After surveying trusted penetration testing sources and published pricing, the cost of a penetration test for the average organization is $18,300. However, it is extremely rare to locate this theoretical average company, and this average calculation hides the difference between different types of penetration testing (networks, applications, whole organizations, etc.) and different types of penetration tests (black box, gray box, white box, social engineering, etc.).
Additionally, each organization will have unique needs, and penetration testing companies will have varying levels of skill, so the cost of a penetration test can start as low as a few hundred dollars and at the upper end can exceed $100,000. This wide range can be confusing and frustrating for an organization trying to budget for a penetration test. However, the range can be narrowed and understood in the context of the factors that affect penetration testing costs.
This article will provide insight into penetration test pricing, 11 key factors affecting pricing, information needed for a penetration testing quote, and how to pick a penetration testing vendor. Use the links below to jump ahead to the topic of interest:
- Average Penetration Testing Costs
- 11 Key Factors That Affect Penetration Testing Costs
- Information Needed for a Penetration Test Quote
- How to Pick a Penetration Test Service Provider
- Bottom Line: Appropriate Penetration Testing Benefits Outweigh Costs
Need a pricing reference point? Obtain a clear picture of the cost to automatically scan more than 140,000 security checks and deploy a continuous penetration testing service. This article’s sponsor, Intruder, provides an online price calculator for application and infrastructure vulnerability scanning as well as penetration testing for three discrete levels of service. Try Intruder free for 14 days!
Average Penetration Testing Costs
Our average calculation of $18,300 comes from polling 10 different penetration testing information sources. Most sources are penetration testing companies; however, some IT purchasing advisory firms are included.
As noted in the introduction, these averages hide some variances in the types of testing:
| Test Type | Average Low Price | Average High Price |
|---|---|---|
| Application or Website Penetration Test | $8,900 / application | $34,600 / application |
| Network Penetration Test | $9,900 / engagement | $53,700 / engagement |
These ballpark costs can be used to extrapolate the potential costs for an organization, but organizations need to also understand the inherent problems with this average pricing, standardized versus customized pricing, and biases in published pricing.
The Problem With Average Pricing
Average pricing can be misleading because penetration testing prices are often quoted in different units, that is, with different definitions of what a single price covers:
- A specific number of IP addresses
- The engagement based on an assumed company size
- A single scan
- A single application
- A single website, but all included web applications
The difference between these units of coverage can lead to vastly different price ranges that may confuse inattentive readers. Buyers need to carefully review the details and not be misled by the numbers.
Standardized vs Customized Pricing
Some of the conflicts in average pricing come from differences of opinion between standardized and customized pricing. Some vendors will claim all pricing needs to be customized for the client and others will note that standardized pricing indicates a trustworthy vendor.
Both claims are incomplete unless one considers the fine print. Some standardized pricing relies upon standardized penetration tests with rigidly defined scopes. This testing limits the vulnerabilities tested or the number of IP addresses or applications scanned.
Customers certainly prefer the certainty of flat-rate, standardized pricing, but often overlook that, in addition to strictly limiting the tests, the vendor typically also embeds contingency costs into the pricing. Standardized pricing can often be more expensive than customized pricing for the same work.
Either way, pricing is only one consideration. A buyer needs to read the fine print on published prices and statements of work to understand if the penetration tests will meet their needs.
Biases in Published Pricing
Prices published on websites inevitably contain unintentional biases or misleading information to deliver specific marketing messages in favor of the vendor. A buyer needs to understand the motivation of the vendor to understand the context of the information.
For example, consider RSI, a well-established penetration testing consultancy. Their website puts the cost of a “high quality, professional pen test” at $10,000-$30,000. This information serves two goals. First, it sets a high bar for costs for the customized pen testing RSI prefers to perform so customers can be prepared. Second, it positions any lower-cost penetration tests as low quality and unprofessional. In many cases this will be accurate, but not always.
