The money guide — real numbers

How much does a penetration test actually cost?

Most pentest pricing pages say “contact us for a quote.” Here are the real numbers — every market tier from free scanners to six-figure enterprise engagements — so you can buy the right test for your budget.

How much does a penetration test cost? A traditional penetration test typically costs $5,000–$20,000, with the market average around $18,000 and enterprise or compliance-driven engagements reaching $100,000+. Small websites now have a cheaper honest option: productized services like Bug Circuit run a free passive critical-bug check (no login needed), a $49 one-time full manual audit with a written report, or $299 for the audit plus fixes and 3 months of cover — real human testing, scoped for small sites.

The real market tiers (that nobody publishes)

Pentest pricing feels opaque because almost every vendor hides it behind a sales call. But the market sorts into five clear tiers. Here’s what each one actually buys you — including where our own tier does and doesn’t fit.

Penetration testing price tiers compared
Price tierWhat you actually getBest forWatch out for
$0 — automated scannersSoftware matching versions and configs against known-issue lists; unverified outputA first look at obvious external exposureCannot find business-logic, access-control or auth-flow flaws; false positives a human must verify. Not a pentest.
$49–$300 — productized manual (Bug Circuit’s tier)A human engineer manually tests a fixed small-site scope; written report; ownership verification + recorded authorization firstSmall websites, WordPress, indie SaaS, early startupsThe scope is deliberately small-site — it is not an enterprise engagement or a compliance substitute, and honest vendors say so.
$500–$1,500 — freelancerOne independent tester; quality and methodology vary enormouslyBusinesses that can vet testers themselvesVerify skill, insurance and reporting. Also: sub-$1,500 “pentests” from big firms are usually rebranded automated scans.
$3,500–$20,000 — boutique firmCustom-scoped engagement, senior consultants, formal report, retestingGrowing companies, larger custom apps, customer security demandsThe ~$3,500–$4,000 floor holds even for small scopes — overhead doesn’t shrink with your site.
$20,000–$100,000+ — enterprise / complianceAccredited firms, large multi-system scopes, compliance-grade paperwork and attestationsEnterprises, regulated industries, formal mandatesOverkill for a small website — you’d be paying mostly for process your business doesn’t need yet.

What actually drives the price

  • Scope — one marketing site vs. a multi-tenant platform with APIs and mobile apps can be a 20x difference in testing hours.
  • Methodology — manual hours from senior humans are the expensive part, and the valuable part. Automation is cheap, which is exactly why it’s what cheap “pentests” quietly sell you.
  • Reporting — a formal deliverable with evidence, severity ratings and remediation steps takes real time to write well.
  • Compliance paperwork — accreditations, attestation letters and auditor-ready formats add cost that only matters if a framework requires them.

The cost-saving trick behind productized testing isn’t cutting the human out — it’s cutting the sales process, custom scoping and project management out. A fixed small-site scope with a repeatable methodology means the human hours go into testing, not meetings.

How to buy well at each budget

Under $500

Skip anything that calls a scan a pentest. Start with a genuinely free passive check, then buy productized manual testing — verify a human tests and a written report is included. At this level Bug Circuit’s $49 audit or $299 audit-plus-fixes is our own answer, and the report is written so you can share it with enterprise customers who ask for proof of testing.

$500–$3,000

You’re in freelancer territory. It can be excellent value or wasted money — vet references, ask for a redacted sample report, and confirm they carry out authorized testing with a written agreement.

$3,500 and up

Boutique firms make sense once your application is genuinely complex or a customer contract demands a named, established firm. Compare at least two proposals and check what retesting after fixes costs — it’s often a surprise line item.

Questions to ask any vendor — at any price

  • “Do humans do the testing, and who are they?” If the answer dodges into tooling talk, you’re buying a scan.
  • “Can I see a sample report?” A real one shows evidence, plain-English impact and specific fixes — not a raw tool export.
  • “Is retesting after fixes included?” Finding issues without verifying the fixes is half a service.
  • “How do you authorize testing?” Legitimate testers verify you own the target and record an authorization before anything active — anyone who skips this is a red flag.
  • “What happens if you find nothing?” The right answer: you still get a report documenting what was tested. That document has real value with customers.

When cheap is the wrong answer

Honesty cuts both ways, so here’s ours: if a compliance framework, cyber-insurance policy or customer contract mandates a test from an accredited firm, a $49 productized audit won’t satisfy it — you need the boutique or enterprise tier, and no discount changes that. The same is true if your product is a large custom application with complex integrations; a small-site scope simply won’t cover it.

But most small businesses aren’t in that position. They need to know whether their actual website is actually hackable, documented by someone who tested it by hand — and until recently the only honest option started at $3,500. That’s the gap productized testing exists to close. If you’re unsure which side of the line you’re on, ask us — we’ll tell you straight, including when the answer is “you need a bigger firm than us.”

Common questions

Why are penetration tests so expensive?
You’re paying for senior human hours plus everything wrapped around them: scoping calls, project management, custom methodology, formal reporting, and often compliance paperwork. Consultancy day rates of $1,500–$2,500 add up fast on a two-week engagement. The testing itself is only part of the invoice — which is why a tightly scoped, productized test of a small website can cost a fraction of the price while still being genuinely manual.
Can I get a penetration test for free?
Not a real one — free tools are automated scanners, and scanners can’t find business-logic, access-control or authentication-flow flaws. What you can get free is a first look at your exposure: Bug Circuit’s free critical-bug check is a passive check with no login required that tells you whether anything critical is visible from the outside.
How much does a penetration test cost for a small business?
From traditional firms, the realistic floor is about $3,500–$4,000 even for a small scope — their overhead doesn’t shrink just because your site is small. Productized services change that math: Bug Circuit runs a full manual audit of a small website for $49 one-time, or $299 including fixes for high and critical issues plus 3 months of cover.
Is a $49 penetration test legit?
It’s legit if — and only if — a human actually does the testing and the scope is honest. Ours is: a human engineer manually tests a small-site scope after domain-ownership verification and a recorded Authorization to Test, and you get a written report plus a 14-day money-back guarantee before the audit begins. What it is not is an enterprise engagement, and we say so plainly. Judge any cheap test by the same standard: ask who tests, and ask for a sample report.
Is a vulnerability scan the same as a penetration test?
No. A scan is software matching versions and configurations against known-issue lists; a penetration test is a person actively trying to break in, chaining findings the way an attacker would. Scanners also produce false positives that a human must verify. Beware that sub-$1,500 “pentests” from big firms are usually rebranded scans — here’s how to tell the difference.
How often should I get a penetration test?
The common baseline is once a year and after any major change — new features, a redesign, a platform migration. Compliance frameworks often mandate annual testing. For small sites, an annual audit plus re-testing after big releases covers the realistic risk at a price that no longer forces you to skip years.

Keep reading

Find out what a test would find — free

Run the free passive critical-bug check on your domain. No login, no cost, no impact on your site.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →