"How much does a penetration test cost?" It's the first question most business owners ask, and the answer they usually get is frustrating: "It depends." That's technically true, but it's not helpful. So here's the honest version, with real numbers, based on what companies are actually paying in 2026.
The Short Answer
Most small and mid-sized businesses spend between $5,000 and $20,000 on a penetration test. A focused external network test for a simple environment might come in under $5,000. A comprehensive engagement that covers internal networks, web applications, and cloud infrastructure can run $30,000 or more. The global penetration testing market hit $2.74 billion in 2025 according to Fortune Business Insights, and it's projected to nearly triple by 2034. That growth is being driven by companies like yours realizing that a pentest isn't a luxury anymore.
What You'll Actually Pay, by Test Type
Penetration testing isn't one thing. The type of test you need depends on your environment, your compliance requirements, and where your real risk lives. Here's what each type typically costs in 2026:
| Test Type | Low End | Typical | High End |
|---|---|---|---|
| External Network | $3,000 | $8,000–$12,000 | $20,000 |
| Internal Network | $5,000 | $10,000–$15,000 | $30,000 |
| Web Application | $5,000 | $10,000–$15,000 | $30,000 |
| Wireless Network | $3,000 | $5,000–$8,000 | $10,000 |
| Social Engineering | $3,000 | $6,000–$10,000 | $15,000 |
| Cloud Infrastructure | $10,000 | $12,000–$20,000 | $50,000 |
| Full Red Team | $20,000 | $40,000–$60,000 | $120,000+ |
These numbers come from aggregated industry data published by firms like Blaze InfoSec, TCM Security, and Cobalt. The ranges are wide because pricing depends heavily on scope, but they give you a realistic framework for budgeting.
That said, where a firm falls within those ranges has a lot to do with how it operates. A firm that has performed hundreds of engagements and invested in custom tooling and automation around the repetitive phases of testing (reconnaissance, enumeration, evidence collection, report generation) can deliver a thorough engagement faster than a firm that still does everything manually. That efficiency doesn't mean cutting corners. It means the tester spends more of their hours on the work that actually matters: creative exploitation, lateral movement, and business logic testing. The time saved on the operational side translates directly into cost savings for the client.
For most small businesses, the sweet spot is an internal and external network assessment. That's where we find the most critical issues, and it's what insurance carriers and compliance frameworks most commonly require. A combined internal/external engagement typically runs $10,000 to $20,000 for a company with 50 to 200 employees, though firms with mature, modular platforms can often come in toward the lower end of that range without sacrificing depth.
What Drives the Price Up (and Down)
The single biggest factor in pentest pricing is scope. But "scope" is really several things bundled together:
Network size and complexity
A 20-person office with a flat network and one server is a fundamentally different engagement than a 200-person company with multiple VLANs, remote sites, and a hybrid cloud environment. More IP addresses, more subnets, and more applications all mean more time, and time is what you're really paying for. Senior penetration testers bill between $200 and $500 per hour depending on certifications and experience.
Compliance requirements
If you need your pentest to satisfy PCI DSS, HIPAA, SOC 2, or CMMC requirements, expect to pay more. Not because the testing itself is dramatically different, but because the reporting, documentation, and methodology need to meet specific standards. A compliance-driven report requires more detail, more precise scoping documentation, and often a specific testing framework. PCI DSS is the clearest example: Requirement 11.4 calls for a documented methodology based on industry-accepted approaches, both internal and external testing, and, if you rely on network segmentation to shrink your cardholder data environment, tests that prove the segmentation actually holds.
Testing approach
Black box testing (no information provided) takes longer because the tester starts from zero, and much of that time goes into discovering things you could simply have told them. Gray box testing (some access or documentation provided, such as network diagrams, a low-privilege account, or a list of in-scope hosts) is more efficient and often more thorough, because the tester spends less time on reconnaissance and more time on actually finding vulnerabilities. Black box still has a place when the specific question is "what can an outsider with no access reach?", but for most SMB engagements we recommend gray box because it delivers the most findings per hour you pay for.
