By SidSecure | 10 June 2026
The most common question we get from first-time buyers is some version of: how much does a penetration test cost? The honest answer is that it depends on scope, and scope is something you control. Understanding how testers size an engagement will get you a sharper quote and a better test.
For a web application or API test, effort scales with the amount of functionality a tester must exercise:
For external network tests, the driver is simpler: how many IP addresses, domains and exposed services are in scope. For cloud configuration reviews, it is the number of accounts or subscriptions and the breadth of services deployed.
Unauthenticated black-box testing answers one question: what can an anonymous attacker on the internet do to my application? It is useful and it is cheaper, but it cannot tell you whether a logged-in customer can read another customer's data (broken object-level authorization), which is the finding that hurts most SaaS businesses. For comprehensive coverage we recommend grey-box testing with credentials for each role. Most engagements combine a black-box pass with authenticated testing.
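To make the black-box versus grey-box distinction concrete, here is an added illustration (it is not code from SidSecure or from the original post). It stands in for a SaaS order API with an in-memory handler that authenticates but does not authorize, runs the same lookups an unauthenticated pass and a credentialed pass would make, and shows that only the credentialed pass surfaces the cross-customer read. The order data, user names and handler functions are constructed for the example.

```python
"""Cross-customer authorization check of the kind a credentialed (grey-box)
test exercises: authenticate as customer A, request objects that belong to
customer B, and record every read that succeeds.

Everything below is a constructed stand-in for a SaaS API; no network is used.
"""

# Constructed sample data: order id -> owning customer and amount.
ORDERS = {
    "ord-1001": {"owner": "alice", "total": 120.0},
    "ord-1002": {"owner": "bob", "total": 88.5},
    "ord-1003": {"owner": "alice", "total": 42.0},
}


def get_order_vulnerable(session_user, order_id):
    """Hypothetical handler that authenticates (a session is required) but
    never authorizes: any logged-in customer can read any order whose id
    they can guess. Returns (http_status, body)."""
    if session_user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_fixed(session_user, order_id):
    """Same lookup with an ownership check. A foreign id gets 404 rather
    than 403 so the response does not confirm that the id exists."""
    if session_user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        return 404, None
    return 200, order


def unauthenticated_reads(handler):
    """Black-box view: which orders can be read with no session at all?"""
    return [oid for oid in ORDERS if handler(None, oid)[0] == 200]


def cross_tenant_findings(handler, users):
    """Grey-box view: for every ordered pair of distinct users, request each
    object owned by the victim while authenticated as the attacker. Each
    successful read is returned as (attacker, victim, object_id)."""
    findings = []
    for victim in users:
        victim_ids = [oid for oid, o in ORDERS.items() if o["owner"] == victim]
        for attacker in users:
            if attacker == victim:
                continue
            for oid in victim_ids:
                status, _body = handler(attacker, oid)
                if status == 200:
                    findings.append((attacker, victim, oid))
    return findings


if __name__ == "__main__":
    users = ["alice", "bob"]
    # The unauthenticated pass sees nothing wrong: every request is a 401.
    print("black box, vulnerable handler:", unauthenticated_reads(get_order_vulnerable))
    # The credentialed pass reads every other customer's orders.
    print("grey box, vulnerable handler:", cross_tenant_findings(get_order_vulnerable, users))
    # After the ownership check the same pass finds nothing.
    print("grey box, fixed handler:", cross_tenant_findings(get_order_fixed, users))
```

In a real engagement the handler calls are HTTP requests made with each role's test credentials, and the object ids come from the responses each user is legitimately shown; the pairwise loop is the same, which is why the number of roles drives the cost of authenticated testing.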
Before quoting, expect to be asked: what the application does, the technology stack, how many roles and endpoints, whether credentials and a test environment will be provided, what is driving the test (compliance, a customer request, general assurance), and your timeline. If a provider quotes without asking any of this, the price has padding in it, the test will be shallow, or both.
The deliverable should be a report with an executive summary, findings rated by real-world risk rather than scanner severity, evidence for each finding, root cause analysis and practical remediation guidance. Then a walkthrough call, and retesting of fixed items. The report is the product; ask to see a sanitised sample before you commit.
Ready to scope yours? Tell us what you need tested and we will come back with a fixed price within 48 hours.