The honest answer: it depends. But that's not helpful when you're trying to budget, so here's a realistic breakdown of penetration testing costs and what drives them.
Quick Reference: Typical Price Ranges
| Test Type | Small Business | Mid-Market | Enterprise |
|---|---|---|---|
| External Pentest | $2,500 - $6,000 | $5,000 - $15,000 | $15,000 - $40,000+ |
| Internal Pentest | $4,000 - $10,000 | $8,000 - $25,000 | $20,000 - $60,000+ |
| Web Application | $3,000 - $8,000 | $6,000 - $20,000 | $15,000 - $50,000+ |
| Wireless | $2,000 - $5,000 | $4,000 - $10,000 | $8,000 - $20,000+ |
These ranges are broad because scope varies significantly. A small business with 10 external IPs and one web application is very different from one with 100 IPs and five complex applications.
What Drives the Cost
1. Scope and Size
The biggest cost driver is simply how much there is to test: number of IP addresses or hosts, number and complexity of web applications, size of internal network, and number of locations (for on-site testing). More systems = more time = higher cost.
2. Complexity
A simple marketing website costs less to test than a complex web application with user authentication, payment processing, and API integrations. Custom applications take longer than standard configurations.
3. Test Type
External testing is typically less expensive than internal testing because it can be done entirely remotely. Internal testing may require on-site work or VPN setup, adding time and potentially travel costs.
4. Methodology and Depth
A basic "check the boxes" test costs less than a thorough assessment that includes manual exploitation, privilege escalation, and lateral movement. You get what you pay for.
5. Reporting Requirements
Standard deliverables are usually included. Custom reporting formats, executive presentations, or compliance-specific documentation may add cost.
6. Retesting
Some providers include one retest to verify remediation. Others charge separately. Clarify this upfront.
Red Flags: When the Price is Too Low
If you're quoted significantly below market rates, ask questions:
- "Penetration testing" that's actually vulnerability scanning. Some vendors run automated scans and call it a pentest. Real penetration testing requires human effort; if the price suggests only a few hours of work, that's not a pentest.
- Junior testers or offshore teams. Nothing inherently wrong with either, but you should know who's actually doing the work.
- Limited scope buried in fine print. A low headline price might cover only a fraction of your environment.
- No methodology or sample report available. Professional testers can explain their approach and show you what the deliverable looks like.
A $1,500 "penetration test" is almost certainly not what you think it is.
Red Flags: When the Price is Too High
Enterprise-focused consultancies often quote $50,000+ for work that a qualified independent tester could do for a fraction of that. You're paying for brand name overhead, sales team commissions, multiple layers of project management, and fancy offices and marketing.
None of that makes the actual testing better. For small and mid-sized businesses, boutique firms and independent consultants often provide better value.
How to Get an Accurate Quote
To get a realistic estimate, be prepared to share:
- External footprint: How many public IPs, domains, and subdomains?
- Web applications: How many? What's the complexity?
- Internal network: Approximate number of hosts, subnets, locations
- Special requirements: Compliance frameworks, OT/ICS systems, specific concerns
- Timeline: Rush jobs cost more
The more detail you provide, the more accurate the estimate.
What's Included (and What's Not)
- Typically included: Testing within defined scope, detailed technical report, executive summary, remediation recommendations, findings walkthrough call.
- Sometimes included: One retest of remediated findings, letter of attestation for compliance, raw tool output/evidence files.
- Usually extra: Multiple retests, on-site testing (travel costs), expedited timelines, custom reporting formats, ongoing support or consulting.
Get these details in writing before signing.
Cost vs. Value
A penetration test that costs $5,000 and prevents a breach that would cost $150,000+ is a good investment. A $500 scan that gives you false confidence and misses real vulnerabilities is expensive at any price.
The average cost of a data breach for small businesses exceeds $150,000 when you factor in incident response and forensics, legal and regulatory costs, customer notification, business disruption, and reputation damage.
Compare that to the cost of finding and fixing vulnerabilities before an attacker does.
Budget Recommendations by Business Size
- Very small business (under 20 employees): Start with external testing. Budget $3,000-$5,000 annually.
- Small business (20-100 employees): External + web application testing. Budget $5,000-$12,000 annually.
- Mid-market (100-500 employees): External + internal + web application testing. Budget $15,000-$30,000 annually.
Scale up based on complexity, compliance requirements, and risk tolerance.
St. John Cybersecurity provides transparent, fixed-price penetration testing for small and mid-sized businesses. No hidden fees, no enterprise markup. Contact us for a quote.