PRICING

Transparent pricing

Fixed prices, no hidden fees, no scope creep. Start free with a Ghost Scan, book the $2,499 fixed-price penetration test, or run Wyrm free on your own machine. Every number on this page is the same one you'll see on the product pages.

COST

What a penetration test costs

The honest answer to the penetration testing cost question is that the market is wide: 2026 cost guides from DeepStrike, Blaze Infosec, Intruder, and Astra put a typical web-and-API engagement at roughly $5,000 to $35,000+ once scoping, hours, and change orders are added up. That range is why penetration testing pricing is so hard to compare: you rarely know the number until the invoice arrives.

We price the penetration test at a flat $2,499 for the whole engagement: no hourly billing, no scope creep, one number quoted and held. Expedited 72-hour delivery is $1,000 extra. For teams that ship every week, the $2,999/month retainer turns the one-off engagement into continuous penetration testing: a fresh pentest every quarter with monitoring in between.

PRICING

Transparent Pricing. Real Results.

Security services with clear pricing: no hidden fees, no scope creep. Every pentest includes fix-it guidance and a free re-test.

Security Scan

AI-powered deep scan of your site or app

Best for: Small businesses launching a site or app

  • PhantomDragon AI runs 75+ scanner modules against your surface
  • Covers the OWASP Top 10: the most common web security gaps
  • Executive PDF report readable without a security background + CSV export for your developers
  • Delivered in 48 hours
FLAGSHIP

Penetration Test

A real engineer attempts to break into your system

Best for: Startups before a launch or fundraise

  • Everything in Security Scan: the AI sweep runs first, so engineer hours go where tools can't
  • Manual exploitation: auth bypass, session flaws, chained attacks
  • Business-logic testing (can someone skip payment? see another user's data?)
  • Fix-it guidance + a free re-test after you patch

Security Retainer

Ongoing protection for your team

Best for: Growing companies with regular code changes

  • Penetration test every quarter
  • Continuous monitoring: alerts when something looks off, not after the damage
  • Priority incident response when something breaks
  • Dedicated security engineer + monthly summary report + 24/7 hotline

Custom / Enterprise

Scoped to your specific needs

Best for: Regulated industries, mergers, or large platforms

  • Audits across multiple connected systems
  • SOC 2 / ISO 27001 preparation: the certifications enterprise buyers ask for
  • Dedicated engineering team + contractual SLAs

Flexible billing // PO-ready

Quotes on WhatsApp · +94 71 055 5055
QUESTIONS

Pricing questions

Straight answers on what costs what, what's free, and what's included.

How much does a penetration test cost?

Ghost Protocol's penetration test is a fixed $2,499, the whole web-and-API VAPT engagement, not an hourly estimate. For comparison, published 2026 cost guides (DeepStrike, Blaze Infosec, Intruder, Astra) put an equivalent engagement from a traditional firm at $5,000 to $35,000 once scoping, hours, and change orders are counted. We quote one number and hold it: no hourly billing, no scope creep. Expedited 72-hour delivery is $1,000 extra, and the ongoing security retainer is $2,999/month. Read the full penetration testing cost guide for the market math and how to compare quotes.

What does the $2,499 penetration test include?

A fixed-price engagement where a real engineer plus the 75+ AI-powered scanner modules try to break into your web app or API. You get an executive-readable PDF report, developer JSON + SARIF, a reproducible proof-of-concept for each high-severity finding, a free re-test after you patch, a 30-day Q&A inbox, and a signed attestation letter for auditors. Delivery is 5–7 days. No hourly billing and no scope creep.

What's free?

The Ghost Scan at ghosts.lk/scan is free forever: no signup, no credit card. It's an automated surface-level check of publicly visible configuration; results are generated in real time and not stored on our servers. Wyrm is also free to use locally with no limits, and a free 15-minute consult is available before any paid engagement.

How is the Ghost Scan different from the penetration test?

The free Ghost Scan is an automated check of publicly visible configuration. The $2,499 penetration test is a manual deep-dive: a real engineer actively tries to exploit your application logic, authentication, and infrastructure, then hands you a report an auditor will accept. The free scan tells you if anything obvious is exposed; the pentest tells you whether someone can actually break in.

Do you offer retainers?

Yes. The security retainer is $2,999/month and works as continuous penetration testing: a fresh pentest every quarter, continuous monitoring between engagements, priority incident response, a dedicated security engineer assigned to your account, a monthly summary report, and a 24/7 emergency hotline. It gives growing companies that ship code regularly a quarterly engagement instead of a single point-in-time test.

Can I expedite the pentest, and what does it cost?

Yes. Standard delivery is 5–7 calendar days. Expedited 72-hour delivery is available for an extra $1,000. Most engagements don't need it: SOC 2 auditors are comfortable with the standard 5–7 day turnaround.

How does Wyrm licensing work?

The free tier has no usage limits: install it via npm (wyrm-mcp), run `wyrm login` (free account), and add it to your MCP config in under 60 seconds. Wyrm is proprietary software (the Wyrm Terms of Service apply); your memory stays local on your machine. Paid plans add cloud and team features: Pro is $29/month (cloud sync, AES-256 encryption), Team is $199/month (shared memory, up to 25 seats), and Enterprise is $499/month (SSO/SAML, custom SLA, on-premise option).

How much does DragonScale cost?

DragonScale is a self-hosted commerce platform with no monthly fees and no per-order commissions; you own your data and infrastructure. It's deployed in Starter, Business, and Enterprise tiers scoped to your needs, so pricing depends on locations, customization, and support level. Contact us for a tailored quote.

Why is the pentest cheaper than the big firms?

We're a small senior team based in Sri Lanka, so engineering overhead runs roughly a fifth of US Bay Area rates and we pass that on. The work follows OWASP / NIST methodology and the report is built to be accepted by auditors and enterprise customers; only the overhead is lower, not the caliber.

Will the report be accepted by my auditor or enterprise customer?

Yes. Every report follows OWASP / NIST methodology and includes a scope statement, severity-ranked findings, an executive summary, remediation guidance, and a signed-and-dated attestation letter. The Pentest tier is designed to satisfy the penetration-testing evidence auditors request for SOC 2, ISO 27001, and PCI DSS. Anonymized sample reports are available under NDA before you commit.

Start free. Pay a fixed price when you're ready.

Run a free Ghost Scan in seconds, or book the fixed-price penetration test: one price, five to seven days, and a report you can hand to an auditor.