How Much Does a Penetration Test Cost?

If you are shopping for a test and just want a number, here it is up front: how much a penetration test costs usually lands somewhere between a few thousand dollars and the low tens of thousands, depending on what is being tested. This guide is for the business owner who got a quote, or three very different quotes, and wants to know what they are actually paying for before they sign.

The short version is that price tracks scope and effort. A test of one internet-facing setup costs less than a test of your whole internal network, your web app, and your staff’s resistance to phishing. That part is intuitive. The part that trips people up is that two quotes for the “same” test can be miles apart, and the cheap one is often not a real test at all. Let’s walk through it plainly.

What you are actually paying for

A penetration test is a person, an authorized one, trying to get into your systems the way a real attacker would, and then handing you a plain-English list of what they found and how to fix it. The cost is mostly skilled human time. Someone has to scope it, run it carefully so nothing breaks, chase down the chain of small issues that an automated tool skips, and write up something you can actually act on.

That is the line that separates a real test from a cheap one. An automated scanner can be pointed at your network in an afternoon and will spit out a long PDF. It finds the obvious, known stuff. A human finds the boring chain that actually gets someone in: a reused password here, a forgotten account there, one share everyone can read. You are paying for the human, not the scan.

How much does a penetration test cost across the market

Across the industry, published pricing guides put a typical penetration test somewhere around $5,000 to $50,000 or more, with averages often cited near $18,000 (see the cost guides from Astra and BrightDefense for the wider market picture). Big enterprise red-team engagements run past $100,000. Those numbers are real, but they cover everyone from a two-person startup to a bank, so they are not much help when you are a 30-person business trying to budget.

For most small and mid-sized businesses, the right number is a lot more grounded than the scary end of that range. Our own pricing starts at $4,000 for an external test and goes up from there based on what you add. We publish it openly so nobody has to “request a quote” just to learn the ballpark. You can see the full pricing here.

If you are testing                              Where pricing starts
Your internet-facing setup (external)           from $4,000
External plus your internal network             from $6,500
External, internal, web app, and phishing       from $10,000

Retests are included on every tier. Once you fix what we found, we check the fixes at no extra charge. That is part of the test, not an upsell.

Why the cheapest quote should worry you

Here is the thing to watch for. If someone quotes you a “penetration test” for a few hundred dollars or even under a couple thousand, you are almost certainly buying an automated scan with a nice cover page. The cost guides above say the same thing: extremely cheap tests are usually scanner output repackaged as manual work.

That matters for two reasons. First, you do not get the real value, the human finding the things a tool misses. Second, if you are doing this for cyber insurance or a contract, a scan dressed up as a pentest can come back to bite you when a claim or an audit looks closely at what you actually bought. A test you cannot stand behind is worse than no test, because you thought you were covered.

This is also why many firms quote, and many businesses pay, $10,000 or more, often for an automated-only engagement. We think that is backwards. You should get manual and automated testing, by a real person, for a fair price. If you want the longer version of this, we wrote a whole piece on the difference between a penetration test and a vulnerability scan.

What actually moves your price

When you get a quote, the number is built from a handful of honest factors. None of them are mysterious.

  • Scope. How much are we testing? Just your external footprint, or also the internal network, the web app, and your people? More surface means more time and a higher cost. This is the biggest lever.
  • Complexity. A flat single-site network is quicker to test than a sprawling environment with many systems, custom apps, and lots of user roles to check.
  • Type of test. Testing a custom web application or running a phishing campaign against staff is more involved than a straightforward external network test.
  • Compliance needs. If you need the test done a particular way to satisfy an insurer, a client contract, or a framework, that shapes the work and sometimes the documentation.
  • Whether it is real. This is the one nobody lists, but it is the main reason two quotes differ. Manual testing by a skilled person costs more than running a tool. It is also the only kind worth buying.

Notice what is not on that list: having a VPN, a firewall, or a remote-access portal does not make a test cost more or mean you are in trouble. Those things are supposed to exist. A good test checks whether they are patched, configured right, and behind multi-factor login, not whether you have them.

So what should a small business budget?

If you run a typical small or mid-sized Arizona business and you are testing your internet-facing systems, plan for something in the $4,000 to $6,500 range for a real, manual external or external-plus-internal test. Add a web app or a phishing component and you move toward $10,000. That is the honest band for most of the businesses we work with, and it is below what the national firms quote for the same work.

If a number you have been given is far below that, ask one question: is this a manual test by a named person, or a scan? The answer tells you what you are really buying.

FAQ

How much does a penetration test cost for a small business?

For most small businesses, a real penetration test starts around $4,000 for an external test and runs to roughly $10,000 for a full external, internal, web app, and phishing engagement. The exact number depends on how much you are testing. See our pricing for the starting points.

Why are some penetration tests so cheap?

Because they are not really penetration tests. A quote of a few hundred dollars is almost always an automated scan with a report attached. A real test is mostly skilled human time, so it costs more, and it finds the things a scanner cannot.

What makes a penetration test more expensive?

Scope and effort, mainly. Testing more systems, adding your internal network, testing a custom web app, or running a phishing campaign all add skilled hours. Manual testing by a real person also costs more than a tool, and it is the part worth paying for.

Is a penetration test worth the cost?

For most owners, yes, especially if an insurer or a client is asking for one. You walk away knowing exactly where you stand and with a prioritized fix list you can act on. A test that leaves you clearer and calmer, with retests included, is money well spent.

Where to start

Knowing how much a penetration test costs is only half the answer. The other half is knowing which test you actually need. Not sure, or wondering whether a quote you already have is fair? Tell us a little about your business and what is prompting the test, and we will come back with a straight answer and a fixed quote, no pressure and no scare tactics. Request a quote, or read more about external penetration testing to see what is involved.

Sources: Astra pentest cost guide, BrightDefense pentest pricing.
