API security testing, 2026

API Penetration Test Cost (2026): REST and GraphQL, $5K to $20K

API pentests have become the fastest-growing pentest category through 2025-2026 because almost every modern web application is now backed by an API surface that is increasingly the actual attack target. A standard 2026 REST API pentest runs $8,000-$14,000 for an SMB scope, with GraphQL adding 15-25% on top of equivalent REST pricing. This page covers what is in scope, why GraphQL costs more, and the endpoint-count economics that drive most quote variance.

REST API typical: $5K - $20K (50-200 endpoints)

GraphQL premium: +15% to +25% vs equivalent REST scope

Typical duration: 3-6 days, plus 1-2 reporting days

API pentest pricing by endpoint count

Endpoint count is the cleanest predictor of API pentest cost. The relationship is roughly logarithmic rather than linear, because once a tester has built up familiarity with the auth model and common business objects, additional endpoints test faster. The table below covers the 2026 ranges for REST and GraphQL.

| Endpoint band | REST 2026 USD | GraphQL 2026 USD | Testing days |
| --- | --- | --- | --- |
| Under 25 endpoints | $5,000 - $7,000 | $6,000 - $8,500 | 3 days |
| 25-75 endpoints | $7,000 - $11,000 | $8,500 - $13,500 | 3-5 days |
| 75-150 endpoints | $11,000 - $14,000 | $13,500 - $17,000 | 5-6 days |
| 150-300 endpoints | $14,000 - $18,000 | $17,000 - $22,000 | 6-8 days |
| 300+ endpoints (microservice) | $18,000 - $25,000 | $22,000 - $30,000 | 8-12 days |

OWASP API Security Top 10 coverage

The OWASP API Security Top 10 (2023 edition) is the baseline methodology that any reputable API pentest in 2026 should explicitly cover. The Top 10 is intentionally API-focused (different from the OWASP Top 10 for web apps) and reflects the API-specific attack patterns that have grown most rapidly.

API1:2023 Broken Object Level Authorisation (BOLA)

Endpoints that return or modify an object without verifying that the requesting user is authorised to access that specific object. The most prevalent and highest-impact API flaw.

API2:2023 Broken Authentication

Token storage flaws, JWT mishandling, OAuth implementation errors, weak password reset.

API3:2023 Broken Object Property Level Authorisation

Mass assignment and excessive data exposure where individual properties of an object lack authorisation checks.

API4:2023 Unrestricted Resource Consumption

Missing rate limits, no quota controls, expensive endpoints exploitable for cost-of-service attacks.

API5:2023 Broken Function Level Authorisation (BFLA)

Admin endpoints accessible to non-admin users; horizontal and vertical privilege escalation.

API6:2023 Unrestricted Access to Sensitive Business Flows

Workflow abuse: bulk-buying limited inventory, automated account creation, comment spam.

API7:2023 Server Side Request Forgery

API endpoints that fetch URLs without restriction, exposing internal services.

API8:2023 Security Misconfiguration

Default credentials, verbose error responses, debug endpoints in production, missing security headers.

API9:2023 Improper Inventory Management

Forgotten endpoints, deprecated versions still live, undocumented endpoints discoverable via spec leaks.

API10:2023 Unsafe Consumption of APIs

Trust failures when your API consumes third-party APIs without validating their responses.
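To make the difference between API1 (object-level) and API5 (function-level) authorisation concrete, here is an added example, not code from the original page or from any pentest firm. It models an invoice lookup with an in-memory table standing in for a database, shows the BOLA-vulnerable handler beside a hardened one that scopes by tenant and owner, adds a role-gated function to illustrate BFLA, and includes a small probe that records the status each principal gets for each ID, which is the kind of authorisation matrix a tester builds and a CI suite can keep enforcing. All names (Principal, Invoice, finance_admin, the inv-* IDs) are constructed for this example.

```python
from dataclasses import dataclass


class ApiError(Exception):
    """Raised by a handler to produce an HTTP status code."""
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    tenant_id: str
    owner_id: str
    total_cents: int


# Constructed sample data standing in for a database table (hypothetical values)
INVOICES = {
    "inv-1001": Invoice("inv-1001", "tenant-a", "alice", 12_000),
    "inv-1002": Invoice("inv-1002", "tenant-a", "bob", 4_500),
    "inv-2001": Invoice("inv-2001", "tenant-b", "carol", 99_000),
}
ALL_IDS = ("inv-1001", "inv-1002", "inv-2001")


def get_invoice_vulnerable(principal: Principal, invoice_id: str) -> Invoice:
    """API1 BOLA: the caller is authenticated, but nothing ties the object to them."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise ApiError(404)
    return invoice


def get_invoice(principal: Principal, invoice_id: str) -> Invoice:
    """Hardened lookup: tenant scope first, then ownership (or a role that overrides it).
    A single 404 covers missing, other-tenant and other-user objects, so the status
    code does not reveal whether a given ID exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.tenant_id != principal.tenant_id:
        raise ApiError(404)
    if invoice.owner_id != principal.user_id and "finance_admin" not in principal.roles:
        raise ApiError(404)
    return invoice


def void_invoice(principal: Principal, invoice_id: str) -> Invoice:
    """API5 BFLA: a privileged function checks the role before touching any object,
    and the object-level check still applies afterwards."""
    if "finance_admin" not in principal.roles:
        raise ApiError(403)
    invoice = get_invoice(principal, invoice_id)
    return Invoice(invoice.invoice_id, invoice.tenant_id, invoice.owner_id, 0)


def probe(handler, principal: Principal, invoice_ids) -> dict:
    """Call a handler for each ID and record the resulting status code: the
    authorisation matrix a pentester fills in, runnable as a regression test."""
    results = {}
    for invoice_id in invoice_ids:
        try:
            handler(principal, invoice_id)
            results[invoice_id] = 200
        except ApiError as err:
            results[invoice_id] = err.status
    return results


if __name__ == "__main__":
    alice = Principal("alice", "tenant-a", frozenset())
    print("vulnerable:", probe(get_invoice_vulnerable, alice, ALL_IDS))
    print("hardened:  ", probe(get_invoice, alice, ALL_IDS))
```

Run as a script, the vulnerable handler returns 200 for every invoice, including one in another tenant, while the hardened handler returns 200 only for the caller's own invoice. Returning 404 rather than 403 for objects the caller may not see is a deliberate choice: a 403 confirms the ID exists, which turns an authorisation gap into an enumeration aid.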

Why GraphQL adds cost

GraphQL pentest cost runs 15-25% above equivalent REST scope because GraphQL introduces categories of attack that simply do not exist in REST. The most cost-relevant additional testing areas are introspection query exposure (whether the schema is queryable in production), depth and complexity attacks (deeply nested queries that exhaust server resources), alias-based resource exhaustion (the same resolver invoked many times in a single query via aliasing), batch query abuse, field-level authorisation gaps (resolvers that authorise the parent type but not nested fields), and resolver-level data leakage through query fragmentation.

Some of these categories require purpose-built tooling that adds setup time. A boutique firm running its first GraphQL pentest will quote higher than its 20th GraphQL pentest because methodology automation matures with practice. Ask how many GraphQL engagements the firm has delivered.
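The GraphQL-specific categories above (introspection exposure, depth attacks, alias-based resource exhaustion) are all properties of a query's shape, so a defender can measure them before a single resolver runs. The following is an added example, not code from the page or any product: a minimal GraphQL document parser that computes nesting depth, the number of times one field is selected within a single selection set (aliases are charged to the underlying field, since that is what drives resolver cost), and whether the root selects __schema or __type, and then checks those numbers against limits. Production servers normally do this with their framework's validation rules or a dedicated cost-analysis plugin, and a real limiter inlines fragment spreads rather than measuring each fragment where it is defined as this one does; the limit values and the sample documents are constructed for the example.

```python
import re
from dataclasses import dataclass

# Minimal GraphQL tokeniser; whitespace, commas and comments are insignificant and dropped.
_TOKEN = re.compile(r'(?P<skip>\s+|,|#[^\n]*)|(?P<tok>\.\.\.|[{}():@$!=\[\]|]|[A-Za-z_]\w*|"(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?)|(?P<bad>.)')

def tokenize(src):
    matches = [m for m in _TOKEN.finditer(src) if m.lastgroup != "skip"]
    bad = next((m for m in matches if m.lastgroup == "bad"), None)
    if bad:
        raise ValueError(f"unexpected character {bad.group()!r} at offset {bad.start()}")
    return [m.group() for m in matches]

@dataclass
class QueryShape:
    max_depth: int = 0            # deepest selection-set nesting; the root selection set is depth 1
    max_repeat: int = 0           # most times one field is selected (aliased or not) in one selection set
    introspection: bool = False   # __schema or __type selected at the root

def _at(tokens, pos):
    return tokens[pos] if pos < len(tokens) else ""

def _skip_parens(tokens, pos):
    # pos is at '('; return the position just after the matching ')' (input objects may nest inside)
    level = 0
    while pos < len(tokens):
        level += (tokens[pos] == "(") - (tokens[pos] == ")")
        pos += 1
        if level == 0:
            return pos
    raise ValueError("unbalanced parentheses")

def _skip_extras(tokens, pos):
    # skip the optional "(args)" and "@directive(args)" that may follow a field, fragment or operation
    while _at(tokens, pos) in ("(", "@"):
        pos = pos + 2 if _at(tokens, pos) == "@" else _skip_parens(tokens, pos)
    return pos

def _selection_set(tokens, pos, depth, shape):
    # pos is at '{'; measure the fields inside and return the position after the matching '}'
    if _at(tokens, pos) != "{":
        raise ValueError("expected '{'")
    pos += 1
    shape.max_depth = max(shape.max_depth, depth)
    counts = {}
    while (tok := _at(tokens, pos)) != "}":
        if tok == "":
            raise ValueError("unterminated selection set")
        if tok == "...":
            pos += 1
            if _at(tokens, pos) == "on":
                pos += 2                                         # inline fragment: ... on Type { }
            elif _at(tokens, pos) not in ("{", "@"):
                pos += 1                                         # named spread; body measured where defined
            pos = _skip_extras(tokens, pos)
            if _at(tokens, pos) == "{":
                pos = _selection_set(tokens, pos, depth, shape)  # inline fragments add no depth
            continue
        name, pos = tok, pos + 1
        if _at(tokens, pos) == ":":                              # alias: charge it to the real field name
            name, pos = _at(tokens, pos + 1), pos + 2
        counts[name] = counts.get(name, 0) + 1
        if depth == 1 and name in ("__schema", "__type"):
            shape.introspection = True
        pos = _skip_extras(tokens, pos)
        if _at(tokens, pos) == "{":
            pos = _selection_set(tokens, pos, depth + 1, shape)
    shape.max_repeat = max(shape.max_repeat, max(counts.values(), default=0))
    return pos + 1

def measure(src):
    tokens, shape, pos = tokenize(src), QueryShape(), 0
    while pos < len(tokens):
        tok = tokens[pos]
        if tok in ("query", "mutation", "subscription"):
            pos += 1
            if _at(tokens, pos) not in ("(", "{", "@"):
                pos += 1                                         # operation name
            pos = _skip_extras(tokens, pos)                      # variable definitions and directives
        elif tok == "fragment":
            pos = _skip_extras(tokens, pos + 4)                  # fragment Name on Type
        pos = _selection_set(tokens, pos, 1, shape)              # a bare '{' is the anonymous query shorthand
    return shape

def check_query(src, max_depth=8, max_repeat=5, allow_introspection=False):
    # returns (shape, problems); an empty problems list means the document is within limits
    shape, problems = measure(src), []
    if shape.max_depth > max_depth:
        problems.append(f"nesting depth {shape.max_depth} exceeds {max_depth}")
    if shape.max_repeat > max_repeat:
        problems.append(f"field selected {shape.max_repeat} times in one selection set (alias batching), limit {max_repeat}")
    if shape.introspection and not allow_introspection:
        problems.append("introspection (__schema/__type) is not allowed in production")
    return shape, problems

# Constructed sample documents for the example (not captured traffic)
NESTED = "{ viewer { friends { friends { friends { friends { name } } } } } }"
ALIASED = "query Batch { " + " ".join(f'r{i}: report(id: "{i}") {{ rows }}' for i in range(1, 7)) + " }"
BENIGN = "query Me($id: ID!) { user(id: $id) @include(if: true) { id name ... on Admin { role } ...ContactFields } } fragment ContactFields on User { email phone }"
INTROSPECT = "{ __schema { types { name } } }"
```

Calling check_query(NESTED, max_depth=4) reports a depth of 6 against the limit, check_query(ALIASED) reports the same report field selected six times in one selection set, and check_query(INTROSPECT) flags introspection unless allow_introspection=True is passed; BENIGN, with variables, a directive, an inline fragment and a named fragment, passes clean. The point for a pentest scope is that each of these checks is a separate control to verify, which is where the extra GraphQL testing days go.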

Authentication flow complexity

The second-largest cost driver after endpoint count is authentication complexity. A simple API-key authenticated API tests fast. An OAuth 2.0 + OpenID Connect API with multiple grant types, refresh token rotation, and PKCE adds testing days because each authentication flow needs independent validation. Multi-tenant APIs with tenant-scoped tokens add yet more time because authorisation testing has to cover cross-tenant access in addition to same-tenant horizontal privilege escalation.

The most expensive authentication architectures we see in practice are mutual TLS (mTLS) with client certificate authentication, multi-issuer JWT validation, and signature-based message authentication schemes (e.g. AWS SigV4). Each of these adds 0.5-1 testing day to the engagement.

What to provide for the most cost-effective engagement

The cheapest way to lower an API pentest quote without compromising coverage is to provide better documentation upfront. Firms add discovery time to quotes when documentation is missing or incomplete.

Frequently asked questions

How much does an API penetration test cost in 2026?

An API penetration test in 2026 costs $5,000 to $20,000. A standard REST API with 50-100 documented endpoints typically runs $8,000-$14,000. GraphQL APIs cost 15-25% more than equivalent REST due to introspection and query complexity testing. Microservice meshes with 200+ endpoints push toward $14,000-$20,000.

Why does GraphQL cost more to pentest than REST?

GraphQL APIs require additional testing categories that REST does not: introspection query exposure, depth and complexity attacks, alias-based resource exhaustion, batch query abuse, field-level authorisation, and resolver-level data leakage through nested queries. Most boutique firms add 15-25% to the engagement price for GraphQL versus equivalent REST scope.

What does an API pentest actually cover?

Reputable 2026 API pentests cover the OWASP API Security Top 10: broken object level authorisation (BOLA), broken authentication, broken object property level authorisation, unrestricted resource consumption, broken function level authorisation (BFLA), unrestricted access to sensitive business flows, server-side request forgery, security misconfiguration, improper inventory management, and unsafe consumption of APIs, plus injection, mass assignment, and rate-limiting validation.

Do I need to provide API documentation?

Yes, ideally. An OpenAPI/Swagger specification or GraphQL schema lets the tester focus on actual security testing rather than spending days reverse-engineering the endpoint surface. Engagements without documentation typically cost 20-30% more because of the additional discovery time. Postman collections work as an alternative if you do not have a formal spec.

How does endpoint count affect cost?

Endpoint count is the dominant cost driver for API pentests, scaling roughly logarithmically. Under 50 endpoints typically runs $5,000-$8,000. 50-150 endpoints runs $8,000-$14,000. 150+ endpoints runs $14,000-$20,000. Microservice meshes are priced by total exposed endpoint surface, not by service count.


Updated May 2026