On the other hand, consider Astra, a company offering standardized application testing. Their website publishes penetration test costs as low as $400 or $500 for some types of penetration scans. They even show “average penetration testing cost” for websites or apps to start at $2,500, cloud infrastructure to start at $600, and mobile apps to start at $1,500.
However, on each, Astra notes “per scan” without defining what the scan covers. Furthermore, they don’t indicate whether the scan includes any human exploration that would qualify the “scan” as a penetration test instead of a vulnerability scan.
These lower prices suit Astra’s marketing needs because they also offer low cost scans starting at $199 per month and annual penetration testing costs starting at $1,199 per year. Astra’s objective is to satisfy budget-minded organizations with standardized scans and to gloss over that penetration testing requires active exploitation of vulnerabilities, not just scans. While they do publish a disclaimer that “the cost of mobile app pentesting and cloud penetration testing depends upon multiple factors,” a reader scanning the article can easily miss that information and only see the low prices in the bullet points and tables.
Specific penetration testing companies, such as ScienceSoft, may publish a “rough estimate” cost for projects such as $5,000 for “Black box penetration testing of a company’s business-critical web application and up to 10 IP addresses.” These costs are based on their specific experience and their expectations regarding the typical engagement. However, this cost estimate will certainly increase if the testing is required to be in-person in Tokyo (add significant travel costs) and one of the IP addresses is a Microsoft 365 domain (add risk and difficulty).
It is not exactly bait-and-switch for an organization to publish a price that is lower than the average price they charge. Unless the vendor publishes details, we can’t know the specifics.
A vendor may be accurately portraying the price for a specific type of test. A vendor may also be selecting a portion of the bill that will be paid and strategically omitting other normal charges that increase the expenses such as extra charges for reporting, travel, consulting, etc. In all fairness to vendors, there simply are too many factors and variables for a comprehensive and fully accurate price to be published that would match all of the different possible clients, needs, and circumstances.
11 Key Factors That Affect Penetration Testing Costs
It can be difficult to create an average penetration test cost when there is no such thing as an average IT environment.
The size of an organization cannot even provide a guide since size does not relate to the value or even amount of data within the IT environment. For example, some multi-billion dollar industrial facilities have the equivalent IT environment of a small law office — and that law office might contain much more sensitive, regulated, and valuable data.
In general, the cost of a penetration test will be directly proportional to the number of hours that must be spent on preparing, executing, and documenting the penetration test. However, to figure out those hours, every pen tester and organization will need to consider the factors that affect those hours and the rates applied to those hours:
- Scope & Scale
- Penetration Test Type
- Tester Experience
- Compliance Requirements
- System Type
- Remediation and Retesting
- Future Opportunities
- Special Requirements
- Contract Type
- Vendor Type
- Costs Beyond The Contract
Scope and Scale
The size of an organization and the number of systems in scope for testing will be a primary determining factor for costs. While other factors can adjust the rate per system or rate per hour, the scope and scale provides the multiplier that generally determines the bulk of the final charges.
Despite the rise in the number of penetration testing tools that can automate some penetration testing tasks, any vulnerabilities located by automated tools should ultimately be tested for exploitation by a penetration tester. Even when an automated tool detects no vulnerabilities, a hacker with specialized knowledge might use their experience to exploit the system, network, etc.
Scope is determined by:
Number of networks: The number of IP addresses, network segments, virtual networks, wide area networks (WAN), software-defined WAN (SD-WAN), and other networks to be explored and penetration tested.
Number of devices: The number of devices, applications, websites, virtual networks, physical networks, containers, internet of things (IoT), and other elements that may require testing will each consume some amount of time for both the automated tool as well as for the human assessor.
Number of applications: The number of mobile, web apps, and websites to be tested. This may also involve API testing, database testing, and supply chain testing depending upon the type of applications and determined scope.
Number of people: If an organization decides to pursue social engineering tests, the organization may be charged by the number of people in the organization (unless flat-rate or hourly charges are used).
