How much does a penetration test actually cost?
Most pentest pricing pages say “contact us for a quote.” Here are the real numbers — every market tier from free scanners to six-figure enterprise engagements — so you can buy the right test for your budget.
The real market tiers (that nobody publishes)
Pentest pricing feels opaque because almost every vendor hides it behind a sales call. But the market sorts into five clear tiers. Here’s what each one actually buys you — including where our own tier does and doesn’t fit.
| Price tier | What you actually get | Best for | Watch out for |
|---|---|---|---|
| $0 — automated scanners | Software matching versions and configs against known-issue lists; unverified output | A first look at obvious external exposure | Cannot find business-logic, access-control or auth-flow flaws; false positives a human must verify. Not a pentest. |
| $49–$300 — productized manual (Bug Circuit’s tier) | A human engineer manually tests a fixed small-site scope; written report; ownership verification + recorded authorization first | Small websites, WordPress, indie SaaS, early startups | The scope is deliberately small-site — it is not an enterprise engagement or a compliance substitute, and honest vendors say so. |
| $500–$1,500 — freelancer | One independent tester; quality and methodology vary enormously | Businesses that can vet testers themselves | Verify skill, insurance and reporting. Also: sub-$1,500 “pentests” from big firms are usually rebranded automated scans. |
| $3,500–$20,000 — boutique firm | Custom-scoped engagement, senior consultants, formal report, retesting | Growing companies, larger custom apps, customer security demands | The ~$3,500–$4,000 floor holds even for small scopes — overhead doesn’t shrink with your site. |
| $20,000–$100,000+ — enterprise / compliance | Accredited firms, large multi-system scopes, compliance-grade paperwork and attestations | Enterprises, regulated industries, formal mandates | Overkill for a small website — you’d be paying mostly for process your business doesn’t need yet. |
What actually drives the price
- Scope — one marketing site vs. a multi-tenant platform with APIs and mobile apps can be a 20x difference in testing hours.
- Methodology — manual hours from senior humans are the expensive part, and the valuable part. Automation is cheap, which is exactly why it’s what cheap “pentests” quietly sell you.
- Reporting — a formal deliverable with evidence, severity ratings and remediation steps takes real time to write well.
- Compliance paperwork — accreditations, attestation letters and auditor-ready formats add cost that only matters if a framework requires them.
The cost-saving trick behind productized testing isn’t cutting the human out — it’s cutting the sales process, custom scoping and project management out. A fixed small-site scope with a repeatable methodology means the human hours go into testing, not meetings.
How to buy well at each budget
Under $500
Skip anything that calls a scan a pentest. Start with a genuinely free passive check, then buy productized manual testing — verify a human tests and a written report is included. At this level Bug Circuit’s $49 audit or $299 audit-plus-fixes is our own answer, and the report is written so you can share it with enterprise customers who ask for proof of testing.
$500–$3,000
You’re in freelancer territory. It can be excellent value or wasted money — vet references, ask for a redacted sample report, and confirm they carry out authorized testing with a written agreement.
$3,500 and up
Boutique firms make sense once your application is genuinely complex or a customer contract demands a named, established firm. Compare at least two proposals and check what retesting after fixes costs — it’s often a surprise line item.
Questions to ask any vendor — at any price
- “Do humans do the testing, and who are they?” If the answer dodges into tooling talk, you’re buying a scan.
- “Can I see a sample report?” A real one shows evidence, plain-English impact and specific fixes — not a raw tool export.
- “Is retesting after fixes included?” Finding issues without verifying the fixes is half a service.
- “How do you authorize testing?” Legitimate testers verify you own the target and record an authorization before anything active — anyone who skips this is a red flag.
- “What happens if you find nothing?” The right answer: you still get a report documenting what was tested. That document has real value with customers.
When cheap is the wrong answer
Honesty cuts both ways, so here’s ours: if a compliance framework, cyber-insurance policy or customer contract mandates a test from an accredited firm, a $49 productized audit won’t satisfy it — you need the boutique or enterprise tier, and no discount changes that. The same is true if your product is a large custom application with complex integrations; a small-site scope simply won’t cover it.
But most small businesses aren’t in that position. They need to know whether their actual website is actually hackable, documented by someone who tested it by hand — and until recently the only honest option started at $3,500. That’s the gap productized testing exists to close. If you’re unsure which side of the line you’re on, ask us — we’ll tell you straight, including when the answer is “you need a bigger firm than us.”
Common questions
Why are penetration tests so expensive?
Can I get a penetration test for free?
How much does a penetration test cost for a small business?
Is a $49 penetration test legit?
Is a vulnerability scan the same as a penetration test?
How often should I get a penetration test?
Keep reading
Find out what a test would find — free
Run the free passive critical-bug check on your domain. No login, no cost, no impact on your site.