Retesting
Many firms include a focused retest in their pricing. Others charge it as an add-on, typically $1,000 to $3,000. A retest validates that you actually fixed the issues found in the initial assessment, which is increasingly important for insurance renewals and compliance audits.
The Hidden Cost of Going Cheap
You can find pentest quotes for $1,500 or $2,000. They exist. But here's what you need to understand about what you're getting at that price point: it's almost certainly an automated vulnerability scan with a cover page.
There's an important distinction between cheap and efficient. A $2,000 "pentest" that's really just a Nessus scan with a logo on it is cheap. A firm that comes in below market rate because, after hundreds of engagements, it has built automation around the mechanical parts of the work is efficient. The difference is what happens between the scan and the report. Efficient firms automate the scaffolding so their testers can focus on the adversarial thinking that actually finds your vulnerabilities. Cheap firms automate the thinking out of the process entirely.
A legitimate penetration test involves a skilled human systematically attempting to compromise your systems. That person is analyzing your specific environment, chaining vulnerabilities together, testing business logic, and attempting lateral movement. An automated scanner can't do any of that. It matches service banners and versions against a database of published vulnerabilities and common misconfigurations, and generates a report. It won't notice that a low-severity information leak on one host hands an attacker the credential that opens another, and it won't notice that your application lets a user approve their own purchase order.
According to Cobalt's 2025 State of Pentesting report, based on over 5,000 annual engagements, only 48% of all vulnerabilities found in penetration tests ever get resolved. For critical findings, the resolution rate is better at 69%, but that still means nearly a third of serious vulnerabilities go unpatched. The companies that skip real testing in favor of a cheap scan don't even get to that starting point. They never find the vulnerabilities in the first place.
We've seen it firsthand: a company hands us a "clean" vulnerability scan report from another vendor, and within hours of actual testing, we're pulling domain admin credentials off their network. The scan didn't miss a vulnerability. It missed the entire attack chain.
The Real ROI Calculation
IBM's 2025 Cost of a Data Breach report puts the average U.S. breach cost at $10.22 million, an all-time high and a 9% increase over the prior year. For businesses under 500 employees, the average is $3.31 million. The average time to identify and contain a breach is 241 days.
Run the math on even a conservative scenario. A $15,000 penetration test that identifies a critical vulnerability, one that an attacker could have used to deploy ransomware or exfiltrate customer data, pays for itself many times over. Against the SMB average breach cost, that's a 220-to-1 return. Against the overall U.S. average, it's over 680-to-1. One caveat: those ratios only materialize if the finding gets fixed, and the Cobalt figures above say roughly half of pentest findings never are. The test buys you the knowledge; remediation is what buys the return.
And that's before you factor in the indirect costs: lost customers, regulatory fines, legal exposure, operational downtime, and reputational damage that doesn't show up in the initial breach cost calculation. IBM also found that breaches involving shadow AI (unauthorized AI tools processing company data) add an average of $670,000 to the total cost. These are exactly the kinds of risks that a thorough pentest helps identify.
Hiring In-House vs. Outsourcing
Some companies consider building an internal penetration testing capability. For large enterprises, this can make sense. For SMBs, the economics rarely work out:
- One senior penetration tester costs roughly $197,000 per year when you factor in salary, benefits, tools, training, and certifications.
- An outsourced annual program with multiple engagements typically runs $15,000 to $50,000 per year for a small business.
- Tool costs alone for a proper in-house capability (Burp Suite Pro, Cobalt Strike or similar, vulnerability scanners, lab infrastructure) run $10,000 to $30,000 annually.
Beyond the cost, there's the objectivity problem. Internal testers develop blind spots over time. They know the network, they know the workarounds, and they unconsciously avoid the areas they built or maintain. An outside team sees your environment the way an attacker does: fresh, with no assumptions, and no incentive to minimize findings.
