Penetration Testing Cost by Type: Network, Web App, Mobile, Cloud, API, and Red Team
Detailed pricing, scope, deliverables, and benchmarks for every type of penetration test. All figures in USD (with GBP equivalents).
| Test Type | USD Range | GBP Range | Duration |
|---|---|---|---|
| Network Penetration Test | $10,000 - $50,000 | £8,000 - £40,000 | 5-10 days |
| Web Application Penetration Test | $5,000 - $30,000 | £4,000 - £24,000 | 5-10 days |
| Mobile Application Penetration Test | $10,000 - $25,000 | £8,000 - £20,000 | 5-8 days |
| Cloud Infrastructure Penetration Test | $15,000 - $40,000 | £12,000 - £32,000 | 5-10 days |
| API Penetration Test | $5,000 - $20,000 | £4,000 - £16,000 | 3-6 days |
| Red Team Engagement | $25,000 - $100,000+ | £20,000 - £80,000+ | 2-8 weeks |
| Social Engineering / Phishing Simulation | $5,000 - $15,000 | £4,000 - £12,000 | 1-3 weeks |
| Wireless / IoT Penetration Test | $10,000 - $25,000 | £8,000 - £20,000 | 3-7 days |
Duration to Cost Mapping
Penetration testing is priced by consultant days. Here is how duration maps to total cost at different provider tiers:
| Duration | Freelancer ($800-$1,500/day) | Boutique ($1,200-$2,500/day) | Big 4 ($2,000-$3,500/day) |
|---|---|---|---|
| 3 days | $2,400-$4,500 | $3,600-$7,500 | $6,000-$10,500 |
| 5 days | $4,000-$7,500 | $6,000-$12,500 | $10,000-$17,500 |
| 10 days | $8,000-$15,000 | $12,000-$25,000 | $20,000-$35,000 |
| 20 days | $16,000-$30,000 | $24,000-$50,000 | $40,000-$70,000 |
Network Penetration Test
External and internal infrastructure assessment
$10,000 - $50,000
£8,000 - £40,000 · 5-10 days
Who needs this: Any organisation with on-premises servers, cloud VMs, or a network perimeter exposed to the internet
| Tier | USD | Typical scope |
|---|---|---|
| Simple | $10,000-$18,000 | Under 50 IPs, external only, flat network |
| Moderate | $18,000-$30,000 | 50-200 IPs, internal and external, some segmentation |
| Complex | $30,000-$50,000+ | 200+ IPs, multi-site, AD forest, full segmentation testing |
What is Included
- External attack surface enumeration
- Port scanning and service fingerprinting
- Vulnerability identification and exploitation
- Lateral movement and privilege escalation
- Active Directory / domain controller testing
- Network segmentation validation
- CVSS-scored findings report with remediation guidance
- Retest verification included
Not Included
- Web application testing
- Social engineering
- Physical access testing
Pricing Factors
- Number of IP addresses and ranges
- Internal vs external scope (or both)
- Active Directory complexity
- Number of network segments and VLANs
Market Benchmark
A typical SMB network test (50 external IPs, external only) costs $10,000-$18,000. Enterprise scope (500+ IPs, internal plus external with AD) typically runs $25,000-$50,000.
Web Application Penetration Test
OWASP Top 10 and beyond, manual plus automated testing
$5,000 - $30,000
£4,000 - £24,000 · 5-10 days
Who needs this: Any organisation with customer-facing or internal web applications, especially those handling PII or payment data
| Tier | USD | Typical scope |
|---|---|---|
| Simple | $5,000-$10,000 | Single app, 1-2 roles, limited functionality |
| Moderate | $10,000-$20,000 | 3-5 roles, moderate feature set, API integration |
| Complex | $20,000-$30,000+ | 10+ roles, complex workflows, multiple APIs, file uploads |
What is Included
- OWASP Top 10 coverage (injection, XSS, CSRF, SSRF)
- Authentication and session management testing
- Authorisation and access control testing
- Business logic vulnerability testing
- API endpoint enumeration and testing
- Proof-of-concept exploits for critical findings
- Developer-ready remediation guidance
- Retest verification included
Not Included
- Mobile app backend testing (separate scope)
- Infrastructure-level network testing
Pricing Factors
- Application complexity and feature count
- Number of authenticated user roles
- Single-page app vs multi-page
- Source code review (adds 20-40% cost)
Market Benchmark
A standard SaaS web app with 3 user roles costs $8,000-$15,000. Large enterprise portals with dozens of modules and complex workflows: $20,000-$30,000.
