Penetration Testing
March 5, 2026
9 min read

How Much Does a Penetration Test Cost? 2026 Pricing Guide for SaaS & Enterprises

Babar Khan Akhunzada

The most common question we get before a scoping call is some version of: "just tell me what a penetration test costs."

The honest answer is that it depends on what you're testing and how deeply, but the ranges are predictable, the variables are well understood, and there is a number for every scope. This guide gives you the actual 2026 market rates by test type, explains what drives cost up or down, and tells you what you give up when you buy cheap.

If you're budgeting for compliance (SOC 2, ISO 27001, PCI-DSS, HIPAA), there's a section specifically for that. If you're a mid-sized SaaS company trying to figure out what to set aside, skip straight to the web app and API pricing section.

  1. 2026 Penetration Test Cost Ranges by Type
  2. Web Application & API Penetration Testing
  3. Network Penetration Testing
  4. Mobile App Penetration Testing
  5. Cloud Penetration Testing
  6. Red Team Engagements
  7. What Affects the Price
  8. Budgeting by Compliance Framework
  9. Why Cheap Pentests Are Dangerous for Audits
  10. How to Get an Accurate Quote

2026 Penetration Test Cost Ranges by Type

Before getting into the detail, here are the market rates across all common engagement types:

2026 Market Rates: Penetration Test Cost by Engagement Type

| Engagement Type | Typical Scope | 2026 Price Range | Duration |
|---|---|---|---|
| Web Application | Single web app, authenticated + unauthenticated | $5,000 – $15,000 | 3–7 days |
| API Penetration Test | REST/GraphQL API, authentication flows, business logic | $3,000 – $8,000 | 2–5 days |
| Mobile App (iOS or Android) | Single platform, static + dynamic analysis, API backend | $4,000 – $10,000 | 3–6 days |
| Network / Infrastructure | Internal network, external perimeter, cloud infra | $8,000 – $20,000 | 5–10 days |
| Cloud Penetration Test | AWS / Azure / GCP config review + exploitation testing | $6,000 – $18,000 | 4–8 days |
| Full SaaS Stack (SOC 2 scope) | Web app + API + cloud infra combined | $8,000 – $25,000 | 7–14 days |
| Red Team Engagement | Full adversary simulation, no scope restrictions | $25,000 – $100,000+ | 2 weeks – 3 months |

These are rates for manual, practitioner-led engagements with CVSS-scored findings, exploitation evidence, and remediation guidance — the format compliance auditors expect. Automated scan reports dressed up with a cover page are sold at $500–$2,000 and will not satisfy a SOC 2, ISO 27001, or PCI-DSS auditor. More on that in the cheap pentests section.

Web Application & API Penetration Testing

For a mid-sized SaaS application (a customer-facing web app with a REST or GraphQL API, standard authentication flows, and 5–20 user roles), expect to pay $5,000–$15,000 for the web app component and $3,000–$8,000 for the API layer tested in isolation. Most SaaS companies run both together as a combined engagement, which typically lands at $8,000–$18,000 depending on complexity.

What puts you at $5,000 vs $15,000 for the same "web app pentest":

Scope size is the primary driver. A single-tenant marketing site with a contact form is not the same as a multi-tenant SaaS platform with customer data isolation, role-based access controls, billing logic, and an admin panel. Testers price based on the number of unique functions, workflows, and authentication states they need to test, not just the number of URLs.

Testing depth is the second variable. A grey-box test (where you provide architecture docs and partial credentials) is faster and cheaper than a black-box test starting with zero context. Most compliance engagements use grey-box methodology because it produces better vulnerability coverage within a fixed timeframe.

Report format matters more than most clients realise. A report formatted for an ISO 27001 or SOC 2 auditor, with a formal executive summary, findings mapped to controls, CVSS scoring with contextual adjustments, and remediation timelines, takes significantly longer to produce than a raw findings dump. The difference between a $5,000 and a $12,000 web app pentest is often 30–40% testing time and 60–70% report quality and post-engagement support.

For a detailed breakdown of SOC 2-specific scoping and what auditors actually check, see our guide on SOC 2 penetration testing costs and budgeting.