Scope boundaries: The organization may determine that they need to narrow the scope of the test for financial, legal, or time considerations. While selecting 3 of 6 locations, or 4 of 12 applications, easily comes to mind, more significant scope boundaries would be excluding SaaS providers (ex: Salesforce, Slack, Microsoft 365, etc.) and third-party APIs from major vendors such as Google, SAP, Cisco, or CrowdStrike.
Penetration Test Type
The type of penetration test will affect the number of hours required for testing and may incur additional expenses. Organizations should be familiar with the types of testing to understand how it may affect the quote.
Automated Tool Scans
Some vendors provide low-cost “penetration tests” using automated software that might only cost several hundred dollars per penetration test. However, this type of testing is more of a vulnerability scan instead of a penetration test. These scans list potential vulnerabilities without exploring the issue further by using hacking techniques to verify if the vulnerability can be exploited to extract data, disrupt operations, or enable future attacks.
This type of test may be suitable for minimum-quality check-box certification, and only the smallest organizations with the smallest potential damages should even consider these scans. Scan-only penetration tests often cannot satisfy the definition of a penetration test, do not provide the organization with a true test of their systems, and are unlikely to provide protection against future lawsuits in the event of a breach.
Professional Penetration Tests
Types of professional penetration tests are covered in more detail in What Is Penetration Testing? Complete Guide & Steps, but in short the three categories of penetration tests include:
- Black Box tests simulate hackers who know nothing of the network and do not have any access
- Gray Box tests simulate hackers that have some knowledge and access through social engineering, compromised credentials, etc.
- White Box tests provide the penetration testers with full access and require them to check all systems
Black Box tests can naturally limit the scope of a penetration test because systems and network segments that the penetration testers cannot reach will be out of scope. However, the time needed to bypass corporate network security systems (Ex: firewalls, intrusion protection systems) can be significant and an organization will need to decide if that type of testing is a priority.
It is possible to develop a hybrid test that starts off with a time-limited Black Box test to locate any easily discoverable vulnerabilities. Then the penetration test can shift to a Gray or White Box test of specific systems.
Some sources claim that White Box testing is the least expensive test because penetration testing teams do not have to defeat network security defenses. In some cases this will be true, but in other cases White Box testing can be the most expensive because of the unlimited scope.
For example, a white box test of a simple network of 25 desktop computers will be less expensive than a black box test of the same network. On the other hand, checking the source code, APIs, database connections, and integration of 25 applications embedded into a website will be more time consuming than a black box test that might only be able to access one application.
Tester Experience
The experience of the tester will sometimes be reflected in the hourly rate. More experienced testers will tend to be more expensive, yet, counterintuitively, selecting the more expensive option can also save money. Less experienced testers may cost less per hour, but may spend more hours setting up tools or attempting unproductive attacks that a more experienced tester would be able to avoid.
On the other hand, why spend extra for expertise when a less skilled tester can do the job just as well? For organizations with small, simple networks, a less experienced and low-cost tester may be sufficient.
More experienced testers will always insist that the length of time the company has been performing penetration tests will be of utmost importance. However, an experienced company might send inexperienced testers to perform the work, so be sure to obtain the credentials for penetration testers themselves.
A buyer also needs to explore the experience of the vendor with regards to their penetration testing needs. Although penetration testing specialists may maintain a broad variety of experts, generalist IT security vendors or individual consultants will specialize in penetration tests for either network security or application security and might be unable to perform both at the same level of expertise.
Compliance Requirements
Some regulations may require specific testing of specific systems, using specific techniques, or specifically certified vendors. For example, the Payment Card Industry Data Security Standard (PCI DSS) began to require that organizations accepting payment cards use PCI Security Council Approved Scanning Vendors to conduct required third-party penetration tests.
In some cases required scans may lead to the development of specific testing scenarios to check for compliance with that specific standard. Organizations required to comply with a standard (Ex: HIPAA, ISO 27001, GDPR, SOC 2, etc.) will need to verify that their vendor can perform the necessary tests and provide the necessary reports to meet compliance requirements.
System Type
What the penetration test needs to explore matters. Testing a website with embedded apps, connected databases, and attached infrastructure can be very different from testing a hybrid environment of wireless networks, local data centers, cloud data centers, and SD-WAN connected users.
