Penetration Testing Cost by Type
Web App · Network · Cloud · Mobile · API · Red Team · Social Engineering — with day-rate breakdowns and PTaaS alternatives (2026)
We do not sell penetration testing services. This site is not affiliated with any pentest vendor or security firm. All prices are independently researched from publicly available quotes, industry surveys, and published rate cards.
Day rate basis: All prices below are based on £1,000–£1,800 / $1,200–$2,500 per consultant day at a boutique CREST-accredited firm. Freelancers may be 30–40% lower; Big 4 firms 2–3× higher. If your quote implies less than £800/day ($1,000/day), ask specifically what percentage of the test is manual vs automated.
🌐 Web Application Penetration Test
5–10 consultant days · OWASP Testing Guide v4.2 · PTES
£4,000–£30,000
£1,000–£1,500/day
What's Covered
Testing web applications against OWASP Top 10 vulnerabilities including SQL injection, XSS, CSRF, authentication flaws, and business logic vulnerabilities. Covers both automated scanning and manual expert analysis.
- Automated vulnerability scanning (Burp Suite Pro, OWASP ZAP)
- Manual exploitation of identified vulnerabilities
- Authentication and session management testing
- Business logic flaw analysis
- API endpoint testing (if in scope)
- CVSS-scored findings report with PoC evidence
- Remediation guidance per finding
- Re-test window (typically 30–60 days)
PTaaS Alternative
Astra Security from $1,499/year · BreachLock from $4,999
Watch for: Web app tests priced below £3,000 almost always represent automated scanning only. A genuine manual test requires a minimum of 3–5 days for a simple application.
🔌 Network Penetration Test
3–5 consultant days · PTES · NIST SP 800-115
£4,000–£25,000
£1,000–£1,500/day
What's Covered
Assessment of network infrastructure including firewalls, routers, switches, servers, and Active Directory environments. Identifies exploitable vulnerabilities before attackers do.
- External perimeter scan and vulnerability identification
- Internal network sweep and host enumeration
- Active Directory assessment (privilege escalation, Kerberoasting, LLMNR poisoning)
- Network segmentation validation
- Vulnerability exploitation and impact demonstration
- Lateral movement path identification
- Firewall and ACL rule analysis
- Executive + technical report with CVSS scoring
PTaaS Alternative
Intruder continuous scanning from £2,499/year
Watch for: External-only network tests miss internal threats — the most damaging attacks are often insider or post-breach lateral movement. Budget for both.
☁️ Cloud Infrastructure Penetration Test
5–10 consultant days · CIS Benchmarks · CSA Cloud Controls Matrix · AWS/Azure/GCP Security Frameworks
£5,000–£40,000
£1,000–£1,800/day
What's Covered
Assessment of cloud infrastructure configuration, IAM policies, network security groups, storage permissions, and service-specific security controls across AWS, Azure, or GCP.
- IAM policy review and privilege escalation testing
- Storage bucket / blob configuration review
- Network security group and firewall rule analysis
- Compute instance security review
- Serverless function security assessment
- Container and Kubernetes security review (if applicable)
- Cloud-native logging and monitoring gaps
- Misconfiguration exploitation with PoC evidence
PTaaS Alternative
Wiz continuous CSPM from $15,000/year (validation of findings still requires manual pentest)
Watch for: Cloud pentests require written authorisation from your CSP. AWS, Azure, and GCP all have penetration testing policies — your provider should handle this but confirm before engagement start.
📱 Mobile Application Penetration Test
5–8 consultant days · OWASP MASTG (Mobile Application Security Testing Guide) · OWASP MASVS
£5,000–£28,000
£1,000–£1,500/day
What's Covered
Static and dynamic analysis of iOS and Android applications. Covers data storage, network communication, authentication, session management, and client-side controls.
- Static analysis (reverse engineering, decompilation)
- Dynamic analysis (runtime testing, traffic interception)
- Data storage security review (local databases, shared prefs, keychain)
- Network traffic analysis (certificate pinning, TLS configuration)
- Authentication and session token security
- API endpoint testing from mobile context
- Platform-specific issues (iOS Keychain, Android Intents)
- MASVS compliance report
PTaaS Alternative
BreachLock mobile from $7,999 one-time
Watch for: Ensure your provider has experience with your specific platform version. iOS 17 and Android 14 introduced security changes that require updated tooling and techniques.
