What a pen test actually costs in 2026
Most pen-test buyers walk into the market with one anchor — a number a friend at another company told them — and discover within three conversations that the range is bewildering. The same scope can come back at $2,999 from a boutique, $8,000 from a referral firm, $18,000 from a mid-sized consultancy, and $45,000 from a Big Four cyber practice. None of those quotes is necessarily lying. They're pricing different things and pretending they're the same thing.
Here's how the pricing actually works.
The four real cost drivers
Every honest pen-test quote is really a function of four variables. If a quote doesn't make all four explicit, it's a sales artifact, not an engineering estimate.
Scope size. Counted in "endpoints" if it's an API, "user roles" if it's an authenticated web app, "screens" if it's mobile, "subnets" if it's network. The honest unit varies, but the honest quote will be explicit about which one and how many. A 50-endpoint API takes longer than a 12-endpoint one. Anyone quoting a fixed price without asking is either underscoping (and will surprise you later) or padding for the worst case (and you're overpaying).
Tester-days. This is the unit that actually determines cost. A senior pen tester in the US/EU costs $1,200–$2,000 per day fully loaded; a junior $400–$700; an offshore senior $500–$900. Most pen tests run 5–15 tester-days. A "boutique" $4,000 quote against a 15-tester-day scope is using either juniors, offshore talent, or both — neither is bad if disclosed, both are misleading if not.
Tooling and automation depth. Anyone running a fully manual test against a web app in 2026 is wasting your money on $1,500/day labor doing things nuclei, ZAP, and ffuf can do in 20 minutes. Anyone running a fully automated one and calling it a pen test is selling you a vulnerability scan with a higher price tag. The honest answer is mostly automation for coverage plus 30–50% human time for business logic, chaining, and writeup.
Report quality. This is where the variance becomes absurd. A junior tester at a boutique produces a 12-page report that looks like a nuclei dump. A senior at a respected firm produces a 40-page artifact your auditor and your customer's security review team will both accept without follow-up questions. The work to produce the second one is real, and it's where you actually feel the cost difference.
The five honest price tiers in the market right now
After buying and selling these for years, here's the rough market shape:
Tier 1: $1,500–$3,000 — automated scan in a pen-test wrapper. Boutique runs nuclei, maybe ZAP, generates the report from templates with light human review. Useful for unblocking a low-stakes procurement check. Not useful as evidence of security maturity. Most "AI pen test" listings are this.
Tier 2: $4,000–$8,000 — fixed-fee modern pen test. What CyberGrid sells. Sophisticated automation does the coverage; a senior does business logic, chaining, and writeup. The report is auditor-grade. Fits a SaaS company of 20–200 employees with one product and a couple of roles.
Tier 3: $10,000–$25,000 — traditional boutique pen test. 5–12 tester-days of named senior talent. More white-glove scoping, more time on novel attacks, deeper authenticated coverage. Worth it when your application has high attack surface (multi-tenant, complex permissions, payments).
Tier 4: $30,000–$80,000 — enterprise pen test from a top firm. Cobalt, Bishop Fox, NCC, Trail of Bits, Doyensec. Multiple senior testers, multi-week engagement, dedicated technical PM, full attack-tree development. Justifiable when the cost of a missed finding is itself in the high six figures.
Tier 5: $100,000+ — red team or specialized assessment. Multi-week, multi-vector, social engineering optional, physical optional, custom tooling. You know if you need this.
What's actually inside a $4,999 fixed-fee modern pen test
This is the part most buyers don't see. Here's the work breakdown for a typical SaaS web-app engagement at this tier:
- Day 0.5 — scoping. The provider runs a short call, walks the auth flow, identifies in-scope roles, captures any sensitive endpoints to exclude, agrees on dates and contact for emergencies.
- Day 1 — automated coverage. Authenticated nuclei against every in-scope path (with session cookies provided by you), ZAP active scan, ffuf for parameter and directory fuzzing, sqlmap with non-destructive payloads on every parameterized query. All findings go into a triage queue.
- Days 2–3 — human testing. A senior works through OWASP ASVS L2 manually: auth, session, access control, input validation, output encoding, business logic. This is where the IDORs, the broken object-level authorization, the privilege escalations, the workflow-bypass bugs come from. Nothing scans for these.
- Day 3.5 — chaining. Take every low/medium and see if any combination produces a critical. A reflected XSS plus a missing SameSite cookie attribute is a different class of finding than either alone.
- Day 4 — report. Write up every finding with reproduction steps, CVSS, suggested fix. Map to OWASP/ASVS/PCI. PDF for the customer, evidence file for the auditor.
That's seven workdays of senior time, plus tool licenses and the report template. At $1,500/day blended, the floor is around $4,500. Anyone charging $1,999 for this is using juniors, offshoring, or skipping steps. Anyone charging $25,000 is charging you for days you may not need.
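The chaining step above (Day 3.5) and the cookie-attribute finding it names, as an added example that is not CyberGrid's code and is not from the original post: a small Python triage helper that checks a Set-Cookie header for Secure, HttpOnly and SameSite, records each gap as a stand-alone low/medium finding, then applies chaining rules that raise the severity when a reflected-XSS finding is present alongside a cookie gap. The cookie values, finding titles, tags and severity ratings are constructed for illustration; the ratings are a tester's triage labels, not a CVSS computation.

```python
"""Cookie-attribute check plus finding chaining (constructed example).

Not vendor code: the sample cookies, tags, titles and severities are
made up here to show how a low/medium finding becomes a high one when
combined with another finding during the chaining pass.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    tag: str          # short machine tag used by the chaining rules
    evidence: str = ""


def parse_set_cookie(header_value: str):
    """Split a Set-Cookie value into the cookie name and a dict of
    lower-cased attributes. Flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def check_session_cookie(header_value: str) -> list:
    """Return one Finding per missing hardening attribute on a session cookie.
    Severities are the stand-alone ratings assigned before chaining."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(Finding(f"{name}: missing Secure", "low",
                                "cookie-no-secure", header_value))
    if "httponly" not in attrs:
        findings.append(Finding(f"{name}: missing HttpOnly", "medium",
                                "cookie-no-httponly", header_value))
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(Finding(f"{name}: missing or weak SameSite", "low",
                                "cookie-no-samesite", header_value))
    return findings


# Chaining rules: (tags that must all be present, combined severity, title).
# Every rule whose tags are all present fires; the component findings are kept.
CHAIN_RULES = [
    ({"xss-reflected", "cookie-no-httponly"}, "high",
     "Reflected XSS can read the session cookie (HttpOnly absent)"),
    ({"xss-reflected", "cookie-no-samesite"}, "high",
     "Reflected XSS reachable from a third-party page with the session attached (SameSite absent)"),
]


def chain_findings(findings: list) -> list:
    """Return the combined findings produced by CHAIN_RULES over the input set."""
    present = {f.tag for f in findings}
    chained = []
    for required, severity, title in CHAIN_RULES:
        if required <= present:
            components = "+".join(sorted(required))
            chained.append(Finding(title, severity, "chain:" + components,
                                   f"components: {components}"))
    return chained


def highest_severity(findings: list) -> str:
    """Worst severity label in a list of findings ('info' for an empty list)."""
    if not findings:
        return "info"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


# Constructed sample: a session cookie as a weak app might set it, beside the hardened form.
WEAK_COOKIE = "sessionid=abc123; Path=/"
HARDENED_COOKIE = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    xss = Finding("Reflected XSS in search parameter", "medium", "xss-reflected", "constructed")
    triage = check_session_cookie(WEAK_COOKIE) + [xss]
    print("worst before chaining:", highest_severity(triage))
    for f in chain_findings(triage):
        print(f"  [{f.severity}] {f.title}")
    print("worst after chaining: ", highest_severity(triage + chain_findings(triage)))
    print("hardened cookie findings:", check_session_cookie(HARDENED_COOKIE))
```

Run stand-alone, the script shows the weak cookie and the XSS each topping out at "medium", and the chaining pass adding two "high" findings that reference their components, while the hardened Set-Cookie line produces no findings at all. The rule table is the part a team would grow over time; the point is that the combined finding is recorded separately from its parts so the report can show both the root causes and the impact.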
Red flags in a pen-test quote
If you see any of these, ask harder questions before you sign:
- No mention of methodology. OWASP ASVS L1/L2, PTES, NIST 800-115 — the quote should reference at least one and tell you which level.
- No mention of who is testing. Senior name? Bio? Or "a member of our team"? The latter is fine for tier 1 but not for tier 3+.
- Refusal to share a sample report. Every reputable firm has a sanitized sample. If they won't share one, the actual reports are bad.
- "Hourly billing, estimated 80–120 hours." This is procurement's worst nightmare. It's also unnecessary at the SaaS scale most buyers operate at — a competent provider can fixed-fee this.
- "AI-driven" without saying what that means. Real AI augmentation today is finding-triage and writeup acceleration. A "fully AI pen test" is a vuln scan with marketing.
- No retest included. A pen test without a retest is half a deliverable. You fix the findings and have no third-party confirmation they're actually fixed. Standard inclusion: one free retest within 90 days.
How to negotiate
Three levers that work:
Bundle. If you buy an annual contract or commit to two engagements a year, expect 15–25% off list. Most boutiques will negotiate; the big firms won't.
Scope down. Don't pay for testing of the marketing site, the static docs, or the third-party billing portal you don't control. Trim to your actual application and your own infrastructure. The cheapest way to cut cost is to scope honestly.
Time the deal. End of quarter and end of calendar year both produce discounting. The big firms have public-company quotas to hit. The boutiques have rent to pay.
What this means for your buying decision
If you're a SaaS company under 200 employees with one product, your honest answer is almost always one of the following:
- Tier 1 ($1,500–$3,000) is fine if you're checking a box for a single low-stakes procurement question and you don't need the report to be defensible later.
- Tier 2 ($4,000–$8,000) is the sweet spot for SOC 2 readiness, enterprise customer security review, and ongoing security hygiene. This is where CyberGrid plays.
- Tier 3 ($10,000–$25,000) is right when your application surface is genuinely complex — multi-tenant SaaS with five+ roles, payments, healthcare data, anything where missing a finding costs you a customer in the high six figures.
- Tier 4+ is right when you're enterprise, regulated, or your security program is the difference between landing or losing a $500K+ contract.
Most of the unhappy customers in this market are paying tier-4 prices for tier-2 outcomes, or paying tier-1 prices and trying to use the deliverable for tier-3 purposes. Pick the right tier for the actual problem, ask the four cost-driver questions, and the price stops feeling random.
Want to see this in practice?
Run a free single-domain scan in three minutes — same engine, smaller scope, no signup. We'll email you the PDF.