Different skills and tools are needed for penetration testers to attack networks, mobile apps, website apps, websites, databases, cloud infrastructure, virtual networks, Kubernetes clusters, and SaaS tools. While the number of systems will remain the primary cost driver, the type of system may determine the rate for the testers.
Remediation and Retesting
After a penetration tester discovers and verifies a vulnerability, the organization will need to remediate the issue. In many cases, organizations will want their current IT vendors to remediate issues and use the penetration testing vendor to test the remediation.
In other cases, the penetration testing vendor will be asked to perform remediation since they found, exploited, and demonstrated expertise with the vulnerability in the IT technology. However, some consider asking a penetration testing company to check their own remediation efforts to be a conflict of interest.
Any remediated vulnerability will need to be scanned and tested again to prove the validity of the remediation. Complex remediation retests or a high number of remediations retested can increase overall penetration testing costs. Fortunately, in many cases, remediation retesting will not be a significant cost factor.
Future Opportunities
Many penetration testing contracts will be for 1-3 year engagements with periodic testing on a monthly or quarterly basis. This type of arrangement can allow the penetration testing vendor to offer discounts based on the prospect of ongoing work, which makes both revenue and expenses predictable.
As the penetration testing company becomes more familiar with the organization’s infrastructure, their attacking teams will be able to move faster in penetration testing to reach changed or new systems. However, this experience can prevent black box testing because of too much familiarity with the customer’s systems, and the penetration testers may fail to look at the systems with fresh eyes. Organizations often will seek to change penetration testing vendors after 3 years to see if fresh perspectives will discover new vulnerabilities.
Special Requirements
An organization can always increase costs with special requests and unusual requirements. For example, off-hours testing, onsite requirements, physical security tests, observations of processes, and social engineering can significantly affect the overall costs for a penetration test.
Off-hours testing: If an organization wants to minimize disruption, it may require penetration testing at night or during weekends to minimize disrupting normal employee activities. Of course, this may lead to extra charges or increased pen testing rates for the activities outside of normal business hours.
Onsite requirements: Offsite remote testing will be limited to IT attacks on IT systems and remote social engineering attacks (phone calls, phishing emails, etc.). In-person or onsite testing will incur travel expenses, but can provide a more robust range of attacks for both IT and other systems (physical security, etc.).
Observation of processes: Sensitive data regulations, such as HIPAA, may require a penetration team to evaluate the physical environment to ensure that no unauthorized person can observe regulated data. For example, a pen tester may be required to enter a hospital and observe the employee computer monitors to ensure no HIPAA data can be seen by patients or visitors.
Physical security test: Some penetration tests can be required to test on-site physical security systems such as security guards, door locks, alarm systems, and security cameras. These tests can require a completely different skill set with different rates and related risks such as physical damage to facilities (broken windows, locks, etc.).
Social engineering: Social engineering tests attempt to trick employees into revealing secrets that can be exploited to gain access to systems, disrupt operations, or steal data. Many organizations are used to the phishing simulation of employee cybersecurity training tools, but social engineering can go much further.
“Social engineering is the art of exploring human stupidity – and there is no patch for human stupidity,” explains Scott Lyons, CEO of penetration testing firm Red Lion. “Only 2% of successful attacks are on systems. 98% are through the vector of social engineering (phishing, personal interactions, USB drive drops, etc.).”
Most employees are not stupid, yet even the smartest employee can have stupid moments that lead to a breach. Social engineering can help identify key mistakes and identify mitigating controls to prevent exploitation.
Common examples of social engineering from a penetration test beyond typical phishing emails include: dropping malware-loaded USB drives in the employee parking lot, calling employees with fake IT calls, or sending someone in person to attempt to trick an employee into making a mistake. Social engineering can be controversial. On the one hand, it can be expensive to conduct and it can embarrass employees. On the other hand, it can be very successful and provide real-world experience for the organization.