🔗 API Penetration Test
3–6 consultant days · OWASP API Security Top 10 · REST/GraphQL/gRPC testing methodologies
£3,500–£22,000
£1,000–£1,500/day
What's Covered
Dedicated testing of REST, GraphQL, or gRPC APIs. Covers authentication, authorisation, injection attacks, rate limiting, mass assignment, and business logic flaws specific to API contexts.
- Authentication mechanism testing (JWT, OAuth 2.0, API keys)
- Broken Object Level Authorization (BOLA/IDOR) testing
- Mass assignment vulnerability assessment
- Rate limiting and resource exhaustion testing
- Injection testing (SQLi, NoSQLi, command injection via API)
- GraphQL introspection and batching attacks (if GraphQL)
- Business logic flaw analysis
- API documentation gap analysis
PTaaS Alternative
Often most cost-effective as an add-on to a web app test — ask for combined pricing
Watch for: API tests without an OpenAPI/Swagger specification take significantly longer to complete. Provide API documentation at scoping to avoid scope creep and cost overruns.
🎯 Red Team Engagement
2–8 weeks · TIBER-EU · CBEST · MITRE ATT&CK · PTES
£15,000–£100,000+
£1,200–£3,500+/day
What's Covered
Adversary simulation targeting specific 'crown jewel' systems. Multi-operator teams using custom tooling, tradecraft, and TTPs to emulate specific threat actor profiles. Fundamentally different from a pentest — the goal is stealth, persistence, and reaching defined objectives, not finding all vulnerabilities.
- Threat actor profiling and objective definition
- Custom C2 infrastructure and implant development
- OSINT and reconnaissance phase
- Initial access via multiple vectors (phishing, external vulnerabilities, physical)
- Post-exploitation, privilege escalation, and lateral movement
- Persistence and data exfiltration simulation
- Blue team detection assessment
- Purple team debrief session
- Adversary simulation report with ATT&CK TTP mapping
PTaaS Alternative
No PTaaS equivalent — red team engagements require human operators and cannot be automated
Watch for: Red team engagements are not suitable as a first security test. Your organisation needs mature vulnerability management, an incident response plan, and a blue team before red teaming delivers value.
🤖 AI / LLM Penetration Testing
Emerging category · Pricing not yet standardised
£5,000–£30,000 (est.)
An emerging category covering adversarial testing of AI systems: LLM prompt injection, model inversion attacks, training data extraction, jailbreaking, and AI-assisted decision system manipulation.
- Prompt injection and jailbreak testing for LLM-integrated applications
- Training data extraction and membership inference
- Model inversion and attribute inference attacks
- AI decision system manipulation (fraud detection bypass, content moderation bypass)
- Adversarial input generation for computer vision systems
Pricing is not yet standardised — few firms have published rate cards for this category. Expect boutique AI-focused security firms to charge 20–40% above standard web app rates due to specialist expertise.
Duration: 3–8 consultant days
PTaaS Platform Comparison (Pentest-as-a-Service)
| Platform | Pricing | Coverage | Compliance |
|---|---|---|---|
| Astra Security | $999–$3,999/year | Continuous scanning + annual pentest certificate | SOC 2, GDPR |
| Intruder | £2,499–£9,999/year | Continuous vulnerability scanning + manual tests | SOC 2, ISO 27001 |
| BreachLock | From $4,999/year | PTaaS + compliance reporting dashboard | SOC 2, PCI DSS, ISO 27001 |
| Cobalt | From $4,900/year | Crowd-sourced pentesting via Cobalt Core | SOC 2, PCI DSS |
| HackerOne | Custom pricing | Bug bounty + pentest programmes | SOC 2, PCI DSS, ISO 27001 |
PTaaS platforms trade depth for continuity. Appropriate for startups needing SOC 2 evidence. For PCI DSS or DORA, a traditional bespoke engagement is required.
🎣 Social Engineering & Phishing Simulation
1–3 weeks · PTES Social Engineering · NIST SP 800-115
£2,500–£18,000
£800–£1,400/day
What's Covered
Simulated phishing campaigns, vishing (voice phishing) scenarios, and pretexting exercises to assess human vulnerability across the organisation. Measures click rates, credential submission, and escalation behaviour.
PTaaS Alternative
Dedicated platforms: KnowBe4 from £2,000/year · Proofpoint Security Awareness from £3,000/year
Watch for: Phishing simulations must be disclosed to your legal and HR teams before launch. Staff disciplinary action based on simulation results alone is a legal and ethical minefield — use data for training, not punishment.