US benchmark, 2026
Average Cost of a Pentest in the United States (2026): $18,300
The 2026 weighted-average penetration test in the United States costs $18,300, based on triangulated pricing data across boutique firms, freelancer rates, PTaaS subscriptions, and Big 4 advisory pricing. The number captures the typical engagement a US mid-market buyer commissions, not the cheapest possible single-app test and not the most expensive enterprise red team. Numbers below break the average down by metro market, by company size, and by test type so a US buyer can place themselves on the curve.
- 2026 US average: $18,300 (all test types, weighted)
- US median: $14,200 (the median sits below the average because of the high-end tail)
- Most common scope: web app + API, $8K - $22K bundle pricing
US average by metro market
Most penetration testing is delivered remotely, so geography matters less for the test itself than for the consultant cost-of-living that underpins day rates. Boutique firms in higher-cost cities pass that cost through. The table below shows where boutique day rates land in different US metros for senior testers in 2026, with the typical resulting engagement total for a mid-market web application scope (5-7 testing days, 1-2 reporting days, one retest included).
| US metro | Senior tester day rate | Web app pentest total | Vs national average |
|---|---|---|---|
| San Francisco / Bay Area | $2,300 - $3,200 | $16,000 - $22,000 | +22% |
| New York Metro | $2,200 - $3,100 | $15,500 - $21,500 | +18% |
| Boston | $2,100 - $2,900 | $15,000 - $20,500 | +14% |
| Washington DC / NoVA | $2,200 - $3,000 | $15,500 - $21,000 | +16% |
| Los Angeles | $2,000 - $2,800 | $14,500 - $20,000 | +10% |
| Seattle | $2,000 - $2,800 | $14,500 - $20,000 | +10% |
| Chicago | $1,800 - $2,500 | $13,000 - $18,000 | +0% |
| Atlanta | $1,700 - $2,400 | $12,500 - $17,500 | -3% |
| Austin | $1,800 - $2,500 | $13,000 - $18,000 | +0% |
| Denver | $1,700 - $2,400 | $12,500 - $17,500 | -3% |
| Dallas / Fort Worth | $1,700 - $2,400 | $12,500 - $17,500 | -3% |
| Smaller markets / fully remote | $1,400 - $2,200 | $10,500 - $16,000 | -12% |
Day rate ranges triangulated from public LinkedIn job postings, Glassdoor consultant compensation data, and direct buyer quotes. Estimated.
US average by company size
Company size drives scope, and scope drives cost. The strongest predictor of a US pentest engagement total is not which firm you choose but how much surface area you ask them to cover. Across our buyer corpus, headcount maps to typical first-year pentest spend as follows.
| Company size | Typical first-year pentest spend | Typical scope |
|---|---|---|
| Under 25 staff | $5,000 - $14,000 | Single web app test for SOC 2 readiness or a customer due-diligence ask. Often skipped entirely until a deal demands it. |
| 25 to 100 staff | $10,000 - $25,000 | Web app + API scope, sometimes plus AWS configuration review. Often the first formal annual programme cycle. |
| 100 to 500 staff | $25,000 - $60,000 | Multi-app or product-suite scope, plus internal network test. Often two separate engagements per year. |
| 500 to 2,000 staff | $60,000 - $150,000 | Programmatic testing across applications, network, cloud, and a periodic red team component. |
| 2,000 to 10,000 staff | $150,000 - $400,000 | Multiple firms in rotation, PTaaS subscription, full red team annually. |
| 10,000+ staff (enterprise) | $400,000 - $1.5M+ | Continuous testing programme, in-house red team, multi-vendor independent testing for regulator credibility. |
Federal and state government benchmarks
US public-sector pricing is unusually transparent because it sits on published procurement vehicles. The three most-used vehicles for penetration testing services are GSA Schedule (formerly MAS), SEWP (NASA-led government-wide acquisition contract), and CIO-SP3. Day rates accepted on these vehicles for senior penetration testers in 2025-2026 cluster around $1,800-$2,800, broadly aligned with private-sector mid-market boutique pricing once the higher documentation overhead is factored out.
Where federal pricing diverges from private-sector pricing is on programme totals. A FedRAMP Moderate full-year penetration testing engagement (annual external + internal pentest, plus quarterly authenticated scans, plus annual red team component, plus 3PAO documentation) typically runs $80,000 to $180,000. The comparable private-sector programme at the same scope and tester quality is roughly $50,000 to $110,000. The premium reflects FedRAMP-specific evidence work, NIST 800-53 control mapping, 3PAO Letter of Engagement, and Joint Authorization Board (JAB) reporting overhead, not different testing labour cost.
State and local government tends to under-price relative to federal, often using the equivalent of GSA day rates without the documentation surcharge. Many state CISOs commission $30,000-$60,000 per-application pentests through cooperative purchasing vehicles such as NASPO ValuePoint.
How US buyers commonly underestimate cost
The most common cost-estimation mistake we see in US first-time buyers is anchoring on the boutique day rate ($1,800/day, say) and multiplying by an under-counted number of testing days. Real engagement totals inflate from this anchor for predictable reasons:
- Reporting time is not testing time. A 5-day test usually books another 1-2 days of report writing, peer review, and client walk-through. That is 20-30% on top of the quoted testing day count.
- Project management overhead is real. Boutique firms typically charge 10-15% for PM. A $15,000 testing-and-reporting engagement turns into $16,500-$17,250 with PM.
- Retests count as testing. A retest after remediation runs another 1-2 days. Some firms include it; many do not.
- Scope expands during scoping calls. A "single web app" pentest often expands to web app plus customer-facing API plus admin panel during pre-engagement scoping. The initial $8,000 quote turns into $14,000.
- Travel costs apply for on-site work. Wireless, physical, and social-engineering tests usually need on-site presence; expect $1,500-$4,000 per testing-week of travel costs added.
How to know if your US quote is fair
The single most useful sanity check on a US pentest quote is to back-calculate the implied day rate. Ask the firm how many testing days, how many reporting days, and what their PM percentage is, then divide. A boutique firm quoting an implied day rate over $3,000 in 2026 is at the top of the market; under $1,200, the firm is either freelancer-tier or short-staffing the engagement. Either is fine if you understand which you are buying.
The second sanity check is to ask for the names and OSCP / CREST / GPEN certifications of the actual testers who will run the engagement. Reputable firms answer this directly. Vague answers ("we will assign a senior consultant") usually correlate with quotes priced for a senior tester but delivered by a junior.
The third check is the cost calculator: plug in your scope and provider tier, and use the output as a benchmark to negotiate against.
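The cost-inflation steps and the implied-day-rate check above, as an added worked example (not code from the original page or from any calculator it links to). The thresholds and percentages are the ones the text gives; the scopes and the $17,000 quote are constructed inputs.

```python
# Added example: model the cost-inflation steps (reporting, PM, retest, travel)
# and reverse them to back-calculate the day rate a quote implies.
from dataclasses import dataclass


@dataclass
class Scope:
    testing_days: float
    reporting_days: float = 0.0   # report writing, peer review, client walk-through
    retest_days: float = 0.0      # post-remediation retest, when not included
    pm_pct: float = 0.0           # project-management uplift, e.g. 0.10 for 10%
    travel_weeks: float = 0.0     # on-site weeks (wireless, physical, social engineering)
    travel_per_week: float = 0.0  # travel cost per on-site testing week

    @property
    def billable_days(self) -> float:
        return self.testing_days + self.reporting_days + self.retest_days


def breakdown(day_rate: float, s: Scope) -> dict:
    """Inflate an anchor day rate into a realistic engagement total."""
    labour = day_rate * s.billable_days
    pm = labour * s.pm_pct
    travel = s.travel_weeks * s.travel_per_week
    return {
        "billable_days": s.billable_days,
        "labour": round(labour, 2),
        "pm": round(pm, 2),
        "travel": round(travel, 2),
        "total": round(labour + pm + travel, 2),
    }


def implied_day_rate(quote: float, s: Scope) -> float:
    """Reverse the model: strip travel and PM, then divide by the billable days."""
    labour = (quote - s.travel_weeks * s.travel_per_week) / (1 + s.pm_pct)
    return round(labour / s.billable_days, 2)


def rate_tier(rate: float) -> str:
    """Place an implied day rate on the 2026 curve described in the text."""
    if rate > 3000:
        return "top of market"
    if rate < 1200:
        return "freelancer-tier or short-staffed"
    return "boutique mid-market"


if __name__ == "__main__":
    # Constructed scope: 5 testing days anchored at $1,800/day, which the naive
    # estimate prices at $9,000 before reporting, PM and retest are counted.
    scope = Scope(testing_days=5, reporting_days=1.5, retest_days=1, pm_pct=0.12)
    print(breakdown(1800, scope))
    rate = implied_day_rate(17000, scope)
    print(f"a $17,000 quote implies ${rate:,.0f}/day: {rate_tier(rate)}")
```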
Frequently asked questions
What is the average cost of a pentest in the United States in 2026?
The 2026 average penetration test in the United States costs approximately $18,300 per engagement, weighted across all common test types and provider tiers. Web application tests average around $11,500, network tests around $22,000, and red team engagements around $55,000. The headline number is most representative of mid-market boutique-firm pricing.
Is the average cost of a pentest different in different US metros?
Yes. New York, Boston, San Francisco, Washington DC, and Los Angeles trend 10-25% higher than the national average due to higher consultant cost-of-living. Atlanta, Austin, Denver, and Chicago run close to the national average. Smaller markets and remote-delivery boutique firms run 5-15% below the national average. Most testing is delivered remotely, so geography matters less than buyers assume.
How does US pentest pricing compare to UK or EU pricing?
Headline US pricing in dollars typically runs 15-25% higher than UK pricing in pounds for equivalent scope. UK CREST-accredited boutique firms remain among the most cost-competitive in the global market. EU pricing varies by country: Germany and Switzerland sit at or above US levels, while Spain, Portugal, and Eastern Europe run 30-50% below US pricing for the same scope and tester credentials.
What does the federal government pay for a pentest?
Federal pentest pricing is generally observable via GSA Schedule contracts and SEWP procurement records. Day rates accepted on GSA Schedule for senior penetration testers in 2025-2026 cluster around $1,800-$2,800. A typical FedRAMP Moderate full-year pentest engagement runs $80,000-$180,000, well above private-sector pricing because of the additional documentation, NIST 800-53 mapping, and 3PAO oversight requirements.
Why is there such a wide range in US pentest pricing?
Three factors drive variance: scope (a 50-IP external network test is genuinely different from a multi-cloud red team), provider tier (a freelancer at $1,000/day produces a different deliverable than a Big 4 firm at $3,000/day), and engagement model (one-off PDF report vs continuous PTaaS subscription with retesting). Two quotes can both be fair while differing by 3x because they assume different scopes.