Contract Type
Vendors can offer two types of contracts for limited engagements: fixed cost or time and materials (T&M). Companies like fixed cost contracts because of the cost certainty, but keep in mind that the vendor will need to add additional padding to account for likely scope creep and unexpected contingencies.
In many cases, a fixed cost contract will be higher in cost when compared to T&M contracts. In either case, the contract will likely detail specific penetration testing covered by the contract and what circumstances will require additional charges outside the scope of the contract.
Buyers can often work with vendors to create long term contracts that cover rolling tests or multi-year terms.
Vendor Type
When selecting a vendor, an organization will need to consider two key aspects: specialist versus generalist and vendor size. These aspects play a key role in determining the fit of the vendor with the organization and their requirements for the penetration test.
Specialist versus generalist
In selecting a vendor based on this aspect, the organization needs to select a fit within the spectrum that includes penetration test specialists at one end and IT generalists capable of conducting penetration tests at the other. Within the spectrum are vendors that broaden their range a bit to include compliance as well as penetration testing.
Companies may be tempted to stay in their comfort zone and contract with their IT generalist to also conduct penetration tests. Organizations should avoid using the same vendor that installed or remediated IT systems for two reasons.
First, the organization likely used their penetration testing capabilities to check the proper installation of the current environment and are unlikely to locate any additional vulnerabilities. Second, they have a conflict of interest since any discovered vulnerability suggests improper installation of IT systems and there is a possibility the vendor will look to hide some embarrassing discoveries.
The focus of a compliance or penetration testing specialist in their field typically leads to enhanced expertise and an ability to test the organization’s systems with more rigor than a generalist. However, while these rules of thumb tend to be accurate, a newer penetration testing company with little experience will not be as capable as a large IT vendor with a full-time, experienced penetration testing staff.
Vendor size
In general, the larger the vendor, the higher the cost of the penetration test, but some specialists can have higher rates due to their expertise. The more critical factor for vendor size is the fit with the organization’s needs.
For example, a boutique penetration testing company of three specialists located in Boston may be very skilled and capable. However, if the customer is a large multinational bank that requires physical examinations of 120 branch offices in 30 countries conducted in a three-month period, the boutique firm simply will not be large enough to complete the task in time.
An organization may need to pick a vendor that matches them with regards to size and location of offices, especially for time-sensitive tests. Organizations also may favor a vendor of a larger size, assuming that the larger organization will also have a larger capacity to absorb financial terms and liabilities.
For example, that large multinational bank may also require an invoice at the end of each month and payment terms of 60 days, which effectively delays payments for 90 days. A smaller boutique firm may not have the cash flow to wait 90 days for payment. Similarly, in the event of a lawsuit, the boutique firm may not have sufficient assets for the bank to obtain suitable compensation for potential damages.
Costs Beyond the Contract
The first ten factors in this list affect the pricing of the contract. However, many organizations overlook and fail to budget for the costs beyond the contract: internal IT team labor costs, internal IT team capability tests, test environments, and penetration test damages.
Internal IT Team Labor Costs
When conducting a penetration test, the internal IT team will consume time responding to, preparing for, or recovering from the penetration test activities. White and gray box penetration testing will be more time-consuming because credentials, IP address lists, network diagrams, and other supporting materials will need to be prepared for the penetration test team.
Internal IT Team Capability Tests
When performing a penetration test, there are two options for how to involve the internal IT security team: with warning or without warning.
Warning the security team will lead the security team to spend extra time preparing for a penetration test which will increase both their abilities and internal costs related to the penetration test. However, warning the staff provides key advantages.
First, it will increase the ability of the IT security staff overall. Second, it will ensure sufficient staff will be available in the event that the penetration testing team disrupts a key operations system, such as a payment processing server. Lastly, a test conducted without warning might result in an unhappy and embarrassed security team.
Despite the benefits of providing warning, some organizations perform penetration tests without warning to gain an accurate assessment of the organization’s current abilities. A surprise test accurately simulates an attack and the IT security team’s ability to detect, triage, counter, and remediate attacks based on their current capabilities, tools, and IT system status.
