Introduction
A network penetration test at a mid-size company costs $15,000 to $40,000. A web application pentest runs $5,000 to $25,000 per application. Most organizations do not know what drives those numbers -- or how to compare quotes that vary by 300% for what appears to be the same scope. The SANS Institute's State of Penetration Testing and Bishop Fox's industry surveys consistently show that scope definition is the primary driver of cost variance: organizations that provide a clear, documented scope receive quotes clustered within 20% of each other, while vague scope leads to wide ranges that reflect different assumptions about what is included. Penetration testing cost also scales with regulatory requirements -- PCI-DSS requires annual pentests for in-scope environments, SOC 2 Type II assessments require evidence of pentest completion, and HIPAA Security Rule expectations include penetration testing as part of technical safeguard evaluation. Knowing the cost drivers before engaging vendors produces better quotes, better scoped engagements, and more useful outputs.
What This Calculator Does
This calculator estimates penetration testing cost based on test type (network, web application, mobile application, cloud infrastructure, social engineering, red team), engagement scope (number of IP ranges, applications, or users), methodology depth (automated scan with manual review vs. full manual test vs. red team), regulatory requirement (PCI-DSS, SOC 2, HIPAA, ISO 27001), and desired report format. It outputs an estimated cost range, a recommended test type matrix for the organization's profile, and a cost-per-finding benchmark.
The Formula
Penetration testing is priced on a day-rate model: the number of tester-days required multiplied by the daily rate of the testers involved. Day rates for qualified penetration testers range from $1,500 to $3,500 per day depending on experience, certification level (OSCP, GPEN, CRTO), and firm size. Scope units define effort: each /24 network range requires 0.5 to 1 day, each web application requires 2 to 5 days depending on complexity, each mobile application requires 3 to 7 days. Report writing adds 20-30% to test execution time. Compliance-oriented tests add documentation and evidence requirements that increase cost by 15-25%.
Step-by-Step Example
Define the test type and scope
Scope: external network pentest (2 x /24 IP ranges = 512 IPs) plus 3 web applications (2 standard complexity, 1 complex with API). External network: 2 ranges x 1 tester-day each = 2 days. Web apps: 2 standard x 3 days + 1 complex x 5 days = 11 days. Report writing: 20% of 13 days = 2.6 days. Total tester-days: 15.6.
Apply day rate
Mid-tier firm, senior testers (OSCP certified): $2,000/day. 15.6 days x $2,000 = $31,200. Large firm with brand premium: $2,800/day x 15.6 = $43,680. Boutique specialist firm: $1,800/day x 15.6 = $28,080. Quote range for this scope: $28,000-$44,000. This is the expected range for a well-defined mid-market pentest engagement.
Add compliance documentation requirements
PCI-DSS compliance pentest: requires quarterly scanning evidence, annual pentest of CDE, specific reporting format for QSA. Add 15-20% for compliance documentation and QSA-ready report format. $31,200 x 1.18 = $36,816 for PCI-DSS compliant test. SOC 2 evidence package: add $1,500-$2,500 flat for auditor-facing evidence package.
Compare quotes and evaluate scope coverage
Vendor A: $22,000 for the same scope -- likely automated scanning with limited manual validation. Vendor B: $31,500 -- full manual test matching the estimate. Vendor C: $58,000 -- likely includes additional scope or red team components. Evaluate quotes against the estimated tester-day calculation, not against each other in isolation. A $22,000 quote for 15.6 days of work at $1,400/day may reflect undertesting risk.
Real-World Use Cases
Pre-PCI-DSS Assessment Annual Pentest Budgeting
A payment processor must conduct an annual PCI-DSS penetration test of the cardholder data environment. Scope: 3 server segments, 2 applications. Estimated 10 tester-days at $2,200/day plus 15% PCI documentation premium: $25,300. Budgeted annually in security program budget. Previous year's test cost $38,000 -- using this estimator, the team clarifies scope documentation before vendor engagement and saves $12,700.
