often performed by junior consultants following a methodology document. You might get excellent testers or you might get someone who passed the OSCP six months ago and is on their third engagement. Ask who’s doing the hands-on work.
Bug bounty platforms (variable). HackerOne, Bugcrowd, and Synack offer crowd-sourced testing models. These aren’t traditional pen tests — they’re continuous programs where independent researchers test your assets and get paid per valid finding. The economics are different: you pay for results, not time. The downside is inconsistent coverage and no guarantee of methodology completeness. Bug bounty complements pen testing; it doesn’t replace it for compliance or comprehensive coverage purposes.
Red Flags in Pen Test Pricing
After reviewing enough pen test proposals and deliverables, certain patterns reliably predict a bad engagement.
Price under $5,000 for anything beyond a tiny scope. A legitimate penetration test requires skilled human analysis. If someone is offering a “comprehensive network penetration test” for $4,000, they’re running automated scanners and formatting the output. You’re buying a vulnerability scan with a pen test cover page. That’s not worthless — but it’s not a pen test, and you shouldn’t pay pen test prices for scan output.
Fixed price with no scoping conversation. Any firm that quotes a flat fee before understanding your environment is pricing a commodity service, not a skilled assessment. A real pen test firm needs to understand your asset count, complexity, compliance requirements, and testing objectives before quoting. If they quote sight-unseen, they’ve already decided how much time they’re going to spend regardless of what they find.
No methodology documentation. Ask what methodology they follow (OWASP, PTES, OSSTMM, CREST). If the answer is vague or absent, the testing approach will be ad hoc. Ad hoc testing finds some vulnerabilities. Methodical testing finds them systematically and ensures coverage.
Deliverable is just a scanner output. Ask for a sample report (redacted). If the findings section reads like Nessus or Burp Suite output with no manual analysis, exploitation evidence, or attack narrative, that’s what you’ll get. A pen test report should include proof-of-concept exploitation, attack chains, and business impact analysis — not just CVE numbers and CVSS scores.
How to Scope a Pen Test Without Overspending
The most common mistake I see is either over-scoping (testing everything at once) or under-scoping (testing so little that the results aren’t actionable).
Start with a risk assessment. Before scoping a pen test, know what you’re trying to protect and what your most likely attack vectors are. A security risk assessment identifies the assets and threats that matter most. That assessment drives pen test scope — test the things that would hurt most if compromised, not everything with an IP address.
Phase your testing. Instead of one massive engagement annually, consider splitting scope across quarters. External network this quarter, web app next quarter, internal network and AD the quarter after. This spreads cost, keeps findings fresh, and gives your team time to remediate between tests.
Be specific about scope documents. The scope document should list: in-scope IP ranges and domains, in-scope applications with URLs, testing hours and any blackout windows, whether social engineering is included, whether DoS testing is permitted, who holds the escalation phone number. Ambiguous scope leads to either wasted tester time or missed attack surface.
Align testing to compliance cadence. If PCI DSS requires annual pen testing, schedule it to complete 2-3 months before your audit so you have time to remediate findings. Same for SOC 2 observations — pen test findings that are open at audit time become exceptions. Use our cybersecurity risk assessment checklist to make sure nothing falls through the cracks.
Pen Test Frequency and Budget Planning
Annual minimum. Most compliance frameworks (PCI DSS, SOC 2, HITRUST) require at least annual penetration testing. This is the floor, not the ceiling.
Quarterly for high-risk environments. If you’re deploying code weekly, operating in a regulated industry, or handling sensitive customer data, annual testing leaves too long a gap. Quarterly testing — rotating scope across your environment — catches vulnerabilities introduced by changes between annual tests.
Continuous for mature programs. Organizations with mature security programs supplement periodic pen testing with continuous approaches: bug bounty programs, breach and attack simulation (BAS) tooling, and red team exercises. The combination of periodic depth (pen test) and continuous breadth (bug bounty + BAS) provides the most comprehensive coverage.
Budget rule of thumb. For a mid-market company, expect to spend 5-15% of your annual security budget on offensive testing. If your total security spend is $500,000, that’s $25,000-$75,000 annually across all testing activities. This is one of the highest-ROI security investments you can make — it’s cheaper to find vulnerabilities through testing than through incident response. For a deeper look at how to frame that ROI conversation, see our guide on measuring cybersecurity ROI.
What a Pen Test Is Worth vs. What It Costs
A penetration test that costs $20,000 and discovers a critical vulnerability in your external-facing application — one that could lead to a data breach with $2M+ in incident response, notification, legal, and regulatory costs — has a return that makes the pricing discussion irrelevant.
The flip side: a $50,000 pen test that produces a 60-page report your team doesn’t have the bandwidth to remediate has a negative return. The test itself doesn’t reduce risk. Remediation reduces risk. Budget for both.
When I work with companies through strategic oversight engagements, pen testing is one piece of a broader security program — not a standalone checkbox. The test tells you where you’re exposed. The program determines whether you actually close the gaps. Without the governance layer to prioritize, resource, and track remediation, even the best pen test is just an expensive inventory of problems you already have.
If you’re ready to scope a penetration test or build offensive testing into your security program, let’s talk about what makes sense for your environment.
FAQ
How much does a basic penetration test cost?
A basic external network penetration test for a small-to-mid-market company typically costs $8,000-$15,000. This covers your internet-facing assets — public IPs, DNS, mail servers, VPN endpoints. Internal network tests run $12,000-$25,000. Web application tests start around $10,000 per app. These are for competent, manual testing from a reputable firm — not automated scan output repackaged as a pen test. If you’re seeing quotes significantly below these ranges, scrutinize what’s actually being delivered.
How often should we do penetration testing?
At minimum, annually — and most compliance frameworks require it. If you deploy code frequently, operate in a regulated industry, or have experienced a significant infrastructure change, quarterly testing with rotating scope provides better coverage. The goal is to catch vulnerabilities introduced by changes between test cycles. Continuous approaches like bug bounty programs complement periodic testing but don’t replace the methodical coverage a structured pen test provides.
What’s the difference between a penetration test and a vulnerability scan?
A vulnerability scan is automated — a tool like Nessus or Qualys scans your environment against a database of known vulnerabilities and produces a list of findings. A penetration test is manual — a skilled tester attempts to actually exploit vulnerabilities, chain them together, escalate privileges, and demonstrate real business impact. The scan tells you what might be vulnerable. The pen test tells you what’s actually exploitable and how far an attacker can get. Both are valuable; they’re not interchangeable. If your “pen test” report reads like scanner output, you bought a scan.
Should we use a freelancer or a firm for pen testing?
It depends on scope and accountability requirements. Freelance pen testers can deliver excellent work for well-scoped, targeted assessments — especially if you know the tester’s track record. For comprehensive assessments, compliance-driven testing, or engagements where you need organizational accountability (someone to call if a tester accidentally breaks something in production), a reputable offensive security firm is the safer choice. The firm provides methodology standardization, peer review of findings, and a professional liability structure that an individual freelancer typically cannot.
Nicholas Carlson — Technical Advisor, vCSO.ai. Building security tools and advising on cybersecurity product strategy.