An effective way to avoid the negative consequences of a surprise penetration test is to conduct the test in phases. Initially, conduct a black box test and see what the attackers can find.
If key systems could be jeopardized, the attackers can provide notice to the organization and schedule a secondary phase to exploit the discovered vulnerability when the IT team can be on hand and prepared to deal with the consequences of a successful exploitation. Shifting to a phase with warned IT staff will minimize embarrassment and operations disruption.
Test Environments
An organization may want to protect their operations from disruption and conduct penetration tests within a developmental or test environment. For example, a large ecommerce site could not tolerate the lost sales from downtime if the penetration testing crashes the product database. However, when establishing a test environment, an organization also needs to ensure that they will budget for the additional resources to create, secure, and maintain that test environment.
Penetration Test Damages
A penetration testing team will require the company to hold the penetration testing company harmless for damages and other costs related to a successful penetration test. While these costs will not be predictable, a contingency budget should be prepared for possible damages. This can range from the costs of replacing broken windows from a successful physical penetration test to the intangible lost business costs related to the disruption of an ecommerce website.
Information Needed for a Penetration Test Quote
To aid a vendor in generating informative and useful quotes, a buyer will need to prepare estimates or define key factors such as:
- Scale and Scope
- Penetration Test Type
- Compliance Requirements
- System Type
- Future Opportunities
- Special Requirements
- Contract Type
Additional preparation might be useful to extract more value from the penetration test or reduce costs.
How to Pick a Penetration Test Service Provider
When selecting a penetration testing vendor, organizations can become overwhelmed trying to look past the claims of the vendor to determine actual capabilities. Even with fully verified claims, an organization may find it difficult to distinguish between comparable vendors. The buyer must judge the capabilities of the vendor, measure experience, determine trustworthiness, and determine fit in the buying process.
References: A primary method is to check references, although a vendor will certainly hand-pick happy customers. Be sure to ask those happy customers about a time when the vendor made a mistake or delivered bad news and how the vendor handled it. With medium to large engagements, mistakes will happen and how a vendor handles problems can be quite informative.
Understandable proposals: Buyers should examine the proposed plan for the penetration test and how the company presents it. Is the plan easy to understand? Comprehensive? Does the plan match the company’s needs? Beware of promises of rates or turnaround times too good to be true.
Can the vendor explain the penetration test methods clearly? The best experts can explain difficult concepts in simple terms without trying to blind the audience with a flood of acronyms.
Credentials: Also ask for the credentials and certifications of the penetration testers performing the work. Vendor credentials for tools are okay, but nowhere near as rigorous a qualification as an Offensive Security Certified Professional (OSCP).
Sample reports: If possible obtain anonymized or sample penetration test reports to judge the potential final work product. The reports should present clear findings that are easy enough to understand at a high level for non-technical executives and in detail for the IT and security teams performing remediation. Beware of vendors that provide reports that contain company names and IP addresses — perhaps your proprietary data will be on the next sample report handed out by that vendor.
Test runs: When in doubt, engage the top prospects in trial test runs. Many vendors will accept a trial engagement with a retainer fee and initial requirements.
Often these will be black box engagements where the vendor will be asked to explore and report on the company’s main IP address. The buyer can then use real penetration testing to explore the capabilities of the vendor as they execute the phases of penetration testing, the clarity of their communication, and the fit with the organization.
Bottom Line: Penetration Testing Costs
Any professional penetration testing expense will be worth it. Every vulnerability located offsets potentially much larger costs of a breach. Even a report of ‘no findings’ provides invaluable peace of mind and evidence that the organization has exercised reasonable effort in defending their IT environment and critical data.
Companies that do not perform their own penetration tests will be less prepared for attackers, and may be unpleasantly surprised if one of their partners performs a supply chain penetration test and finds the organization lacking. In either of these cases, the organization may lose significant business or suffer harm.
No matter the confidence of the organization in their IT security, only a rigorous penetration test can validate that confidence. Confidence without validation may be arrogance waiting for a rude awakening.