
Penetration Testing Pricing: A Transparent Guide to What Things Cost and Why

Lorikeet Security Team February 26, 2026 9 min read

If you have ever tried to figure out how much a penetration test costs, you know the answer you get from most vendors: "It depends." Then they ask you to schedule a call, sit through a demo, fill out a scoping questionnaire, and wait a week for a proposal. By the time you get a number, you still are not sure if it is reasonable because you have nothing to compare it to.

The penetration testing industry has a pricing transparency problem. Most firms treat their rates as proprietary information, which makes it nearly impossible for buyers to make informed decisions. This guide is our attempt to fix that. We are going to break down what pentests actually cost, what drives the price, what you should expect to get for your money, and what red flags to watch for.


Why Pentest Pricing Is Opaque

Before we get into numbers, it is worth understanding why pricing is so hard to find in this industry. There are a few reasons, and not all of them are cynical.

Legitimate reason: Penetration testing is genuinely scoped to each engagement. A web application with 5 endpoints and basic authentication is a very different project than a web application with 200 endpoints, complex role-based access control, API integrations, and a mobile companion app. The cost should reflect the actual scope.

Less legitimate reasons: Many firms keep pricing hidden because they charge based on what they think each client will pay. A startup with limited funding gets one price. An enterprise with a large security budget gets a different price for the same work. Some firms also bundle unnecessary services or add line items that inflate the total. When pricing is hidden, there is no accountability.

The result is that buyers feel like they are negotiating in the dark. And in many cases, they are.

Our position: We believe pentest pricing should be transparent. That is why Lorikeet publishes pricing on our pricing page. Every engagement is scoped based on actual complexity, not based on how much budget we think you have.


What Drives the Cost of a Penetration Test

Regardless of the vendor, the core cost drivers for a penetration test are the same. Understanding these will help you evaluate quotes and understand why prices vary.

1. Scope and Size

The single biggest factor in pentest pricing is scope. How many applications, endpoints, IP addresses, or cloud environments are being tested? A pentest of a single web application with 20 pages is fundamentally less work than a pentest of a SaaS platform with multiple microservices, APIs, and user roles. More scope means more tester hours, which means higher cost.

2. Complexity

Two applications with the same number of endpoints can have wildly different complexity. An informational website is simpler to test than a financial application with multi-factor authentication, payment processing, and complex authorization logic. Applications with heavy API usage, real-time features, WebSocket connections, or custom protocols require more specialized testing.

3. Type of Testing

Different types of penetration tests require different skill sets and tooling. A web application pentest is different from a network infrastructure assessment, which is different from a mobile app test, which is different from a cloud security review. Some types (red team engagements, for example) involve multiple phases and require significantly more time and coordination.

4. Methodology and Depth

There is a difference between a lightweight security assessment and a deep-dive penetration test. Some engagements focus on validating specific OWASP Top 10 vulnerabilities. Others include source code review, custom exploit development, and multi-vector attack simulation. Deeper methodology means more tester time and more expertise, which costs more.

5. Reporting and Deliverables

A pentest report is not just a list of findings. Quality reporting includes executive summaries, detailed technical writeups with proof-of-concept exploits, risk ratings contextualized to your business, actionable remediation guidance, and compliance-mapped results. Firms that invest in quality reporting charge more, and it is usually worth it.

6. Retesting

After you fix the findings, someone needs to verify the fixes work. Some firms include retesting in the original engagement price. Others charge separately. This is an important question to ask upfront, because retesting is not optional if you actually care about security outcomes.


Price Ranges by Pentest Type

Here are realistic price ranges for different types of penetration tests in the current market. These reflect what you should expect to pay for quality, manual testing from a reputable firm. Prices below these ranges should raise questions. Prices well above may indicate you are paying for brand overhead.

| Pentest Type | Typical Price Range | What's Included |
|---|---|---|
| Web Application | $3,000 - $15,000 | OWASP Top 10, business logic, auth testing, API testing, session management, input validation, reporting with PoC |
| Network / Infrastructure | $4,000 - $20,000 | External/internal scanning, service enumeration, vulnerability exploitation, privilege escalation, lateral movement, segmentation testing |
| Mobile Application | $5,000 - $15,000 | Client-side analysis (iOS/Android), API security, data storage review, certificate pinning, binary protections, runtime analysis |
| Cloud Security | $5,000 - $20,000 | IAM review, storage bucket permissions, network configuration, serverless function security, container security, compliance mapping (AWS/GCP/Azure) |
| Red Team | $15,000 - $50,000+ | Multi-phase adversary simulation, social engineering, physical security testing, custom implants, C2 infrastructure, full attack lifecycle |

These ranges are broad because scope varies significantly. A web application pentest for a 10-page marketing site with a contact form is on the low end. A web application pentest for a multi-tenant SaaS platform with complex RBAC and 50 API endpoints is on the high end. Both are "web application pentests," but they are very different engagements.


