When it comes to strengthening your company’s cyber security, penetration testing is a crucial practice. But how much does penetration testing cost exactly? The answer isn’t as straightforward as you might think: different types of assessments, targeting distinct areas such as web applications, APIs, mobile apps, internal networks or external networks, all come with their own pricing structures. The volume of IP addresses, the number of endpoints on an API or the number of user roles on a web application are all factors when tallying the total price of a penetration test. In this guide, we’ll dissect the factors that determine the cost of penetration testing to help you understand where your investment is going and why.
What goes into pricing a penetration test? What are the factors?
The pricing of a penetration test is not a one-size-fits-all situation. It’s a process influenced by numerous variables including the scope of the test, the complexity of the systems in question and the types of tools and methods required. Other considerations include the size and type of your business, the industry you operate in, the regulatory compliance needs and specific reporting requirements.
Several key factors determine the cost of a penetration test. The expertise needed to conduct the testing is a significant aspect – more experienced and certified professionals will nearly always command a higher rate. The scope of the test also has a significant impact, as it dictates the amount of time and resources required to thoroughly assess the systems. Additionally, the urgency of the test, whether it’s a standard or a highly specialised assessment, and the geographical location (Meaning on-site, remote or hybrid) where the testing will take place, all contribute to the penetration testing price.
A key list of Penetration Testing cost factors has been provided below:
Scope and complexity
The scope is the number one pricing factor when assessing penetration testing cost, and in many ways it speaks for itself: the more assets undergoing assessment, the more days are usually required to conduct it. The complexity of the environment also influences the price. A standard WordPress installation with 3 plugins and 20 pages is going to take considerably less time than a complex enterprise crypto trading application built on WebSockets and the like. More assets = more time.
Some assessments may require more one-to-one support with the client. If so, the time spent in discussion with the client also consumes testing time, which may influence the cost. If the client wants a debrief at the end of each day, alongside securely communicated details of high-risk findings as they are discovered, this will almost certainly increase the time spent on the assessment.
Skills, expertise and experience of the provider/consultant.
A business’s longevity in the industry can sometimes influence how clients perceive its consultants’ expertise. Be cautious with this approach: just because a company has been around longer, it does not follow that the tester conducting the assessment will be good. From the client’s perspective, the main element (to get the most value) is the skills and experience of the consultants conducting the assessment. Look for quality certifications such as OSCP, CREST CPSA, CRT, CCT-APP, CCT-INF and so on. The company itself may also be a CREST registered company and/or hold certifications relevant to its testing standards. These can also influence the cost: a CREST registered company may command a higher day rate than one that does not hold the accreditation.
The company should follow a defined methodology for each type of assessment. This ensures some consistency in the company’s testing standards. Usually this will be some amalgamation of OWASP, NIST, PTES or a less standard methodology. Some companies may also use their own methodology, which is almost certainly a spin-off or variant of an established testing standard.
The test perspective (whether the assessment is black box, grey box or white box) can influence the pricing significantly. This is primarily due to the time it takes the tester to work through the information given to them. A white box assessment of a web application, in which the tester has full access to the code base, will likely take more time to conduct because it is a more in-depth assessment.
Whereas a white box assessment of an internal infrastructure environment, in which the tester has full knowledge of all the systems tested, will take less time, because the tester won’t have to probe the assets trying to determine their function within the environment.
Most penetration tests are conducted from the grey box perspective, which strikes a balance between the two. A black box assessment can be more interesting from the client’s perspective, as this is the perspective of a would-be attacker. Unless the attacker has compromised a high-value target first, in which case I guess that is a white box? 🙂
Commercial factors: Discounts, Bulk days, Additional Value
Most companies will have some unique value proposition that they bring to the table. Some may offer a discount on the day rate for buying bulk days (for example, if the day rate is usually £1,000 and you buy 30 days, you may get a discounted day rate of £800: £800 * 30 = £24,000, an overall reduction of £6,000). Some companies may offer discounts to certain industries (if they specialise in an area such as IoT or industrial control systems), or even give a discounted rate to registered charities (we do).
Don’t forget retest requirements when determining the penetration testing cost.
This is a huge factor to consider when determining the true cost of a security assessment. If you have paid for 20 days of penetration testing (10 days of internal network, 5 days of external network and 5 days of web application testing), retesting the environment could easily run to 3-5 days, which would typically be £5,000+ at most penetration testing companies. Always ask the company how they handle retesting on a project: is it offered for free (we do) or factored in at the proposal stage? Look for this in the statement of work or proposal; usually a company will specifically state whether a retest is included with the service or not.
It’s always worth asking the company what unique elements they offer. Determining this at the project proposal stage could be the factor that makes or breaks a deal.
How is the penetration testing cost influenced by the type of assessment?
The cost of a penetration test is invariably influenced by the nature of the assessment, which may encompass various domains such as web applications, mobile platforms, network systems, APIs, etc. Each domain demands a unique approach to evaluate the requisite time allocation for the project. To gain a clearer understanding, let us delve into a typical scoping scenario for each service.
Web application testing often requires a blend of automated and manual testing techniques to ensure a comprehensive assessment. In most cases the majority of the testing is manual, with some fuzzing also likely, because testing every vulnerability class against every parameter by hand is incredibly time consuming. Most staged attacks against the web application will be configured manually and aided by automation for payload insertion and detection of a given vulnerability.
Cost factors for web application testing
- Complexity of the application.
- How many unique pages (Dynamic and static).
- Data input: does the application have dozens of parameters per request (i.e. POST requests with lots of parameters), or is it primarily making GET calls? These factors are weighed when considering the overall complexity of the web application.
- Usage of WebSockets (Testing an application that implements real-time WebSockets is time consuming and can influence the cost of the assessment)
- User roles within the scope.
- Testing vertical and horizontal access controls on a large enterprise application takes time. The more user roles (Guest, Standard, Admin, Company Admin, SuperAdmin for example), the more days required. This is primarily because the tester will need to assess the access controls at all levels of the application, to ensure no oversights in the authorisation design are present on the system.
- Inclusion of an API
- Most modern web applications are built with a back-end API driving much of the functionality. If the application is relatively small but has a 500+ endpoint API, this will increase the days required to test the web application considerably. Typically most vendors will test anywhere between 20-30 endpoints per day.
Example scope and cost
A medium sized e-commerce application with dynamic and static pages (fewer than 50), user authentication, payment gateway integration and multiple user roles (customer, admin, vendor). The application uses WebSockets and a back-end API of approximately 70 request methods.
Due to the complexity, this could require around 6-8 days of testing. Assuming a day rate of £1,000, the cost could range from £6,000 to £8,000.
API penetration testing focuses on the points of interaction where applications exchange data. The pricing reflects the complexity of the API, including the number of endpoints to be tested, the extent of documented use cases, and the need to understand business logic for effective testing. Just like web application testing, API testing will be a combination of manual and automated testing. Rate limiting, for example, requires automation to verify how the API responds when a client sends a high volume of requests or otherwise attempts to consume large amounts of compute resources.
Cost factors for API Penetration Testing
- Complexity of the API.
- The more endpoints or request methods (GET, POST, PUT, PATCH, DELETE), the more days required to test the API.
- An API made up of mostly GET requests will take less time than one with mostly POST requests, because POST calls often carry many more parameters than a GET request.
- User roles within the scope
- Just like with web applications, the more user roles in scope, the more time it will take to test the API. It must be stated, however, that testing an API for access control issues can be simpler than a web application: it is usually a matter of swapping out a token (such as a JWT) for another role’s and replaying the same request.
- API Documentation
- Good documentation helps the tester set up the API calls, which reduces the time it takes to test the API (Swagger, Postman collections and OpenAPI specifications are all examples of API documentation).
- A badly documented API will take more time to test. This is because the tester will have to configure calls and may require further guidance/assistance from the company.
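The token-swap-and-replay approach described above (and the vertical and horizontal access control testing mentioned under web application testing) is easy to systematise. The following is an added example, not code from the original article: it mints HS256 JWTs for a few constructed roles, replays a list of captured requests under each token against a mock in-process API, and reports every response that disagrees with the expected access matrix. The mock API, its signing secret, its routes and the deliberate ownership bug on GET /orders/{id} are all constructed for the demonstration; against a real target, `mock_api` would be replaced by an HTTP client call that returns the status code.

```python
"""Authorisation matrix testing: replay every captured request under every
role's token and flag any response that disagrees with the expected matrix.
Added example; the API, roles, secret and routes below are all constructed."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional, Tuple

SECRET = b"constructed-demo-secret"  # assumption: the mock API's HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict) -> str:
    """Build a minimal HS256 JWT for a test role (stand-in for the login flow)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


# Constructed mock back end standing in for the API under test.
ORDERS = {"1001": {"owner": "cust-a"}, "1002": {"owner": "cust-b"}}


def mock_api(method: str, path: str, token: str) -> int:
    """Return the HTTP status the mock API would give for this request."""
    claims = verify_jwt(token) if token else None
    if claims is None:
        return 401
    role = claims["role"]
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "orders":
        if parts[1] not in ORDERS:
            return 404
        if method == "GET":
            # Deliberate flaw: checks the role but never the owner, so any
            # customer can read any order (broken object level authorisation).
            return 200 if role in ("customer", "admin") else 403
        if method == "DELETE":
            return 200 if role == "admin" else 403
    if path == "/admin/users" and method == "GET":
        return 200 if role == "admin" else 403
    return 404


Request = Tuple[str, str]  # (method, path)


def auth_matrix(send: Callable[[str, str, str], int], tokens: Dict[str, str],
                requests: List[Request],
                expected: Dict[Request, Dict[str, int]]) -> List[str]:
    """Replay each request with each role's token; return a finding for every
    status that differs from the expected access matrix."""
    findings = []
    for method, path in requests:
        for role, token in tokens.items():
            got = send(method, path, token)
            want = expected[(method, path)][role]
            if got != want:
                findings.append(f"{role} {method} {path}: got {got}, expected {want}")
    return findings


# Constructed test identities: two customers (horizontal check), an admin
# (vertical check) and an unauthenticated baseline.
TOKENS = {
    "customer_a": mint_jwt({"sub": "cust-a", "role": "customer"}),
    "customer_b": mint_jwt({"sub": "cust-b", "role": "customer"}),
    "admin": mint_jwt({"sub": "admin-1", "role": "admin"}),
    "anonymous": "",
}
REQUESTS: List[Request] = [
    ("GET", "/orders/1001"), ("DELETE", "/orders/1001"), ("GET", "/admin/users"),
]
EXPECTED = {
    ("GET", "/orders/1001"): {"customer_a": 200, "customer_b": 403, "admin": 200, "anonymous": 401},
    ("DELETE", "/orders/1001"): {"customer_a": 403, "customer_b": 403, "admin": 200, "anonymous": 401},
    ("GET", "/admin/users"): {"customer_a": 403, "customer_b": 403, "admin": 200, "anonymous": 401},
}


def run_demo() -> List[str]:
    return auth_matrix(mock_api, TOKENS, REQUESTS, EXPECTED)


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

The expected matrix is the part worth writing down with the client before testing starts: once it exists, every (request, role) cell is a mechanical replay, which is why API access control testing scales better than the equivalent work in a browser-driven web application. The one finding this run produces is customer_b reading customer_a’s order, the horizontal case the matrix was built to catch.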
Example scope and cost
Testing an API with a moderate number of endpoints (around 100). Includes various request methods (GET (50), POST (20), PUT (10), DELETE (20)). Some documentation available (e.g., Swagger or Postman).
This could require around 3-4 days of testing. Assuming a day rate of £1,000, the cost could range from £3,000 to £4,000.
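Where Swagger/OpenAPI documentation exists, the endpoint and parameter counts that drive an estimate like the one above can be pulled straight from the spec rather than guessed on a scoping call. The script below is an added example, not from the original article: it walks an OpenAPI 3 `paths` object, counts operations per HTTP method and the parameters each carries (path and query parameters plus top-level JSON body properties), and converts the total into a day range using the article’s 20-30 endpoints per day. The sample spec is constructed, and the optional per-role multiplier (25% per additional role) is an assumption of this example, not a figure from the article.

```python
"""Scope an API from its OpenAPI 3 document: count operations per method and
the parameters each carries, then turn the totals into a day estimate.
Added example; the spec below is constructed and the rates are assumptions."""
import json
import math
from collections import Counter
from typing import Dict, Mapping, Tuple

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")

# Constructed cut-down OpenAPI 3 document (not a real product's API).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "paths": {
    "/orders": {
      "get": {"parameters": [{"name": "status", "in": "query"},
                             {"name": "page", "in": "query"}]},
      "post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object",
        "properties": {"sku": {}, "qty": {}, "coupon": {}, "address": {}}}}}}}
    },
    "/orders/{id}": {
      "parameters": [{"name": "id", "in": "path"}],
      "get": {},
      "put": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "properties": {"qty": {}, "address": {}}}}}}},
      "delete": {}
    },
    "/admin/users": {"get": {}}
  }
}
""")


def count_params(path_item: dict, op: dict) -> int:
    """Path-level and operation-level parameters plus top-level JSON body
    properties; these are the inputs a tester has to exercise."""
    n = len(path_item.get("parameters", [])) + len(op.get("parameters", []))
    for media in op.get("requestBody", {}).get("content", {}).values():
        n += len(media.get("schema", {}).get("properties", {}))
    return n


def summarise(spec: dict) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (operations per method, parameters per method)."""
    ops: Counter = Counter()
    params: Counter = Counter()
    for path_item in spec.get("paths", {}).values():
        for method in HTTP_METHODS:
            if method in path_item:
                ops[method.upper()] += 1
                params[method.upper()] += count_params(path_item, path_item[method])
    return dict(ops), dict(params)


def estimate_days(ops: Mapping[str, int], roles: int = 1,
                  per_day: Tuple[int, int] = (30, 20),
                  role_factor: float = 0.25) -> Tuple[int, int]:
    """(low, high) day estimate. per_day is the article's 20-30 endpoints per
    day; role_factor (25% extra effort per additional role, for access-control
    replay across roles) is an assumption of this example."""
    total = sum(ops.values()) * (1 + role_factor * max(roles - 1, 0))
    return math.ceil(total / per_day[0]), math.ceil(total / per_day[1])


if __name__ == "__main__":
    ops, params = summarise(SAMPLE_SPEC)
    for method in sorted(ops):
        print(f"{method:<7}{ops[method]:>4} ops {params[method]:>4} params")
    print("days (1 role):", estimate_days(ops))
    print("days (3 roles):", estimate_days(ops, roles=3))
```

At the raw 20-30 endpoints per day rate, the 100-endpoint example above comes out at 4-5 days; the article’s 3-4 days reflects that a documented, GET-heavy API goes faster than the headline rate, which is exactly the kind of adjustment the scoping call settles. The parameter totals per method are the figures to bring to that call, since they are what makes a POST-heavy API slower to test than a GET-heavy one of the same size.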
Network penetration testing prices are driven by the size and complexity of the network under review, the number of devices and endpoints included in the scope, and the variety of devices in the network itself (i.e. the volume of servers, desktop computers and so on).
Cost factors for Network Penetration Testing
- Network segmentation and overall complexity
- The presence of segmented networks increases the complexity of the test. Each segment may require different approaches and tools, significantly impacting the time and resources needed to test the environment. In some cases a “pentest box” (a machine configured for penetration testing, usually sent by the provider) may need to be moved between segments, which equates to more time required.
- Volume of devices
- The more devices (servers, routers, switches, firewalls, etc.) on the network, the more extensive the testing required.
- Another cost factor is whether the test will be conducted on-site (I.e. travelling to the client site, which includes paying for accommodation and general expenses) or off-site and remotely. The chosen vendor could also ship a “Pen Test Box” which is usually a NUC, or a Laptop, which can be connected to the network and operated remotely by the vendor. This is a popular option for many clients.
- Presence of Active Directory (Very common, obviously)
- Testing environments with complex Active Directory setups, including multiple domains or intricate trust relationships, requires more in-depth analysis to complete a comprehensive assessment, thereby increasing the effort and cost of the test.
- Virtualisation and Cloud Services
- Networks that make heavy use of virtualisation or cloud services may become more complex, especially if evaluations of cloud setups and virtual machine connections are required.
- Presence of wireless networks
- Including wireless security assessments (Wi-Fi, Bluetooth, etc.) adds another layer of complexity, requiring additional time for testing and analysis. Testing access points extensively usually requires an additional day.
Example scope and cost
Internal network testing for a small business with 50 employees. Includes servers, desktops, routers, and firewalls. Presence of Active Directory and basic network segmentation.
Likely to require 4-6 days of testing. With a day rate of £1,000, the estimated cost could be £4,000 to £6,000.
Mobile application penetration testing cost takes into account the unique app ecosystems of iOS and Android and the multiple versions of the app that may require testing. User roles, APIs and third-party integrations will all be taken into account.
Cost factors for Mobile Application Penetration Testing
- Platform Diversity & Complexity
- Testing applications across different platforms (iOS, Android etc.) increases complexity, as each platform has unique security features and vulnerabilities. Scoping a mobile assessment usually involves testing each platform independently.
- Overall complexity
- Complex mobile applications with a plethora of features and functions require more extensive testing, which affects the overall cost.
- Presence of an API (Very common)
- If the mobile application uses a back-end API, this will likely need to be tested using normal API testing methods. When scoping a mobile application penetration test, the volume of API methods/endpoints will increase the time taken for the test.
- Third party libraries and SDKs
- Mobile applications that make use of several third-party libraries or SDKs will need additional testing, because the security of those dependencies is taken into account.
- User roles and authentication mechanisms
- Just like with API and web testing, the presence of multiple user roles increases the access control testing requirements. Various authentication mechanisms may be used (OAuth etc.), which increases the scope of the testing.
Example scope and cost
Testing for a cross-platform mobile application (iOS and Android). Includes user authentication, third-party integrations, and backend API testing (50 endpoints). Multiple versions of the app.
Due to platform diversity and complexity, this could require around 6-8 days of testing. Assuming a day rate of £1,000, the cost could be in the range of £6,000 to £8,000.
How can the penetration test cost be reduced on a limited budget?
For organisations with budget constraints, there are ways to reduce the cost of penetration testing without compromising on essential security needs. It must be stated, however, that reducing the scope and depth of the test carries its own security risks, which can negate efforts to secure the environment.
- Asset prioritisation
- Identifying and focusing on critical infrastructure, assets and applications can reduce the days required for a penetration test. A targeted approach will ensure that only the most essential areas are thoroughly examined.
- Preparing for the assessment
- As discussed earlier, proper documentation and test readiness can reduce the scope and days required. Conducting internal vulnerability scans and addressing the “low hanging fruit” before the test commences can meaningfully reduce the attack surface and the volume of vulnerabilities a tester would usually discover. This needs to be addressed at the scoping stage of the assessment and properly detailed to the chosen vendor.
- Defining objectives and scope
- Be clear on the objectives of the assessment and make meaningful steps to reduce scope creep. Give an exact scope to the testing company and ensure that this scope does not change throughout the test.
- Negotiate on price
- It’s not unreasonable to negotiate with chosen providers on the price of the assessment. The proposed quote is usually determined from the scoping call prior to the assessment, based on the factors discussed in this post. If the price is too high or the scope is too broad, discuss this with the providers.
- Project phasing
- It’s not out of the question that the most critical assets should take priority. Phasing the assessment and determining the most critical assets to test first can be a great step towards reducing the cost of security assessments. Prioritise the most critical assets in the initial phases, then plan subsequent assessments as your budget allows throughout the year.
- Establishing vendor/customer relationships
- It goes without saying that establishing a good relationship with a provider can reduce your costs in the long run. If the work is being conducted by the same provider, the relationship is mutually beneficial and costs will likely fall over time, as the company becomes more familiar with your environment and its requirements the more they see it.
Let’s wrap things up. Thank you for reading if you have got this far. We have discussed extensively the numerous factors that feed into pricing an assessment. It should be clear that the primary determinants are the scope and complexity of the test, the testing perspective, and the many commercial factors that should be considered.
Organisations should understand that while costs vary based on these factors, the value of a thorough, expert penetration test in safeguarding digital assets is undeniable. The increase in cyber crime is undeniable too, and the cost of a potential security breach can far outweigh the cost of an assessment.
Ultimately a penetration test should be viewed as an investment for an organisation and a fundamental component of a modern digital business.