BUYER'S TOOL

How to Evaluate a Penetration Testing Quote

A buyer's framework for 2026. Calculate implied day rate, check for red flags, and verify your proposal covers the right deliverables.

We do not sell penetration testing services. This site is not affiliated with any pentest vendor or security firm. All prices are independently researched from publicly available quotes, industry surveys, and published rate cards.

Day Rate Calculator

Divide the quote total by the number of testing days to get the implied day rate. If the quote does not state the number of days, ask the vendor before comparing, and confirm whether the figure covers testing days only or also reporting and re-testing. A web application test is typically 5–10 days.

Below £800/day: automated scan territory. Expect the work to be largely tool-driven with little manual testing.

£800–£1,200/day: verify certifications. Confirm who will do the work and what qualifications they hold before accepting.

£1,200–£1,800/day: fair market rate.

£1,800+/day: enterprise / Big 4 pricing.

Red Flag Checklist

Each item that applies to your quote warrants a follow-up question to the vendor before signing.

What a Good Proposal Includes

Before engagement

During engagement

Deliverables

RFP Template

For organisations running a formal procurement process. Copy and adapt.

rfp-pentest-template.txt
PENETRATION TESTING REQUEST FOR PROPOSAL
Organisation: [Your organisation name]
Date: [Date]
Response required by: [Date]

1. SCOPE
   Test type: [Web application / Network / Cloud / Mobile / API / Red Team]
   Environment: [Brief description - production / staging / both]
   Assets in scope: [URLs, IP ranges, application count]

2. ENGAGEMENT MODEL
   Testing approach: [Black-box / Grey-box / White-box]
   Compliance requirement: [PCI DSS / SOC 2 / ISO 27001 / None]
   On-site requirement: [Yes / No / Partial]

3. COMPLIANCE AND CERTIFICATION REQUIREMENTS
   Required accreditations and certifications: [CREST member company / NCSC CHECK / individual tester certifications such as OSCP as a minimum]
   Report format: [Standard / PCI DSS audit-ready / SOC 2 evidence package]
   Assessor or auditor who will receive the report: [QSA name if PCI DSS / Auditor firm if SOC 2]

4. REPORTING REQUIREMENTS
   Executive summary: Required
   Technical findings with reproduction steps, evidence and CVSS scoring: Required (state the CVSS version used)
   Remediation guidance: Required per finding
   Re-test: Available for a minimum of 30 days after report delivery

5. TIMELINE
   Preferred start date: [Date]
   Report delivery deadline: [Date]
   Re-test completion: [Date]

6. COMMERCIAL REQUIREMENTS
   Budget range: [If disclosable]
   Pricing model: Fixed price preferred
   Payment terms: [30 days / 60 days]

7. MANDATORY QUESTIONS
   a. What methodology does your team follow for this test type?
   b. What proportion of testing time is manual versus automated tooling?
   c. Who will conduct the engagement (named testers; employees or subcontractors)? Please provide their certifications.
   d. Can you provide a redacted sample report?
   e. What is your escalation procedure for critical findings discovered during testing, and how quickly are we notified?
   f. What professional indemnity insurance do you carry, and what is the cover limit?
   g. Is re-test included? What is the scope of the re-test?