How We Keep Our Pricing Lower
This is something we get asked about a lot, and we're happy to explain it. Our pricing consistently comes in below the industry averages listed above, and it's not because we're cutting corners. It's because we've invested heavily in building a platform that makes us faster.
After performing hundreds of penetration tests, we started seeing the same patterns in the operational side of every engagement. Reconnaissance, enumeration, evidence collection, report assembly — these phases follow a repeatable structure. So we built custom automation around them. Our platform handles the mechanical work so our testers can spend their hours on what actually matters: creative exploitation, lateral movement, and testing the business logic that's unique to your environment.
The result is a modular approach. Instead of billing for a monolithic engagement where every phase is built from scratch, we have pre-built components that snap together based on your scope. You get a thorough, professional-grade assessment with full CVE mapping, CVSS scoring, exploitation evidence, and prioritized remediation — but you're not paying for us to reinvent the wheel on the parts of the process we solved a long time ago.
Over hundreds of engagements, those efficiencies compound significantly. We pass those savings through to our clients rather than pocketing wider margins. It's the same reason a contractor who's framed 500 houses can give you a better price than one who's framed 10 — not because the house is worse, but because they've figured out how to build it smarter.
How to Budget for It
If you've never had a penetration test, here's a practical approach to budgeting:
- Start with your compliance requirements. If you need a pentest for PCI, HIPAA, SOC 2, cyber insurance, or Ohio's new cybersecurity law (effective July 2026), that defines your minimum scope.
- Get your numbers ready. How many employees? How many locations? How many servers, workstations, and cloud services? How many web applications? These are the first questions any honest pentest firm will ask you.
- Budget $10,000 to $15,000 for a first engagement. That covers a combined internal/external network assessment for most small businesses with under 200 employees. If you need web application testing on top of that, add another $5,000 to $10,000.
- Plan for annual testing. One-time pentests satisfy today's requirement but don't build a security posture. Annual testing lets you measure progress, satisfy ongoing compliance, and keep your insurance carrier happy.
Questions to Ask Before You Sign
Not all pentest firms are equal. Before you commit, ask these questions:
- Who is doing the testing? You want to know the qualifications of the actual humans who will be on your network. Look for OSCP, PNPT, GPEN, or CREST certifications. If they can't name the testers, that's a red flag.
- What methodology do you follow? PTES, the OWASP Testing Guide (WSTG) for web applications, NIST SP 800-115, or a documented internal methodology are all acceptable answers. "We run Nessus" is not.
- What does the report include? You need CVE references where a finding corresponds to a published vulnerability, CVSS scoring, evidence of exploitation (screenshots, command output), and prioritized remediation steps. Don't expect every finding to carry a CVE: business logic flaws, weak credentials, and misconfigurations rarely do, and those are often the findings that matter most. If the report is just a scanner export, you're paying for a vulnerability scan, not a pentest.
- Is retesting included? Some firms include a focused retest 30 to 60 days after the initial engagement. Others charge extra. Either is fine, but know what you're getting.
- Can you provide references in my industry? A firm that's tested environments like yours will scope more accurately and deliver more relevant findings.
The Bottom Line
A penetration test is one of the highest-ROI security investments a small business can make. The cost is real but manageable: most SMBs spend $10,000 to $20,000 for a thorough assessment that identifies vulnerabilities an attacker would actually exploit. Compare that to the $3.31 million average breach cost for businesses your size, and the math speaks for itself.
The companies that treat pentesting as an annual investment rather than a one-time checkbox are the ones building real security postures. They're getting better insurance terms, meeting compliance requirements before the deadline, and sleeping better knowing their network has been tested by professionals who think like attackers.
Don't know where to start? That's what the initial scoping call is for. A good firm will help you figure out exactly what you need, nothing more and nothing less.
Find Out Exactly What Your Pentest Should Cost
We'll scope your environment, recommend the right type of test, and give you a straightforward quote. No surprises, no upsells.
Get a Free Quote