How much does a pentest cost? The criteria that drive the price
A pentest can cost €1,000 or €15,000. The range is as wide as the services it covers are different. Before requesting a quote, it helps to understand the variables that move the price, so you don't compare apples to oranges and don't buy form without substance.
Variable 1: scope
This is the most decisive factor. A pentest on a 10-endpoint web application is not the same work as auditing a multi-tenant SaaS platform with a complex GraphQL API, iOS/Android mobile apps, and cloud infrastructure. The larger the surface, the more time is required.
Best practice is to define a precise scope before requesting a quote. "All of our security" is not a scope. "The REST API of our appointment booking application, tested grey box with a standard user account" is.
Variable 2: duration
Duration follows from scope. A targeted pentest on a simple application takes 1 to 2 days. A full audit (web, API, mobile, cloud) takes 3 to 5 days. A red team engagement can range from 5 days to several weeks.
Cutting duration to reduce cost directly affects coverage: a tester given one day instead of three can only test a fraction of the surface. This isn't a problem if the scope is reduced accordingly, but it is if expectations remain the same.
Variable 3: information level (black, grey, white box)
In black box, the tester spends part of the time on reconnaissance. In grey box, they start with an account and can go deeper faster. In white box, they access the code and can cover vectors unreachable through dynamic testing alone.
The information level doesn't directly change the daily rate, but it changes the quality-to-depth ratio for a given budget. A well-scoped grey box over 2 days will often cover more than a black box over 3 days on the same scope.
For more on choosing between levels, the dedicated article on the three box types breaks down the decision criteria.
Variable 4: test type
A web pentest differs from a mobile pentest, an Active Directory infrastructure audit, or a red team engagement. Skills, tools, and duration vary by type. An Active Directory audit requires specific expertise not every tester has. A mobile test involves reverse engineering and runtime analysis (Frida, Objection). A red team engagement integrates phishing, physical intrusion, and lateral movement.
Realistic price ranges in 2026
- Targeted pentest (web or API, 1 to 2 days): €1,000 to €3,000 excl. tax. Defined scope, report, and 1-month remediation follow-up.
- Full pentest (web, API, cloud or mobile, 3 to 5 days): €3,500 to €8,000 excl. tax. Detailed report, verbal debrief, and 3-month follow-up included.
- Infrastructure / Active Directory audit (3 to 5 days): €4,000 to €9,000 excl. tax depending on domain complexity and network scope.
- Red team or adversary simulation (5 days to several weeks): quoted after scoping. Duration and scenario complexity determine the budget.
A €500 pentest is not a pentest. It's an automated scan with an auto-generated PDF report and a logo on it.
What hides behind a price that's too low
A very low price (below €1,000 for a "web pentest") almost always hides one of these realities:
- An automated scan (Nessus, OpenVAS, OWASP ZAP) presented as a pentest. Automated tools systematically miss business logic vulnerabilities, IDOR flaws, and authorisation issues.
- Partial coverage: a few hours of testing, a generic report not tailored to your context.
- No post-report support: you receive the PDF, you're on your own after that.
What a fair price includes
Beyond the test itself, a serious pentest includes: precise scoping before the engagement, a structured report with proof of exploitation (not just a CVE list), a verbal debrief to answer the technical team's questions, and support during remediation. Skipping this last part risks partial fixes.
At Cybreach Consulting, remediation support is included for 3 months after every pentest. The engagement doesn't end at report delivery. The full engagement process is detailed here.
The right selection criterion is not the lowest price. It's the ratio between what you want to learn from the engagement and the depth of coverage the budget genuinely allows.
Frequently asked questions
How much does a penetration test cost?
The price depends mainly on the scope, the type of test and its duration: from €500 excl. VAT for a Discovery Audit up to €4,500 excl. VAT for a 5-day Full Pentest.Why does pentest pricing vary so much?
For an apparently identical service, the cost can vary fourfold depending on the size of the scope, the level of access provided (black, grey or white box) and the depth of exploitation required.Is a cheap pentest a bad sign?
A very low price often hides a simple automated scan rather than a real manual test. The right benchmark: a quote that matches a clear definition of what is actually tested.
Further reading
A question after reading?
Want a firm quote on a specific scope? Send a message, free scoping within 48 hours.
Or book a 30-minute scoping call directly
Book a call →