What You Should Get for the Money

Price matters, but what you get for the price matters more. Here is what a quality penetration test engagement should include, regardless of vendor:


Red Flags in Pentest Pricing

Not all pentest vendors deliver the same quality. Here are pricing-related red flags that should make you ask harder questions:

Too Cheap: The Automated Scan Disguised as a Pentest

If someone offers you a "penetration test" for $500 to $1,500, you are almost certainly buying an automated vulnerability scan with a fancy report template. There is nothing wrong with vulnerability scanning, but it is not a penetration test, and it should not be priced like one. A real pentest requires hours of skilled human labor, and that has a cost floor that automated tools do not.

Too Expensive: Paying for Brand, Not Quality

On the other end, some large consulting firms charge $50,000+ for a standard web application pentest because they can. Their brand name commands a premium, and large enterprise procurement teams do not question it. But the actual testing is often performed by the same caliber of professional you would find at a smaller, specialized firm. You are paying for the logo on the report, not for better findings.

No Scoping Methodology

If a vendor quotes you a flat price without asking detailed questions about your environment, that is a red flag. Good scoping requires understanding the number of targets, application complexity, user roles, technology stack, and testing objectives. A vendor that skips this step is either going to under-deliver or pad the quote with buffer.

Vague Deliverables

"You will receive a comprehensive report." What does that mean? How many findings can you expect? Will there be proof-of-concept exploits? Is retesting included? If the proposal is vague about what you are getting, the engagement will likely be vague too.

Retesting as an Upsell

Some firms charge significant additional fees for retesting. While it is reasonable to scope retesting separately, it should be discussed and priced upfront, not presented as a surprise add-on after you have already committed to the engagement. A vendor that does not include retesting in their standard offering is not aligned with your actual goal, which is to fix the vulnerabilities, not just find them.

A useful litmus test: Ask the vendor to explain their methodology in detail. If they cannot clearly articulate what they will test, how they will test it, and what specific deliverables you will receive, keep shopping. Good firms are proud of their methodology and happy to explain it.


How Lorikeet Prices Penetration Testing

We built Lorikeet Security with transparent pricing as a core principle because we were frustrated by the same opacity that frustrates our clients. Here is how we approach it:

We price our services competitively because we believe quality security testing should not require a Fortune 500 budget. Our overhead is lower than large consulting firms because we do not have layers of account management and sales infrastructure. That savings gets passed to you.


How to Compare Pentest Quotes

When you are evaluating proposals from multiple vendors, here is a framework for making an apples-to-apples comparison:

  1. Confirm the scope is identical. Are all vendors testing the same targets with the same depth? A lower price might just mean a smaller scope.
  2. Check what is included. Is retesting included? What about the report? Real-time findings? Make sure you are comparing total cost, not just the testing fee.
  3. Ask about methodology. What frameworks do they follow? How many tester hours are allocated? What percentage is manual vs. automated?
  4. Look at the team. Who will actually perform the testing? What are their qualifications? Will you have direct access to them?
  5. Evaluate the deliverables. Ask for a sample report. The quality of reporting varies enormously across firms and is a strong indicator of overall engagement quality.
  6. Consider the timeline. How quickly can they start? How long will testing take? When will you receive results? Faster is not always better, but waiting six weeks to start is usually a sign of poor capacity management.

The Bottom Line on Pentest Pricing

Penetration testing is a skilled, labor-intensive service. It costs money because it requires experienced security professionals to spend hours manually testing your systems. There is no shortcut that preserves quality.

That said, you should know what you are paying for, and you should be able to compare options without sitting through three sales calls first. The industry is slowly moving toward more transparency, and we believe that benefits everyone: clients get better value, and firms that do quality work get recognized for it.

If you are shopping for a pentest, start with our pricing page to see what things cost. If you want to talk about scoping, book a consultation and we will give you a straightforward answer. And if you need more than just a pentest, explore our full service offerings including attack surface management, web application testing, and compliance packages.

Get a transparent pentest quote in minutes

No sales pitch. No mystery pricing. Tell us what you need tested and we will give you a clear scope and price. Check our published rates or book a quick scoping call.

Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.