One of the most common questions we receive during scoping calls is straightforward: how much does a penetration test cost? The honest answer is that it depends on scope, but that response — while accurate — is not particularly useful when you are building a security budget. This guide provides transparent pricing ranges based on current market rates for manual penetration testing, so you can plan with confidence.
Penetration Testing Cost Ranges by Type
The following ranges reflect market rates for manual penetration testing — not automated vulnerability scan reports marketed as "pentests." If a vendor quotes significantly below these ranges, ask what percentage of the assessment is manual versus automated. The answer will be instructive.
External Network Penetration Test
Typical range: $8,000–$15,000
An external network penetration test evaluates your perimeter from the perspective of an unauthenticated attacker on the internet. Scope includes all externally-facing IP addresses, services, and applications. The tester enumerates exposed services, identifies misconfigurations, exploits vulnerabilities, and attempts to gain internal network access through the perimeter.
Internal Network Penetration Test
Typical range: $10,000–$25,000
An internal test simulates a threat actor who has already gained initial access — through phishing, a compromised VPN credential, or physical access. This is where Active Directory attacks, lateral movement, privilege escalation, and trust relationship abuse are tested. Scope and complexity vary significantly based on the number of network segments, Active Directory forests, and physical sites.
Web Application Penetration Test
Typical range: $8,000–$25,000
Web application testing goes beyond the OWASP Top 10 to include business logic testing, authentication bypass, IDOR chains, API security, race conditions, and session management flaws. Pricing depends on application complexity: a simple marketing site with login is on the lower end; a multi-role SaaS platform with complex API integrations is on the higher end.
Combined Engagements
Typical range: $15,000–$50,000
Most organizations benefit from combining external and internal network testing, often with web application testing included. Combined engagements are priced at a discount versus individual tests, and they provide a comprehensive view of your security posture that auditors prefer to see.
What Drives the Price Up or Down?
- Scope: Number of IP ranges, applications, and network segments directly impacts effort. A single /24 subnet takes less time than a multi-site enterprise with 50 VLANs.
- Complexity: Active Directory environments with multiple forests, complex trust relationships, or hybrid cloud configurations require more testing time.
- Approach: Black-box testing (no information provided) typically costs more than gray-box (standard user credentials provided) because the tester spends more time on reconnaissance.
- Compliance requirements: Tests scoped to satisfy specific compliance frameworks (PCI DSS 11.4, SOC 2, HIPAA, NY DFS 23 NYCRR 500) may require additional documentation and attestation.
- Timeline: Expedited engagements (less than 2 weeks from SOW to testing) may carry a premium.
- Re-testing: Reputable firms include a complimentary re-test within 90 days to validate remediation. If re-testing is an add-on charge, ask why.
Red Flags in Penetration Testing Pricing
Watch for these indicators that a "penetration test" quote may actually be an automated vulnerability scan:
- Pricing under $3,000: A qualified manual test cannot be completed at this price point. You are likely receiving a Nessus/Qualys scan with a cover page.
- Fixed pricing regardless of scope: If the price does not change whether you have 10 IPs or 10,000, the vendor is not scoping a manual assessment.
- No scoping call: A legitimate penetration tester needs to understand your environment before providing a quote. If the price arrives without questions, the methodology will be generic.
- Report delivered within 48 hours: Manual testing requires time. If a "full penetration test" report appears in two days, it was generated by a scanner.
How to Budget for Penetration Testing
For most mid-market organizations, budget $15,000–$40,000 annually for a comprehensive penetration testing program. This typically covers:
- One combined external/internal network test per year
- One web application test per major release or annually
- Remediation re-testing (should be included at no additional cost)
- Attestation letters for compliance documentation
Organizations in regulated industries — financial services, healthcare, legal — should plan for quarterly testing rotations, which can be structured as annual retainer agreements at reduced per-test rates.
The cost of not testing is quantifiable: the average data breach costs $4.88 million (IBM, 2024). A $25,000 annual penetration testing investment is insurance against a risk that is orders of magnitude more expensive.