Network Penetration Testing

Network penetration testing covers your external perimeter (internet-facing IP ranges, VPNs, remote access infrastructure) and/or internal network (Active Directory, lateral movement paths, segmentation validation). Prices run $8,000–$20,000 for a standard mid-enterprise scope.

The two variables that drive network pentest pricing more than any other: IP range size and whether the engagement includes Active Directory attack paths. A 50-host external scan is priced very differently to a 500-host internal engagement targeting AD privilege escalation chains. Most firms quote network pentests on a per-host or per-subnet basis once scope is defined.

External-only network tests (testing what's exposed to the internet) are at the lower end of the range. Internal + external combined, particularly for organisations preparing for ISO 27001 certification or a SOC 2 audit with infrastructure scope, typically runs $12,000–$20,000.

Mobile App Penetration Testing

Mobile penetration testing covers iOS and Android applications: static analysis (binary, permissions, hardcoded secrets), dynamic analysis (runtime behaviour, traffic interception), and the API backend the app communicates with. Pricing runs $4,000–$10,000 per platform.

Testing both iOS and Android for the same application is not double the price. The API backend is shared, so combined iOS + Android engagements typically run $7,000–$15,000 rather than $8,000–$20,000 for two separate engagements.

The complexity variable specific to mobile: certificate pinning and anti-tampering implementations. Applications with aggressive runtime protections require additional tooling and time to bypass before dynamic testing can begin. If your app has these protections implemented, expect a 20–30% uplift in the quote.

Cloud Penetration Testing

Cloud penetration testing, specifically for AWS, Azure, and GCP environments, focuses on misconfiguration exploitation, IAM privilege escalation, exposed storage, cross-account access, and serverless function vulnerabilities. It is distinct from a general network test. Pricing runs $6,000–$18,000 for a defined cloud environment scope.

The key scoping question: are you testing configuration only (a cloud security posture review, sometimes called a CSPM assessment) or are you testing active exploitation of identified misconfigurations? The latter is a penetration test — someone is actually attempting to escalate privileges, access other accounts, and exfiltrate data through the paths they find. CSPM reviews are cheaper ($3,000–$8,000) but do not satisfy most compliance frameworks that require penetration testing evidence.

For a deeper treatment of cloud pentest scoping across AWS, Azure, and GCP, see our cloud penetration testing guide.

Red Team Engagements

Red team engagements are a different product to penetration testing: different methodology, different output, different use case. The price range reflects this: $25,000–$100,000+ depending on duration and adversary simulation complexity.

A foundational red team engagement (2–4 weeks, single objective, technical attack paths only) starts at approximately $25,000–$40,000. An advanced APT simulation (6–8 weeks, multi-phase with social engineering and physical access components, full kill chain documentation) runs $60,000–$100,000+.

Red teaming is not the right investment for organisations that haven't completed multiple rounds of penetration testing and built out detection and response capabilities. The ROI on a red team exercise comes from measuring how well your defences detect a sophisticated attacker, which requires having defences worth measuring first.

For a detailed comparison of when each is appropriate, see our red team vs penetration testing guide.

What Affects the Price

Across all engagement types, five variables consistently move the price:

1. Scope size and complexity. The number of unique functions, endpoints, hosts, user roles, or attack surfaces being tested. More surface = more time = higher cost. This is the single biggest variable. A well-scoped engagement brief cuts quoting time by 50% and frequently reduces the final price because the tester can exclude out-of-scope components that a generic quote would have to account for.

2. Testing methodology (black-box vs grey-box vs white-box). Black-box testing (no prior knowledge provided) requires more reconnaissance time. Grey-box (architecture docs, partial credentials, user accounts) is faster and produces better vulnerability coverage for compliance purposes. White-box (full source code, complete access) is the most thorough and is standard for SDLC-integrated security reviews.

3. Compliance report requirements. A standard pentest report takes 1–2 days to produce. A report formatted for SOC 2 Type II auditor review, with controls mapping to AICPA Trust Services Criteria, takes 3–4 days. ISO 27001 annex control mapping, PCI-DSS requirement alignment, or HIPAA addressable implementation specification mapping all add time. If you have a specific compliance requirement, say so during scoping; it affects the quote.

4. Retesting included or separate. Some providers include a free retest (verifying that identified vulnerabilities have been remediated) within the engagement price. Others quote retesting as a separate line item at $1,000–$3,000. Compliance frameworks that require evidence of remediation verification (PCI-DSS and ISO 27001 in particular) effectively make retesting mandatory.

