The short answer, up front
A typical web application penetration test costs roughly $5,000 to $35,000+ in 2026, per the published cost guides from DeepStrike, Blaze Infosec, Intruder, and Astra. Our price is $2,499, fixed, for a web and API penetration test: one real engineer plus 75 AI scanner modules, OWASP and NIST methodology, an executive PDF in 5 to 7 days, a free re-test after fixes, and a signed attestation letter.
That is the whole answer. The rest of this guide is the working: what the market actually charges by test type, the seven variables behind every quote, the four pricing models and who each suits, and the hidden fees to ask any vendor about, including us.
PENTEST COST IN NUMBERS (2026)
$5,000 to $35,000+ typical web-app range, per published guides
$1,000 to $3,000/day tester day rates, per Intruder's guide
4 to 6 weeks typical market engagement, scoping to report
$2,499 fixed our web + API test, report in 5 to 7 days
Not ready to spend anything? Run the free Ghost Scan first: a surface scan across 9 categories, no card, no signup. It tells you whether a full test is worth budgeting for.
What the market charges by test type
Published 2026 guides converge on one range for web applications and go quiet on almost everything else. Where no consensus range exists, vendors fall back to day rates. These are published market figures, not our measurements:
| Test type | Published 2026 figure | Source |
|---|---|---|
| Web application | $5,000 to $35,000+ | 2026 cost guides: DeepStrike, Blaze Infosec, Intruder, Astra |
| API | Usually bundled with the web app; standalone tests price by the day at $1,000 to $3,000/day | Intruder's published day rates |
| Mobile application | No consensus range published; day-rate priced | Intruder's published day rates |
| Internal network | Day-rate priced; scales with host count | Intruder's published day rates |
| Our web + API test | $2,499 fixed | Ghost Protocol published price |
One more market number worth knowing: a typical engagement runs 4 to 6 weeks end to end, from scoping call to delivered report. Budget the calendar, not just the invoice.
The 7 real cost drivers behind every quote
Every pentest quote is a function of seven variables. When two quotes for the same app differ by $20,000, the difference is hiding in one of these:
01 Scope
The number of applications, environments, and subdomains in the engagement letter. Doubling scope roughly doubles tester-days, and tester-days are the unit everything else is priced in.
02 User roles
Every role (anonymous, user, admin, tenant admin) multiplies the authorization test matrix. Broken-access-control testing is role-pair by role-pair work, and it is where real findings live.
03 Endpoint count
A 20-endpoint API and a 300-endpoint API are different jobs. Vendors count pages, forms, and API routes when they estimate days, which is why quotes need your sitemap.
04 Methodology depth
An automated scan with a human glance costs less than manual business-logic testing and chained exploitation. Depth is where quotes quietly differ the most, and the report rarely tells you which one you bought.
05 Tester seniority
Intruder's guide cites day rates of $1,000 to $3,000. The spread is seniority: a senior tester finds the chain a junior misses, and bills accordingly.
06 Compliance reporting
Attestation letters, framework mapping, and auditor Q&A add hours after the testing is done. Some vendors bill this separately, so a $6,000 test becomes an $8,000 line item.
07 Retest
Verifying your fixes is a second pass. Included at some vendors, a fresh invoice at others. It can change the true cost of the engagement by thousands.
Driver 04 deserves its own reading: the gap between an automated scan and a real penetration test is the single most misunderstood thing buyers pay for. We wrote it up in penetration testing vs vulnerability scanning.
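To make the seven drivers concrete, here is an added worked example (illustration written for this guide, not Ghost Protocol's pricing model or engine code). It enumerates the authorization test matrix that drivers 02 and 03 produce for a constructed sitemap, scales it by scope (01) and depth (04), adds retest (07) and reporting (06) time, and prices the result at the day-rate range cited above (05). The sitemap, the 40-cases-per-tester-day throughput, the depth multipliers and the retest fraction are assumptions chosen for illustration, not published figures.

```python
"""Pentest scoping calculator.

Added illustration, not Ghost Protocol's pricing model or code.  It turns the
cost drivers above into tester-days: roles x endpoints gives the access-control
test matrix, scope and depth scale it, and day rates turn days into a quote.
The sitemap, throughput, depth multipliers and retest fraction are assumptions.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Endpoint:
    path: str
    method: str
    tenant_scoped: bool  # reads/writes data owned by a user or tenant (IDOR candidate)


# Constructed sitemap for a small multi-tenant SaaS app (assumption).
SITEMAP = [
    Endpoint("/api/login", "POST", False),
    Endpoint("/api/projects", "GET", True),
    Endpoint("/api/projects", "POST", True),
    Endpoint("/api/projects/{id}", "GET", True),
    Endpoint("/api/projects/{id}", "DELETE", True),
    Endpoint("/api/admin/users", "GET", False),
    Endpoint("/api/admin/users/{id}", "PATCH", False),
]

# Driver 02: every role the application distinguishes.
ROLES = ["anonymous", "user", "tenant_admin", "admin"]

# Assumptions for illustration, not published figures.
CASES_PER_TESTER_DAY = 40          # manual authorization checks one tester verifies per day
DEPTH = {                          # driver 04: how much of the matrix is actually exercised
    "scan_plus_glance": 0.25,
    "manual": 1.0,
    "manual_plus_chaining": 1.5,
}
RETEST_FRACTION = 0.25             # driver 07: re-verifying fixes at a quarter of the test effort
DAY_RATE_LOW, DAY_RATE_HIGH = 1000, 3000  # driver 05: the day-rate range cited above


def authz_matrix(endpoints, roles):
    """Enumerate broken-access-control test cases (driver 02 x driver 03).

    Vertical: every role against every endpoint (can 'user' reach /api/admin/users?).
    Horizontal: for tenant-scoped endpoints, every ordered (actor, victim) pair of
    authenticated roles, i.e. the IDOR / cross-tenant checks.
    """
    authenticated = [r for r in roles if r != "anonymous"]
    vertical = [(role, ep) for ep in endpoints for role in roles]
    horizontal = [
        (actor, victim, ep)
        for ep in endpoints
        if ep.tenant_scoped
        for actor, victim in permutations(authenticated, 2)
    ]
    return vertical, horizontal


def estimate_tester_days(endpoints, roles, depth="manual", scopes=1,
                         retest=True, report_days=1.0):
    """Tester-days for one engagement; `scopes` is driver 01 (apps/environments)."""
    vertical, horizontal = authz_matrix(endpoints, roles)
    cases = len(vertical) + len(horizontal)
    testing = cases / CASES_PER_TESTER_DAY * DEPTH[depth] * scopes
    retest_days = testing * RETEST_FRACTION if retest else 0.0
    return {
        "cases": cases * scopes,
        "testing": testing,
        "retest": retest_days,
        "report": report_days,            # driver 06: attestation and framework-mapping hours
        "total": testing + retest_days + report_days,
    }


def day_rate_quote(tester_days, low=DAY_RATE_LOW, high=DAY_RATE_HIGH):
    """Driver 05: the same day count billed at junior versus senior rates."""
    return round(tester_days * low), round(tester_days * high)


if __name__ == "__main__":
    # Same app, same roles: only the depth changes, and the quote moves with it.
    for depth in DEPTH:
        est = estimate_tester_days(SITEMAP, ROLES, depth=depth)
        low, high = day_rate_quote(est["total"])
        print(f"{depth:22s} {est['cases']:3d} cases  "
              f"{est['total']:.2f} tester-days  ${low:,} to ${high:,}")
```

Run it and the three depth rows show the point driver 04 makes: the endpoint and role counts never change, yet the quoted range moves by a multiple, and nothing in a finished report reveals which row you bought. Swap in your own sitemap and role list to sanity-check a vendor's day estimate before the scoping call.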
The 4 pricing models, compared
Vendors price penetration tests four ways: by the day, by the asset, by subscription, or by fixed price. Each fits a different buyer:
Day rate
Intruder's 2026 guide cites $1,000 to $3,000 per tester-day.
Suits: bespoke scopes (complex estates, internal networks, anything that needs custom scoping).
Watch for: The total is unknown until scoping ends, and mid-test re-scoping means change orders.
Per-asset
Priced per app, per IP, or per endpoint block. No consensus figure is published.
Suits: Portfolios of similar assets, like ten near-identical brand sites.
Watch for: The definition of an asset gets argued. Multi-tenant apps blur the lines fast.
PTaaS subscription
Astra publishes Pentest Basic at $1,999/yr and Pentest Plus at $5,999/yr per target.
Suits: Teams that ship weekly and want continuous coverage wired into the dev workflow.
Watch for: Depth per test varies, and unused credits are still billed at renewal.
Fixed price
Our web + API penetration test is $2,499, published.
Suits: Startups, first pentests, and compliance deadlines with a fixed budget line.
Watch for: Only works when the scope is genuinely standard. If a vendor fixed-prices an unbounded scope, the depth flexes instead of the price.
Why most vendors will not publish a price
Most vendors do not publish prices because scope genuinely varies, and because unpublished prices let them quote per buyer. Both things are true at once.
The fair part first: for a mixed estate (internal network plus cloud plus mobile plus a red team exercise), “it depends” is simply correct. Nobody can price that from a web form, and a firm that tried would either overcharge you or under-deliver. The scoping call exists for a reason.
The less fair part: unpublished pricing also lets a vendor charge an enterprise and a seed-stage startup different numbers for similar work, and the sales call doubles as lead qualification. Rational for them. Opaque for you.
Here is the thing, though: a standard external test of one web app and its API, which is what most startups actually need, is standardizable. The scope can be defined once and priced once. That is the slice we fixed at $2,499, and it is why this page can name a number while most of the other pages in your search results cannot.
What our $2,499 actually buys
The fixed price covers the full engagement, line by line:
One real engineer end to end: the scoping call, finding verification, and the walkthrough. Not scan-and-send.
75 scanner modules run by PhantomDragon, our in-house engine (50 modules, 17-phase pipeline), with every finding human-verified before it reaches the report.
OWASP and NIST 800-115 methodology, with each finding mapped to the frameworks your auditor reads.
Executive PDF in 5 to 7 days, plus developer JSON and SARIF output for your CI pipeline.
Free re-test after you fix: we re-run the engagement and issue an updated report at no charge.
Signed attestation letter you can hand to auditors, enterprise customers, or VCs.
Expedited 72-hour delivery available for $1,000 extra, published, not discovered on the invoice.
Want to see the deliverable before you spend anything? The sample pentest report walks through the exact format, finding by finding.
Part of why the price can be fixed is how the work is delivered. The 2026 market has converged on hybrid human-plus-AI testing (XBOW, Horizon3.ai NodeZero, Synack, and PentestGPT each ship a version of it). Automation collects; the engineer verifies and chains. We wrote up the split in AI vs manual penetration testing.
For context, the full ladder, so you can start below $2,499 or continue past it:
| Tier | Price | What it is |
|---|---|---|
| Ghost Scan | Free | Surface scan across 9 categories. No card, no signup. |
| Deep Security Scan | $499 one-time | 75+ scanner modules, OWASP Top 10, executive PDF in ~48h, CSV export. |
| Penetration Test | $2,499 fixed | The engagement this guide describes. Web + API, engineer + 75 scanners. |
| Security Retainer | $2,999/mo | Quarterly pentest plus ongoing monitoring. |
What it does not cover, and when you need a bigger engagement
We test web applications and APIs. We do not test mobile apps, internal corporate networks, physical security, or run red team exercises. If your requirement includes any of those, we are not the right fit, and you should hire a firm that does them.
Budget expectations for those larger engagements, from published figures: at Intruder's cited day rates of $1,000 to $3,000, a two-week internal network engagement is $10,000 to $30,000 in tester-days alone (that is arithmetic on their published rate, not a quote). Fractional CISO's ranking piece prices quality engagements at $15,000 to $30,000, which matches.
PCI DSS buyers, read this before booking anyone: our engagement covers only the external application-layer slice of requirement 11.4, meaning the application-layer portion of 11.4.3 (external penetration testing) and the 11.4.4 retest loop for exploitable findings. We do not perform internal penetration testing (11.4.2) or segmentation testing (11.4.5), which PCI also requires. You will need a second vendor for those pieces.
Hidden costs to ask any vendor about
The quoted price and the invoiced price diverge in predictable places. Six questions to ask before signing, including with us:
Is the retest included, and within what window?
Many vendors bill it as a second engagement. Ours is free after fixes.
Are report revisions billed?
Auditors sometimes want the scope statement reworded. Ask whether that edit costs money.
What happens to the price when scope creeps?
A subdomain discovered mid-test can trigger a change order on day-rate contracts. Fixed price means fixed.
Is the findings walkthrough included?
Some firms charge for the call where they explain their own report. Ours is included.
What is the rush fee?
If expedited delivery is not published, it is negotiated when you are desperate. Ours is $1,000, published.
Is the attestation letter an add-on?
The letter is often the entire reason you bought the test. Confirm it is in the quote.
Cost of testing vs cost of a breach
The comparison that matters is not $2,499 against $15,000. It is $2,499 against what an incident costs: downtime, forensics, customer notification, lost deals, and in the worst case the business itself. We walked the full arithmetic, including the widely cited $4.88 million industry average, in the real cost of a data breach for small businesses. A small business does not pay the average; it pays a smaller number it often cannot survive.
Framed that way, a pentest is the cheapest line in the security budget. Even at the market's $35,000 ceiling it prices well below one incident. At $2,499, the question inverts: what justifies not testing?
Budgeting for compliance-driven testing
If an auditor is the reason you are buying, budget for the report artifact and its timing, not just the test itself.
SOC 2 does not explicitly require a penetration test, but auditors expect one as monitoring and control evidence, most commonly mapped to CC4.1. Timing matters more than most buyers realize: for a Type II report, the test should land inside the observation window, not before it. Our SOC 2 penetration testing page covers the scheduling in detail.
ISO 27001:2022 handles it through controls: A.8.8 (technical vulnerability management) lists periodic penetration testing among the vulnerability-identification methods, and A.8.29 (security testing in development and acceptance) covers testing before changes go live. The ISO 27001 penetration testing page maps our report to both.
On budget: Fractional CISO's ranking piece prices compliance-grade pentests around $5,000, with quality engagements at $15,000 to $30,000. Our $2,499 sits under that floor because the scope is fixed and the delivery is hybrid, and the attestation letter is the same artifact the auditor asks for.
First time through this process? Start with our first-pentest guide for startups.
A note for Sri Lanka buyers
Sri Lankan companies pay the same fixed price. For orientation only: at an indicative rate of roughly LKR 300 to the US dollar, $2,499 is in the region of LKR 750,000. That conversion is illustrative, we invoice in USD, and this is the only place we quote LKR.
On the regulatory side: the Personal Data Protection Act No. 9 of 2022 requires security safeguards and a Data Protection Management Programme but does not explicitly mandate penetration tests. Sri Lanka CERT|CC recommends periodic security assessments (at least annual) and published Web Application Security Guidelines for government organizations in 2022.
The full local picture, including who needs what and when, is in our VAPT in Sri Lanka guide, and the service itself is described on the penetration testing Sri Lanka page.
Penetration testing cost FAQ
How much does a penetration test cost in 2026?
Published 2026 cost guides from DeepStrike, Blaze Infosec, Intruder, and Astra put a typical web application penetration test at $5,000 to $35,000+. Ghost Protocol charges a fixed $2,499 for a web and API penetration test, including a free re-test after fixes.
Why is your penetration test $2,499 when most quotes start at $5,000?
Three reasons. We are a senior team based in Colombo, Sri Lanka, so engineering costs less than US rates. The scope is fixed (one web app plus API), so there is no scoping overhead. And our PhantomDragon engine runs 75 scanner modules, so the engineer spends time verifying and chaining findings instead of collecting them. The scope is narrower than a $30,000 engagement, and we say so plainly.
How long does a penetration test take?
A typical market engagement runs 4 to 6 weeks end to end, from scoping to report. Our fixed-scope engagement delivers the executive PDF in 5 to 7 days, with 72-hour expedited delivery available for $1,000 extra.
Will a $2,499 penetration test satisfy a SOC 2 audit?
SOC 2 does not explicitly require a penetration test, but auditors expect one as monitoring evidence, commonly mapped to CC4.1. Our report follows OWASP and NIST methodology and ships with a signed attestation letter, which is the artifact auditors ask for. Time the test so the report lands inside your audit window, especially for a Type II observation period.
Is the re-test included in the price?
Yes. After you fix the findings, we re-run the test and issue an updated report at no extra charge. Many vendors bill the retest as a second engagement, so ask any vendor this question before signing.
What is not included in the $2,499 engagement?
Mobile apps, internal networks, physical intrusion, social engineering, and red team exercises. For PCI DSS we cover only the external application-layer slice of requirement 11.4 (11.4.3 and the 11.4.4 retest loop), not internal or segmentation testing. If you need those, you need a larger engagement.