The Cost of a Pen Test

A question that is often asked is how much should a pen test cost, and in this post we will break down different factors to consider. It is important to understand that there is always a pen test for any budget, but it may be limited in terms of scope coverage.

Important Factors

Below are a list of items to consider that will affect the cost of your pen test:

• Scope Changes
  • The number of live systems
  • The different types of assets: network, web app, cloud, wireless, etc.
  • The amount of days in a test
  • Depth of testing
    • Depending on the need, more time can be added to find more vulnerabilities but at a diminishing return
• Extended Features
  • Add vulnerability scanning
  • Phishing or social engineering
  • Physical pen testing
  • Workstation or Cloud configuration review
  • IAM audit
• The Testers
  • Where they are located
    • US-based testers are more suited when it comes to data storage compliance but can cost more
  • Their credentials and certifications
  • The number of testers involved
    • More testers reduces timeframe but may add cost due to setup time
• Other factors
  • Black vs white-box: Black box requires more time for the same amount of findings
  • Red teaming: stealth often requires more time for the same findings
  • Type of data
    • Sensitive data areas may require additional testing
  • Compliance requirements often add cost
  • Are retests included?
  • Reporting: types of reports needed depending on compliance or customer requests
  • Are there any other perks, such as a platform?

So given all of these details it is important to understand how they work together. 

For example a pen test that is 2 weeks long can either be all network or all web app or 1 week of each without affecting the budget. 

It is important to understand your own priorities and weaknesses to determine which is more important for your situation and business needs.

Another example is that adding 100 IPs may increase the total percentage of systems that have been tested in your network but will also add cost. 

So if it is not possible to test each and every system or app, choose ones that are a good representative sample or are particularly sensitive to the company.

Pen Test Pricing

The cost of a vulnerability scan usually begins at $1,000 for a small external network scan and can cost up to $5,000 if it includes larger network scope and manual validation of the findings.

So that being said, how much does a pen test cost? 

In the US, most penetration tests cost between $7,500-$10,000 per week of testing for one tester. 

If your budget can’t afford that, it may be best to start with a vulnerability scan or a partial pen test, since those can be completed within a $1,000-$5,000 budget.

On average it is recommended that penetration tests last 2 weeks or more to cover the most important assets that need to be tested for security weaknesses and vulnerabilities. 

If your company has 3 distinct web applications with multiple user levels, a cloud environment of dozens of hosts, and an internal network of hundreds of IPs, the total test can easily be over 4 weeks. 

That being said, it can be split into smaller tests throughout the year to ease budget or divided among multiple testers to be done in a shorter time frame.