Pre-SOC 2 Type II Certification Test
A SaaS company preparing for its first SOC 2 Type II certification needs a penetration test to satisfy the availability and security criteria. Scope: 2 production web applications, cloud AWS environment (3 accounts). Estimated tester-days: 12 for apps + 4 for cloud = 16 days at $2,000 = $32,000 plus $2,000 evidence package. Total: $34,000. This figure is included in the SOC 2 readiness budget alongside $12,000 for gap assessment and $18,000 for audit fees.
Red Team Engagement for Financial Institution
A regional bank wants a red team assessment to test detection and response capabilities against an advanced persistent threat scenario. Scope: full attack simulation against corporate network and internet-facing assets, 30-day engagement. Red team engagements run $30,000 to $150,000 depending on scope. This engagement: 25 tester-days at $3,000/day (specialized red team skills) = $75,000. Justified by FAIR analysis showing adversarial simulation reduces expected annual ransomware loss by $240,000 -- 3.2x ROI.
Comparison
| Test Type | Typical Cost Range | Tester-Days (typical) | Regulatory Driver | Output |
|---|---|---|---|---|
| External Network Pentest | $5,000-$20,000 | 3-10 days | PCI-DSS, SOC 2 | Findings report + remediation guidance |
| Internal Network Pentest | $8,000-$25,000 | 5-12 days | HIPAA, SOC 2 | Lateral movement paths, AD attacks |
| Web App Pentest | $5,000-$25,000 per app | 3-8 days/app | PCI-DSS, SOC 2, OWASP | OWASP Top 10 findings + custom |
| Mobile App Pentest | $8,000-$30,000 | 5-10 days | Varies | Client/server, storage, transport |
| Cloud Config Review | $10,000-$35,000 | 5-12 days | ISO 27001, SOC 2 | Misconfiguration findings |
| Red Team Assessment | $30,000-$150,000 | 15-50 days | Regulatory readiness | Attack path narrative + gaps |
Common Mistakes to Avoid
Selecting the cheapest vendor without evaluating methodology. An automated vulnerability scan dressed as a penetration test may cost $3,000-$8,000 and produce a lengthy report with zero manually validated findings. This is not a penetration test -- it is a vulnerability assessment. The distinction matters for compliance: PCI-DSS Requirement 11.4 requires penetration testing that includes manual exploitation, not just automated scanning.
Scoping too broadly in the initial statement of work. 'Test our entire infrastructure' results in either a padded quote or an undertested engagement where testers spread effort thinly across a large surface. Define the crown jewel assets -- the systems that, if compromised, would cause material harm -- and scope the test around those. A focused 8-day test of critical systems is more valuable than a 20-day survey of everything.
Not including retesting in the engagement contract. A pentest that finds critical findings and closes with a report is only half an engagement. Remediation retesting -- verifying that identified vulnerabilities were actually fixed -- should be included in the original contract. Ad hoc retesting quoted after findings are delivered typically costs $2,000-$5,000 more than building it into the original engagement.
Accuracy and Disclaimer
Penetration testing cost estimates are based on 2026 market data from Bishop Fox, SANS Institute, and vendor rate surveys. Actual costs depend on scope definition, tester qualifications, methodology depth, and market conditions. Compliance testing requirements are based on PCI-DSS v4.0, SOC 2 criteria, and HIPAA Security Rule guidance current as of 2026. This calculator is for planning and budgeting purposes only and does not constitute professional security or compliance advice.
Conclusion
Penetration testing cost is only half the equation. To determine whether a pentest investment is financially justified relative to the risk it assesses, use our Risk Quantification Calculator to quantify the annual loss expectancy for the scenarios the test covers. For organizations sizing cyber coverage after a pentest uncovers material findings, our Cyber Insurance Premium Estimator models how control improvements affect premium costs.