What does a penetration test cost? What goes into the price and what to watch for

A penetration test can run to a few thousand zloty, or a few hundred. That spread is not the tester's whim. It comes from what actually falls inside the scope and who sits on the other side. Here we break the price down: what drives it, why the cheapest bid usually turns out to be the most expensive, and how to spot a provider who gives you real value instead of a printout from a scanner.
A pentest is not an automated scan
A vulnerability scanner is a tool. It walks through your system and returns a list of known bugs from the CVE database. A pentest starts where the scanner stops. A person studies the architecture, chains single weaknesses together, and probes the business logic, the part an automated tool does not understand: how to bypass the payment flow, how to reach someone else's data from an ordinary user account, how one small oversight leads to a full server takeover.
So a good pentest report is not a pile of alerts to sift through. It describes real risk and gives concrete, workable fixes, ordered by what threatens you most. If someone offers a “pentest” for a price that barely covers one day of a specialist's work, you will almost certainly get a scanner export, not a security assessment.
Black box, grey box, white box: different access, different cost
The level of access you give the tester drives the hours of work, and with them the price.
- Black box: the tester starts with no knowledge of the system, like an outside attacker. Closest to a real attack, but reconnaissance takes the most time.
- Grey box: the tester gets limited access, say an ordinary user account. This simulates someone who has already broken the first line of defense or works from the inside. Usually the best ratio of cost to coverage.
- White box: the tester has full knowledge, including source code and diagrams. This goes through the application at the greatest depth, point by point.
What goes into the price
The price of a pentest is mostly the working hours of experienced people and the infrastructure that lets them work. It is made up of:
- The team. A good pentester means years of practice, certifications, and constant learning of new techniques. On top of salary come training, conferences, and equipment. Behind every test there is also a quality review of the report, not one person doing everything.
- Tools. Professional scanners and attack-simulation platforms are commercial licenses renewed every year. The best teams add their own custom tools on top.
- Scope. A small brochure site is a different effort than an e-commerce platform with integrations, an API, and several applications. Every extra system means more days of work.
- Complexity. A typical site on a popular CMS is predictable. An unusual, heavily integrated environment needs more time and narrow specialization.
- Depth. A surface check costs less, but only going into the business logic and unusual attack vectors shows the real security picture.
- The report and the paperwork. A clear report with priorities and fix instructions is separate analytical work. Add to that contracts, an NDA, insurance, and project coordination.
In practice this is priced in working days (person-days). A simple test is a few days; a complex platform or a Red Team simulation runs to dozens of days or more. So instead of asking for “the price of a pentest,” start by defining the scope, because the scope decides the number.
Why the cheapest bid usually turns out most expensive
A low price comes from less time, and less time means a shallower analysis. You usually find out the consequences too late:
- A false sense of security. The report says “all clear” because the test never reached the places where the problem actually is.
- Missed vulnerabilities. Flaws that take time and ingenuity stay untouched.
- A report with no value. A generic tool export, full of false alarms, with no guidance on what to fix and how.
- No support after the test. You are left alone with a list of problems, with no walkthrough and no retest after the fixes.
The cost of a solid pentest is a fraction of the cost of a real incident: downtime, rebuilding systems, fines, and lost trust. Saving on the test usually just moves the spending later, to a worse moment.
How to pick a provider
Before you compare numbers, compare what stands behind them. Ask about:
- Experience in your industry and with your type of systems.
- References and completed projects, ideally with client contacts you can call.
- The team: who exactly does the testing, which certifications they hold (for example OSCP, OSWE, CISSP), and how much practice they have.
- A sample, anonymized report, so you can judge whether it is clear and actionable for your IT team.
- A methodology aligned with recognized standards (OWASP, PTES, NIST) and a clearly written scope.
- Confidentiality: a solid NDA and liability insurance.
- What happens after the test: a walkthrough of the findings and a retest once the fixes are in place.
The lowest number is rarely the best decision. Compare offers as a whole: what you actually get for that price.
What it costs in practice
The honest answer is that it depends on the scope, and the spread is wide. A simple site is a few days of work and the lowest price band. A mid-sized web or mobile app usually runs to a dozen or more days, because business logic and an API back end come into play. Infrastructure tests scale with the number of servers, devices, and network segments. The widest scope, a full security audit or Red Teaming for mature organizations, runs to several dozen days and more.
Other factors beyond scope push the price up too: a rush timeline, work at odd hours, on-site testing, or non-standard reporting requirements. So you will only get a reliable number once the Statement of Work is defined. Instead of an off-the-shelf price list, ask for a quote matched to your environment and your risk.
The bottom line
The price of a pentest reflects the time, knowledge, tools, and responsibility you have to put into it. The cheapest bid usually means a shallower test and a report that tells you little. Rather than going by the number alone, set the scope, check the provider, and compare real value. A well-planned test costs far less than the incident it prevents.
Book a free consultation. Together with a consultant, we will set the scope and a quote for a penetration test matched to your company's real risk.