How Much Does a Penetration Test Cost?

Diese Seite ist auch auf Deutsch verfügbar.
“What does a pentest cost?” is the question I get asked the most, and the honest answer is always “it depends.” That’s not a dodge. A pentest is billed by effort, not sold as a fixed product, so the real question underneath it is what decides how much effort a given project actually needs. This post explains exactly that.
“It Depends” Is the Honest Answer, Not a Dodge
Any provider who quotes you a fixed price before understanding your environment is not doing this seriously. A penetration test is a service, not a product off a shelf, and the price has to reflect the work a specific target actually requires.
That doesn’t mean the pricing has to be vague. It means the price is derived from a small set of concrete factors, and once you know what they are, you can estimate your own ballpark before you ever get on a call.
A Pentest Is a Timebox, Not a Guarantee
Here’s the model: you’re buying a fixed amount of tester time, not a guarantee that every vulnerability will be found. Within that time, the tester works to uncover and demonstrate as many exploitable issues as possible, starting with the ones that matter most.
This is why price and time are directly the same thing in this model. More budget doesn’t mean the same test with a markup. It means more hours actually spent looking, which means more coverage and more depth.
The Actual Math: Day Rate Times Days
VidraSec prices every engagement with a day rate and a planned number of testing days, multiplied out into a fixed total. That total is the number in the contract, and it’s the number on the invoice.
The price quoted is the price charged, in both directions. If the work runs a little over, a few extra hours here or there, that time is absorbed rather than turned into a change order. If it becomes clear early on that a project would run substantially longer than planned, the scope gets trimmed to fit the original budget instead of the price quietly growing. You should never be surprised by the final invoice either way.
What Actually Decides the Number of Days
Three factors set the time budget, roughly in the order I weigh them:
- Security maturity of the target. This one surprises people: a company that has never had a pentest usually needs less time, not more. Testing an unmanaged environment for the first time tends to surface serious issues quickly. A mature organization that has already fixed the obvious problems needs a tester to dig much deeper to find anything that still matters, and that costs more days.
- Number and complexity of systems. A handful of internet-facing services scopes very differently from a sprawling application landscape with dozens of components. More surface area means more days.
- What you’re actually trying to learn. A broad check for anything seriously wrong needs less depth than a focused assessment of one specific, critical component. Tell me the goal, and the day count follows from it.
There’s real leeway in this. If you have a fixed budget, we can shrink the scope to fit it rather than walk away from the conversation. What I won’t do is quote a day count that doesn’t match the goal you’ve described.
Blackbox vs. Greybox: Same Days, More Value
For a standard penetration test, the tester is not a real attacker. They’re a consultant working inside a fixed timebox. A real attacker has unlimited time and, hopefully, zero cooperation from the internal IT team. A pentester should get the opposite: credentials where appropriate, information about internal systems, a firewall rule opened when it’s blocking legitimate testing. That’s time spent on hard security problems instead of on rediscovering the URL the application already lives at.
This is why, outside specific edge cases, I don’t recommend blackbox testing (no credentials, no information, straight from the internet). It sounds like the most realistic simulation of an attack, but in practice it rarely is. Almost every real intrusion starts from a compromised account or a compromised device, which is exactly the starting point of a greybox test. Greybox gets closer to a real attack and produces more usable findings for the same number of days, which is the actual definition of a good price-to-value ratio. The Penetration Testing Buyer’s Guide covers blackbox, greybox, and whitebox testing in more depth if you want the full picture.
This logic is specific to a standard pentest. A cyber attack simulation or red team engagement is built on the opposite principle on purpose: the point is to test whether your team detects and responds to an attacker it doesn’t know is coming, so tipping them off with cooperation or credentials would defeat the exercise. That’s a different service with its own pricing logic, not a variation of this one.
What This Actually Costs
Concrete numbers, based on how VidraSec scopes real projects:
- A narrow scope, such as a handful of internet-facing systems, can start around €4,200.
- A pentest broad enough to be genuinely useful usually starts closer to €6,000, and that’s a reasonable rule of thumb for the sensible minimum.
- Most projects land between €6,000 and €15,000.
- Larger engagements, including red team simulations, can run higher.
There’s no hard ceiling above that, but more days only make sense while they keep producing value. A good scoping conversation caps a project when another day stops being worth it, not when the invoice feels big enough.
Get a Number, Not a Guess
The fastest way to get an actual figure for your environment is a short scoping conversation, not a form that spits out a quote. If you’re evaluating providers in general, the Pentest Provider Checklist has the questions worth asking beyond price.
Want an actual number for your environment? Get in touch.
Related Services
- Active Directory Security Audit
- Internal IT Infrastructure Penetration Test
- Cloud Infrastructure Security Audit
- Entra ID Security Audit
- External IT Infrastructure Penetration Test
- Web Application Penetration Test
Related Blog Posts
- Pentest Provider Checklist for DACH SMBs
- Boutique Single-Operator Pentest vs. Large Firm vs. PTaaS: How to Choose
- What a NIS2-Ready Pentest Looks Like for a 50 to 500 Person Company
- The Penetration Testing Buyer's Guide: Scope Right, Spend Smart
martin@vidrasec.com | +43 670 3081275 | +43 670 3081275 | Book appointment |