Five scoping mistakes that double your pen-test bill

How buyers accidentally inflate pen-test cost during the scoping call — and the simple corrections that bring quotes back to reality.

Published May 28, 2026 · 7 min read


Most pen tests cost more than they should because of decisions the buyer made — or didn't make — on the scoping call. The provider can only quote what you describe. Vague scope produces padded quotes. Padded quotes produce sticker shock. Sticker shock produces twelve weeks of back-and-forth before the engagement even starts.

Here are the five scoping mistakes that consistently inflate quotes by 50–100%, with the specific correction that fixes each.

Mistake 1: scoping the whole product when only one part needs testing

Buyer says: "We want a pen test of our SaaS platform."

What the provider hears: marketing site, login flow, dashboard, settings, admin panel, internal tools, mobile apps, public API, partner API, billing portal, support widget, status page. They scope to cover all of it because they have to assume worst case.

What you actually need: pen test of the customer-facing dashboard and the public API.

The fix is to write down the actual application boundaries you care about and exclude everything else explicitly. The scoping document should list the URL prefixes that are in scope and a separate list that is explicitly out of scope. Your marketing site running on a static host doesn't need a pen test. The Salesforce-hosted partner portal you don't control isn't yours to test. Your billing flows run on Stripe, and Stripe pen tests Stripe. One caveat: the code that glues you to those third parties is still yours. The webhook handler that accepts Stripe events and the redirect that lands a customer back in your app belong in scope even though the hosted pages don't.

A clean in-scope/out-of-scope list typically removes 40–60% of what a generic quote covered.
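As an added example (not from the article), here is the kind of scope gate a test team runs over every URL that turns up during recon, using the in-scope and out-of-scope entries from the template at the end of this post. Two details matter in practice and are easy to get wrong: an explicit exclusion must win over an inclusion, and anything that matches neither list is "unlisted" and needs a decision from you, not a silent assumption by the tester. The discovered URLs are constructed sample input; the `*.` wildcard convention is this example's own, not a standard.

```python
# Scope gate for pen-test recon output. Added example, not the article's code.
# Matching rules (this example's own conventions):
#   - hosts match exactly; "*.example.com" matches subdomains but not the apex
#   - paths match on a segment boundary, so "/v1/" covers "/v1/users"
#     but not "/v10/users"
#   - scheme and port are ignored; add separate entries if they matter
from urllib.parse import urlsplit

# Entries taken from the article's scoping email template.
IN_SCOPE = ["https://app.acme.com/", "https://api.acme.com/v1/"]
OUT_OF_SCOPE = [
    "https://acme.com/",
    "https://docs.acme.com/",
    "https://billing.acme.com/",
]


def _host_and_path(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host, parts.path or "/"


def _matches(url, entry):
    """True when url falls under the scope entry."""
    host, path = _host_and_path(url)
    entry_host, entry_path = _host_and_path(entry)
    if entry_host.startswith("*."):
        # Wildcard covers subdomains only; "app.acme.com" is not "*.app.acme.com".
        if not host.endswith(entry_host[1:]):
            return False
    elif host != entry_host:
        # Exact host match: "staging-app.acme.com" is not "app.acme.com".
        return False
    prefix = entry_path.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def classify(url, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Return 'out', 'in' or 'unlisted'. Exclusions are checked first so an
    explicit out-of-scope entry always wins over an in-scope one."""
    if any(_matches(url, e) for e in out_of_scope):
        return "out"
    if any(_matches(url, e) for e in in_scope):
        return "in"
    return "unlisted"


def triage(urls, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Bucket recon output; the 'unlisted' bucket goes back to the buyer."""
    buckets = {"in": [], "out": [], "unlisted": []}
    for url in urls:
        buckets[classify(url, in_scope, out_of_scope)].append(url)
    return buckets


# Constructed sample recon output.
DISCOVERED = [
    "https://app.acme.com/settings",
    "https://api.acme.com/v1/users/42",
    "https://api.acme.com/v10/users",      # looks in scope, is not
    "https://docs.acme.com/api",
    "https://acme.com/pricing",
    "https://staging-app.acme.com/login",  # host substring, not a match
]

if __name__ == "__main__":
    for bucket, urls in triage(DISCOVERED).items():
        print(bucket, urls)
```

Run it and the `unlisted` bucket (`/v10/` and the staging host) is the list you send back to the provider before the quote is final; those two cases are exactly the ones a naive substring check would have pulled into scope without anyone agreeing to it.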

Mistake 2: not providing a test account, then asking for "full coverage"

A pen test that can't authenticate hits maybe 15% of your real attack surface. Everything that matters — IDOR, broken access control, privilege escalation, business-logic abuse, authenticated injection — lives behind the login wall.

When a buyer doesn't provide test accounts during scoping, providers either (a) quote for the unauthenticated subset and don't tell you, (b) quote for everything and add a hefty buffer in case provisioning takes forever, or (c) refuse to commit to depth and quote time-and-materials instead of a fixed fee.

The fix: before the scoping call, provision the test accounts. You need at least two: IDOR testing needs a second user whose records the first one should not be able to reach, and privilege-escalation testing needs one account per role you care about (the template at the end of this post asks for one per role). Put them in your staging environment if you don't want the tester touching production, and say so in the scope, because findings in a staging build with different auth configuration from production are worth less. Have credentials ready. Pre-set each account to the role you want tested.

This single decision shifts the quote from "we'll cover what we can" to "we'll cover the full authenticated surface for this fixed price" — and it usually drops the variance band by 20–30%.

Mistake 3: forgetting to mention multi-tenancy

Multi-tenancy doubles the test depth. Every endpoint that takes an organization or workspace identifier needs to be tested for cross-tenant access. Every shared resource needs a check that tenant A can't see tenant B's data. Every webhook, every export, every search needs the test.

If your application is multi-tenant and the scope doesn't say so, the provider quotes single-tenant scope. When they get to the engagement and discover otherwise, you get a change order, or they cut corners.

The fix: in the scoping form, write the word "multi-tenant" if you are. Provide test accounts in two separate tenants. Identify your two or three highest-sensitivity resource types (records? files? messages?) so the tester knows where to focus the cross-tenant probing.

This is almost always the highest-impact disclosure you can make. A finding like "tenant A can read tenant B's customer records via the export endpoint" is a procurement-killer; you want it found by your tester, not by your prospect's security team.
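Mistakes 2 and 3 come down to the same test: take everything one account can legitimately reach and replay it as a second account that should see none of it. The block below is an added example, not the article's or any provider's code. It stands in a toy in-memory API for the export endpoint in the sentence above, with a vulnerable handler that looks records up by id alone beside a fixed one, and a probe that harvests ids through tenant B's own list endpoint and replays them as tenant A. The record store, the `Session` shape and the two tenants are constructed for illustration.

```python
# Two-account cross-tenant probe. Added example, not from the article.
# Constructed toy API: global integer record ids (the shape that invites IDOR),
# two tenants, and one export handler in a vulnerable and a fixed form.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str
    role: str


class NotFound(Exception):
    pass


# Constructed data store; ids are global, tenants are a column.
RECORDS = {
    1: {"tenant": "tenant-a", "body": "A's customer list"},
    2: {"tenant": "tenant-b", "body": "B's customer list"},
    3: {"tenant": "tenant-b", "body": "B's Q1 export"},
}


def list_records(session):
    """List endpoint, correctly scoped: only the caller's tenant."""
    return sorted(rid for rid, r in RECORDS.items() if r["tenant"] == session.tenant)


def export_vulnerable(session, record_id):
    """Export endpoint as shipped: looks up by id only, never checks tenant,
    so any authenticated user in any tenant can read any record."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec["body"]


def export_fixed(session, record_id):
    """Fixed export: tenant comes from the session, never from the request,
    and a cross-tenant id gets the same NotFound as a missing one so the
    response does not reveal which ids exist in other tenants."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["tenant"] != session.tenant:
        raise NotFound(record_id)
    return rec["body"]


def cross_tenant_probe(handler, attacker, victim):
    """Harvest every id the victim can list, confirm the victim can export it,
    then replay the export as the attacker. Returns (record_id, body) pairs
    the attacker should not have been able to read; an empty list is a pass."""
    leaked = []
    for rid in list_records(victim):
        try:
            handler(victim, rid)  # baseline: the victim legitimately sees it
        except NotFound:
            continue
        try:
            body = handler(attacker, rid)
        except NotFound:
            continue  # correct behaviour
        leaked.append((rid, body))
    return leaked


# Constructed test accounts, one admin per tenant, as the scoping advice asks for.
ALICE = Session("alice", "tenant-a", "admin")
BOB = Session("bob", "tenant-b", "admin")

if __name__ == "__main__":
    print("vulnerable:", cross_tenant_probe(export_vulnerable, ALICE, BOB))
    print("fixed:     ", cross_tenant_probe(export_fixed, ALICE, BOB))
```

The probe is deliberately symmetric in its inputs: run it once with tenant A attacking B and once the other way round, and for a role-escalation check pass a viewer in the same tenant as `attacker` against an endpoint that should require admin. Everything it reports comes with the reproduction steps a report needs (which account, which id, what came back), which is why providing the second tenant up front shortens the engagement rather than lengthening it.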

Mistake 4: asking for "everything OWASP" when you mean "the bits that matter to my auditor"

OWASP Top 10 (web), API Top 10, ASVS Level 1, ASVS Level 2, ASVS Level 3 are all valid scopes, and they have wildly different cost profiles. Roughly, ASVS L1 is in the region of 130 controls, L2 around 280, and L3 north of 350; the exact counts move between ASVS releases, so name the version you want cited. L3 also expects architecture review and source-code access rather than pure black-box testing, which is where most of the extra cost comes from.

Most SaaS pen tests should be scoped to ASVS L2 or "OWASP Top 10 plus business logic". Asking for L3 doubles the price and almost no auditor or enterprise customer actually requires it. Asking for L1 is cheap but leaves real gaps an attacker would find.

The fix: ask your auditor or your largest customer's security team which level they want to see referenced in the report. The answer is almost always L2. Get it in writing — that gives you defensible scope when procurement asks why you didn't go higher.

Mistake 5: trying to bundle three different products into one engagement

A web app, a mobile app, and a public API are three different testing motions. Different tools, different mindsets, different reporting structures, often different testers. Bundling them into one engagement looks cheaper but the actual work is the same. You end up either paying more or getting a worse test of each surface.

The fix: scope them separately, run them sequentially with a couple of weeks between. A common pattern: web app this month, mobile next month, API the month after. You get specialized attention on each, you spread the spend across quarters, and you can react to findings from one before starting the next. CyberGrid's quote structure explicitly supports this — pricing is per-surface, not per-bundle, precisely because bundling produces worse outcomes.

If you do want to bundle for procurement-cycle reasons, ask the provider for a single SOW with three line items rather than one blended fee. You get the same paperwork efficiency without the test-quality compromise.

A scoping email template that fixes all five

Steal this for your next pen-test inquiry:

> Hi — looking for a pen-test quote on the following:
>
> In scope: https://app.acme.com/ (customer dashboard, multi-tenant SaaS, 4 roles: viewer, editor, admin, owner) and https://api.acme.com/v1/ (REST, ~40 endpoints, OAuth bearer auth). Two staging tenants will be provisioned with three accounts each (one per role except viewer) by start date.
>
> Out of scope: marketing site (acme.com), docs (docs.acme.com), Stripe-hosted billing (billing.acme.com), Intercom widget, any third-party SaaS we use, any internal tools.
>
> Methodology: OWASP ASVS Level 2 plus business logic. Cross-tenant access testing required (two tenants provided). Both authenticated and unauthenticated coverage.
>
> Reporting: PDF report with reproduction steps + CVSS for every finding; OWASP/ASVS/SOC 2 mapping appendix; one free retest within 90 days. Need to land in our auditor's evidence binder for SOC 2 Type II.
>
> Timeline: want to kick off in 2-4 weeks, complete within 30 days of kickoff.
>
> Quote please. Fixed fee preferred.

A scoping inquiry that looks like that gets clean fixed-fee quotes from every reputable provider. A scoping inquiry that says "we want a pen test" gets you a 50% padding buffer and a sales call to figure out what you actually meant.

Want to see this in practice?

Run a free single-domain scan in three minutes — same engine, smaller scope, no signup. We'll email you the PDF.
