Verified May 2026

How we source penetration testing cost figures

Cost bands on this site triangulate three input streams: standards-body and accreditation-body guidance (OWASP, NIST, CREST, PCI Council), public day-rate and engagement-pricing guidance from named pentest firms, and practitioner panels. No single source anchors a single figure; bands reflect the cross-source spread.

Primary sources

OWASP Web Security Testing Guide (WSTG v4.2)
https://owasp.org/www-project-web-security-testing-guide/
Annual review (WSTG v4.2 cycle)

Source for the web application pentest scope taxonomy. The OWASP Top 10 (2021 release) and the WSTG test categories set the web-app test boundaries (injection, authentication, session management, authorisation, business logic, API endpoint enumeration) used in the web-app test definition on the by-type page.

NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
https://csrc.nist.gov/publications/detail/sp/800-115/final
Stable reference (last revised Sept 2008, still authoritative for federal/FedRAMP scoping)

Source for the four-phase pentest methodology (planning, discovery, attack, reporting) underpinning the engagement-day count and the simple/moderate/complex scope-tier multipliers. FedRAMP cost figures on the /compliance page anchor to the SP 800-115 four-phase model.

CREST OVS / CBEST published guidance
https://www.crest-approved.org/
Annual review against the CREST register

Source for accredited-firm day-rate context (UK and international) and the procurement-grade tester credential framework. CREST Registered Tester (CRT), CREST Certified Tester (CCT), and CREST Certified Simulated Attack Manager (CCSAM) are the credential tiers that accredited firms' published rate cards distinguish; those tiers inform the boutique vs Big 4 bands on /providers.

PCI Council ASV programme + PCI DSS v4.0 Requirement 11.4
https://www.pcisecuritystandards.org/
Annual review aligned to PCI DSS v4.0 enforcement cycle

Source for compliance-driven pentest cadence (annual, plus after any significant change to the cardholder data environment) and the distinction between a PCI ASV scan and a full pentest. ASV external vulnerability scans (Requirement 11.3.2, ~$2K-$4K/quarter) do not satisfy the Requirement 11.4 penetration-testing requirement on their own; the /compliance page keeps the two separate.

Named pentest firm public day-rate guidance (tier bands only)
multiple public sources (tier-band aggregation, not per-firm pricing)
Quarterly cross-check of public pricing pages

Tier bands - not per-firm pricing. Named firms whose published rate cards, RFP responses, and engagement-pricing pages informed the bands: Trustwave SpiderLabs, Rapid7, Schellman, NCC Group, Cobalt, HackerOne, Bishop Fox, NetSPI, Coalfire, Secureworks. The site publishes the cross-firm spread (boutique $1,200-$2,500/day, mid-tier $1,500-$2,800/day, Big 4 $2,000-$3,500/day, freelancer $800-$1,500/day) - not which firm charges what.

Practitioner panels and contractor day-rate data
https://www.itjobswatch.co.uk/jobs/uk/penetration%20tester.do
Monthly check against IT Jobs Watch trailing-3-month median

UK pentest contractor day-rate panels (IT Jobs Watch), r/cybersecurity practitioner write-ups, SANS Internet Storm Center practitioner panels. These inform the contractor/freelancer end of the rate spread independently from firm-published guidance.

In scope

  • Engagement-level cost bands by test type (network, web app, mobile, cloud, API, red team, social engineering, wireless/IoT)
  • Day-rate bands by provider tier (freelancer, boutique, mid-tier, Big 4, PTaaS subscription)
  • Annual programme cost by company size (startup, SMB, mid-market, enterprise)
  • Compliance-driven cadence by framework (PCI DSS, SOC 2, ISO 27001, HIPAA, FedRAMP, CMMC)
  • Scope multiplier handling (IP / app count, role complexity, white-box vs black-box test economics)
  • PTaaS subscription vs traditional engagement break-even math (Cobalt, Synack, HackerOne reference points)

Out of scope

  • Per-firm rate cards (the site publishes the band, not the named-firm specific quote)
  • Per-customer engagement values (specific contract values are described in band terms only)
  • Side-by-side firm capability grids (pentest firm specialisations shift year-on-year; static grids go stale)
  • Vendor-specific marketing claims (claims of breach prevention, time-to-finding, etc. are not endorsed)
  • Region-by-region day-rate breakdowns beyond the UK/US axis (insufficient public data for accuracy)
  • Internal SOC, GRC, or other security-programme costs not directly tied to pentest scope

Calculation framework

The calculator on the home page and the engagement-cost bands across the sub-pages are built on six mechanical components. None of these are vendor-specific; all reflect the cross-firm public-data spread.

Day-rate tier bands

Boutique firm $1,200-$2,500/day. Mid-tier $1,500-$2,800/day. Big 4 $2,000-$3,500/day. Freelancer/independent $800-$1,500/day. PTaaS subscription $20K-$50K/year (annualised, not per-day). Bands reflect the cross-firm spread across the named providers listed above; no firm-specific values are published.

Engagement-day count (NIST SP 800-115 four-phase model)

Standard web app pentest: 5-10 days. Network test: 5-10 days. Mobile test: 5-8 days. Cloud test: 7-12 days. API test: 3-7 days. Red team: 10-40 days (2-8 weeks, 2-4 operators). Reporting and retest typically add 20-30 percent on top of the active engagement count.

Scope multipliers

Simple (single app, 1-2 user roles): baseline. Moderate (3-5 roles, API integration, moderate feature set): 1.5-2.0x. Complex (10+ roles, multiple APIs, file uploads, complex workflows): 2.5-4.0x. White-box source-code review adds 20-40 percent. Black-box reduces by 10-15 percent but limits depth. Grey-box is the practitioner default and the baseline assumption on this site.

Retest scoping

Retest of Critical and High findings included upfront: typically +10-15 percent on the original engagement. Retest added after the engagement closes: 20-30 percent of original (the provider must re-familiarise with the environment). The /reduce-costs page recommends bundling retest into the original SOW for the saving.

Credential premium

CREST CRT, OSCP, OSEP, CRTL credentials carry a day-rate premium of 10-25 percent over uncertified testers in the same firm tier. Big 4 firms staff certified-only by default; boutiques typically offer a mix. The /providers page surfaces the credential question for procurement.

PTaaS pricing model translation

PTaaS subscriptions (Cobalt, Synack, HackerOne, NetSPI Resolve) annualise differently from traditional engagements. Cobalt and equivalents typically price $20K-$50K/year per scope (1-2 apps + supporting infrastructure). Synack and HackerOne enterprise tiers run $50K-$150K+/year. The site annualises traditional engagements at expected cadence (typically annual + change-driven) for like-for-like comparison.
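The six components above combine into one estimate. The following TypeScript is an added example, not the site's own calculator code. The band values are the figures published on this page, but everything about how they combine is an assumption of this example: the multiplication order, keeping the 20-30 percent reporting overhead and the retest option as two separate factors, the defaults (simple scope, grey-box, no retest, uncertified), and rounding to the nearest $100. It also annualises an engagement at a chosen cadence and computes the cadence at which the traditional midpoint reaches the PTaaS midpoint, which the page describes but does not show.

```typescript
// Added example of the six-component estimate described on this page.
// Band figures are the page's published numbers; the combination order,
// defaults and rounding are assumptions of this example, not the site's code.

type Tier = "freelancer" | "boutique" | "midTier" | "big4";
type TestType = "webApp" | "network" | "mobile" | "cloud" | "api" | "redTeam";
type Scope = "simple" | "moderate" | "complex";
type Access = "blackBox" | "greyBox" | "whiteBox";
type Retest = "none" | "bundled" | "postClose";

interface Band { low: number; high: number }

// Component 1: day-rate tier bands (USD/day).
const DAY_RATE: Record<Tier, Band> = {
  freelancer: { low: 800, high: 1500 },
  boutique: { low: 1200, high: 2500 },
  midTier: { low: 1500, high: 2800 },
  big4: { low: 2000, high: 3500 },
};

// Component 2: active engagement days per test type.
const ENGAGEMENT_DAYS: Record<TestType, Band> = {
  webApp: { low: 5, high: 10 },
  network: { low: 5, high: 10 },
  mobile: { low: 5, high: 8 },
  cloud: { low: 7, high: 12 },
  api: { low: 3, high: 7 },
  redTeam: { low: 10, high: 40 },
};
// Reporting overhead on top of the active day count (assumed separate from retest).
const REPORTING_MULT: Band = { low: 1.2, high: 1.3 };

// Component 3: scope multipliers; grey-box is the baseline access level.
const SCOPE_MULT: Record<Scope, Band> = {
  simple: { low: 1, high: 1 },
  moderate: { low: 1.5, high: 2.0 },
  complex: { low: 2.5, high: 4.0 },
};
const ACCESS_MULT: Record<Access, Band> = {
  greyBox: { low: 1, high: 1 },
  whiteBox: { low: 1.2, high: 1.4 },
  blackBox: { low: 0.85, high: 0.9 },
};

// Component 4: retest scoping, bundled vs added after close.
const RETEST_MULT: Record<Retest, Band> = {
  none: { low: 1, high: 1 },
  bundled: { low: 1.1, high: 1.15 },
  postClose: { low: 1.2, high: 1.3 },
};

// Component 5: credential premium over uncertified testers in the same tier.
const CREDENTIAL_MULT: Band = { low: 1.1, high: 1.25 };

// Component 6: PTaaS subscription per scope, annualised (USD/year).
const PTAAS_ANNUAL: Band = { low: 20_000, high: 50_000 };

interface Engagement {
  tier: Tier;
  testType: TestType;
  scope?: Scope;       // default "simple" (baseline)
  access?: Access;     // default "greyBox" (the site's baseline)
  retest?: Retest;     // default "none"
  certified?: boolean; // default false
}

// Interval product: every factor is positive, so low*low and high*high bound the result.
function mul(a: Band, b: Band): Band {
  return { low: a.low * b.low, high: a.high * b.high };
}

function roundTo(b: Band, step: number): Band {
  return { low: Math.round(b.low / step) * step, high: Math.round(b.high / step) * step };
}

// Per-engagement cost band for one scope, rounded to the nearest $100.
function estimate(e: Engagement): Band {
  let cost = mul(DAY_RATE[e.tier], ENGAGEMENT_DAYS[e.testType]);
  cost = mul(cost, REPORTING_MULT);
  cost = mul(cost, SCOPE_MULT[e.scope ?? "simple"]);
  cost = mul(cost, ACCESS_MULT[e.access ?? "greyBox"]);
  cost = mul(cost, RETEST_MULT[e.retest ?? "none"]);
  if (e.certified) cost = mul(cost, CREDENTIAL_MULT);
  return roundTo(cost, 100);
}

// Annualise a traditional engagement at an expected cadence
// (e.g. 1 annual test + 1 change-driven test = 2 per year).
function annualise(perEngagement: Band, engagementsPerYear: number): Band {
  return { low: perEngagement.low * engagementsPerYear, high: perEngagement.high * engagementsPerYear };
}

// Cadence (engagements/year) at which the traditional band midpoint reaches
// the PTaaS band midpoint; above this, the subscription is the cheaper model.
function ptaasBreakEven(perEngagement: Band, ptaas: Band = PTAAS_ANNUAL): number {
  const mid = (b: Band) => (b.low + b.high) / 2;
  return mid(ptaas) / mid(perEngagement);
}
```

A simple boutique web-app test comes out at $7,200-$32,500 per engagement under these assumptions, which gives a PTaaS break-even of roughly 1.8 engagements per year against the $20K-$50K subscription band. Compounding every high-end multiplier widens the band quickly: a complex, white-box, certified Big 4 cloud test with bundled retest spans $61,000-$439,500, which is the page's "30-50 percent in either direction" scoping caveat expressed in numbers, and is why the calculator should be read as a band rather than a quote.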

Refresh cadence

Day-rate bands and engagement-cost figures are re-verified against public sources in the first business week of each month. The current verified label reads May 2026. The verification date is held in a single TypeScript constant (LAST_VERIFIED_DATE) imported by every page. Footer text, Article schema dateModified, and visible page headings all read from that single source, so the label cannot drift between pages.

Out-of-cycle refresh triggers:

  • Material movement (10 percent or more) in published pentest firm day rates across the named-firm panel over a 12-month sample.
  • CREST or NCSC CHECK scheme guidance change affecting tester credentials or accreditation scope.
  • PCI Council enforcement update affecting Requirement 11.4 scope or cadence.
  • Major NIST SP 800-115 revision or successor publication.
  • Material shift in published PTaaS subscription pricing (Cobalt, Synack, HackerOne enterprise tier disclosures).

Cosmetic date bumps are not made. The label moves only when a substantive review has happened.

Limitations

Pentest pricing is one of the most opaque corners of the security market. Many firms decline to publish day rates in writing; others publish day rates that are negotiable down 20-30 percent in practice. Bands on this site reflect the cross-source published spread, not the negotiated-floor private market. Engagement scoping conversations routinely move quotes 30-50 percent in either direction from the band midpoint depending on white-box access, retest inclusion, environment readiness, and procurement leverage.

The /reduce-costs page documents the controllable levers; the /scoping-guide page documents how to push a quote toward the band lower bound without compromising the engagement.

Editorial position

This site is operated by Digital Signet, an independent AI-development studio. Digital Signet does not run a penetration testing practice, does not act as a CREST or NCSC CHECK assessor, does not sell pentest services, and does not accept paid placements from any pentest firm or PTaaS platform. Editorial direction is set by the Digital Signet editorial team. Drafts are produced via Digital Signet's autonomous AI development methodology and reviewed against the editorial framework before publication. See /about for the operator and the wider Digital Signet network.

Corrections process

For methodology questions, corrections, or scenarios that don't fit cleanly: oliver@digitalsignet.com. Corrections to published bands receive a five-business-day acknowledgement. Substantive corrections (band shifts of 10 percent or more) update the visible LAST_VERIFIED_DATE on publication.

Digital Signet is not affiliated with OWASP, NIST, the CREST organisation, the NCSC CHECK scheme, the PCI Security Standards Council, or any of the named pentest firms or PTaaS platforms cited on this page.

Updated May 2026