5. Turnaround time. Standard delivery is 2–4 weeks from kickoff to final report. Expedited engagements (required within 1–2 weeks) typically carry a 20–30% premium. If you have an audit deadline, book with adequate lead time.

Budgeting by Compliance Framework

The compliance framework you're targeting determines scope, methodology, and report format, which directly affects cost.

Compliance Budget Reference: Penetration Test Budget by Framework

| Framework | Typical Scope | Budget Range | Key Requirement |
|---|---|---|---|
| SOC 2 Type II | Web app + API + cloud infra | $8,000 – $25,000 | Annual. Report must map to AICPA TSC controls (CC4.1, CC7.1). |
| ISO 27001 | Scope of ISMS, varies widely | $6,000 – $20,000 | Annex A control A.8.8. Auditors expect annual cycle evidence. |
| PCI-DSS v4.0 | Cardholder data environment + segmentation validation | $10,000 – $30,000 | Requirement 11.3. Annual internal + external. Segmentation testing required if out-of-scope systems exist. |
| HIPAA | Systems handling ePHI | $5,000 – $15,000 | §164.308(a)(8). "Periodic"; annual is the practical standard. Must cover ePHI systems scope. |
| SAMA CSF (Saudi Arabia) | Regulated financial services environment | $12,000 – $35,000 | Domain 3, annual minimum. Remediation evidence required alongside the test report. |

Why Cheap Pentests Are Dangerous for Audits

A $500–$2,000 "penetration test" exists. It typically consists of running a Nessus or OpenVAS scan, auto-generating a report, and adding a cover page. Some providers add a brief manual review of the automated findings. The report looks like a penetration test report to someone who hasn't read many of them.

The problem isn't that these reports are useless; they find real vulnerabilities. The problem is that they fail audits, and they fail in ways that are expensive to recover from.

SOC 2 auditors are specifically trained to identify scan-report substitutes. Under CC4.1 and CC7.1, the auditor is evaluating whether the organisation has performed an assessment of technical controls. A report that shows only automated findings with no evidence of manual exploitation attempts, no business logic testing, no authenticated testing, and no exploitation evidence will typically result in a qualified opinion or a control failure finding. That means restarting the engagement with a qualified provider — and restarting the audit timeline.

PCI-DSS v4.0 Requirement 11.3 explicitly requires that penetration testing be performed by a qualified internal resource or qualified external third party, with organisational independence. It also requires that methodology include both network-layer and application-layer tests. An automated scan report does not satisfy the application-layer requirement, and a QSA will note the deficiency.

Beyond compliance, the deeper problem is exploitability evidence. Automated scanners flag potential vulnerabilities based on version numbers and configuration signatures. A skilled manual tester verifies which findings are actually exploitable in your specific environment, chains vulnerabilities across components to demonstrate real-world impact, and identifies business logic flaws that no automated tool can find. A $1,500 scan report tells you what might be vulnerable. A $10,000 manual engagement tells you what an attacker can actually do.

The practical guidance: if a pentest quote comes in at less than $3,000 for anything beyond a very small single-application scope, ask specifically how many hours of manual testing are included, who will perform it, and what their certifications are. If the answer is vague or the manual hours are below 8–10, you are buying a scan report.

How to Get an Accurate Quote

The fastest way to get an accurate penetration test quote is to arrive with a clear scope description. Providers can quote quickly when they know: the application type (web, API, mobile, network, cloud), approximate size (number of endpoints, hosts, or user roles), compliance framework if applicable, preferred methodology (black/grey/white-box), timeline requirement, and whether retesting is needed.

Without that information, a provider either quotes high to cover unknowns or quotes low and finds reasons to expand scope mid-engagement. Neither outcome benefits you.

SecurityWall provides scoped recommendations within 24 hours based on a brief description of your environment. Every engagement is led by OSCP, CISM, CISSP, or CREST-certified practitioners, not automated scan tooling with a manual review layer.

About Babar Khan Akhunzada

Babar Khan Akhunzada is Founder of SecurityWall. He leads security strategy and offensive operations. Babar has been featured in 25-Under-25 and has spoken at premier conferences including BlackHat, OWASP, and BSides.