Mobile Application Penetration Test
iOS and Android static analysis, dynamic testing, and API review
$10,000 - $25,000
£8,000 - £20,000 · 5-8 days
Who needs this: Companies shipping iOS or Android apps that handle sensitive data, payments, or authentication tokens
| Tier | USD | Typical scope |
|---|---|---|
| Simple | $10,000-$14,000 | Single platform, basic features, read-only data |
| Moderate | $14,000-$20,000 | Single platform, payments, biometrics, moderate API |
| Complex | $20,000-$25,000+ | Both platforms, complex auth, offline mode, financial data |
What is Included
- Static analysis (decompilation, obfuscation review)
- Dynamic analysis (runtime behaviour, traffic interception)
- Certificate pinning and TLS configuration checks
- Local data storage review (Keychain, SharedPreferences)
- API backend testing from mobile context
- Authentication and token handling review
- OWASP Mobile Top 10 coverage
- Retest verification included
Not Included
- Web admin portal testing (separate web app scope)
- Backend server infrastructure testing
Pricing Factors
- Single platform (iOS or Android) vs both
- Payment processing or biometric features
- API complexity and number of endpoints
- Jailbreak and root detection bypass requirements
Market Benchmark
A single-platform consumer app costs $10,000-$16,000. Dual-platform (iOS plus Android) with payment features: $18,000-$25,000.
Cloud Infrastructure Penetration Test
AWS, Azure, GCP: IAM misconfigurations, lateral movement, data exposure
$15,000 - $40,000
£12,000 - £32,000 · 5-10 days
Who needs this: Organisations running production workloads on AWS, Azure, or GCP, especially those with public-facing cloud resources
| Tier | USD | Typical scope |
|---|---|---|
| Simple | $15,000-$22,000 | Single cloud account, standard services, no Kubernetes |
| Moderate | $22,000-$32,000 | 2-5 accounts, some containerised workloads, multi-region |
| Complex | $32,000-$40,000+ | Multi-cloud, complex Kubernetes, 5+ accounts, serverless |
What is Included
- IAM misconfiguration review and privilege escalation testing
- S3/Blob/GCS public exposure checks
- Network security group and firewall rule review
- Lambda/serverless function security review
- Container security (ECS, EKS, AKS, GKE)
- Secrets management and credential rotation review
- Logging and monitoring gap analysis
- Retest verification included
Not Included
- On-premises network infrastructure
- Application-layer testing (separate web app test)
Pricing Factors
- Number of cloud accounts and subscriptions
- Multi-cloud vs single provider
- Kubernetes cluster complexity
- Assumed-breach vs external-only approach
Market Benchmark
A single AWS account assessment costs $15,000-$22,000. Multi-account organisation with EKS workloads: $25,000-$40,000.
API Penetration Test
REST, GraphQL, SOAP: authentication, authorisation, injection testing
$5,000 - $20,000
£4,000 - £16,000 · 3-6 days
Who needs this: Companies with internal or public APIs, especially those handling financial data, PII, or serving as microservice backends
| Tier | USD | Typical scope |
|---|---|---|
| Simple | $5,000-$8,000 | Under 50 endpoints, documented API, simple auth |
| Moderate | $8,000-$14,000 | 50-150 endpoints, OAuth flows, moderate business logic |
| Complex | $14,000-$20,000+ | 150+ endpoints, GraphQL, microservices, complex auth |
What is Included
- Authentication testing (JWT, OAuth 2.0, API keys)
- BOLA (Broken Object Level Authorisation) testing
- BFLA (Broken Function Level Authorisation) testing
- Rate limiting and brute force testing
- Injection testing (SQLi, XXE, SSRF)
- Mass assignment and excessive data exposure
- OpenAPI/Swagger specification review
- Retest verification included
Not Included
- Full web application testing
- Mobile client testing
Pricing Factors
- Number of endpoints
- Authentication complexity (multi-tenant, OAuth flows)
- GraphQL vs REST (GraphQL adds complexity)
- Availability of API documentation
Market Benchmark
A standard REST API with 50-100 endpoints costs $8,000-$14,000. Complex GraphQL APIs or microservice meshes with 200+ endpoints: $14,000-$20,000.
Red Team Engagement
Full adversary simulation, no rules, realistic threat modelling
$25,000 - $100,000+
£20,000 - £80,000+ · 2-8 weeks
Who needs this: Mature security programmes that have already addressed basic vulnerabilities and want to test detection and response capability
| Tier | USD | Typical scope |
|---|---|---|
| Simple | $25,000-$40,000 | 2-week engagement, digital only, 2 operators |
| Moderate | $40,000-$70,000 | 4-week engagement, phishing plus network, 2-3 operators |
| Complex | $70,000-$100,000+ | 6-8 weeks, physical access, APT simulation, 3-4 operators |
What is Included
- Custom threat intelligence and target profiling
- Phishing and social engineering campaigns
- Physical premises access attempts (if in scope)
- Network and application exploitation
- Lateral movement, persistence, and C2 infrastructure
- Active Directory and domain takeover attempts
- Data exfiltration simulation
- Purple team debrief and blue team improvement plan
Not Included
- Standard vulnerability report format (red team reports are narrative-based)
- Formal retest (separate follow-up engagement)
Pricing Factors
- Engagement duration (weeks, not days)
- Number of operators (typically 2-4)
- Physical component inclusion
- Threat actor profile specificity (APT simulation)
Market Benchmark
A 4-week red team with 2 operators costs $35,000-$60,000. Extended 8-week engagements with physical component: $60,000-$100,000+.
Wireless / IoT Penetration Test
WiFi networks, Bluetooth, IoT devices, SCADA/OT systems
$10,000 - $25,000
£8,000 - £20,000 · 3-7 days
Who needs this: Organisations with corporate WiFi, guest networks, IoT deployments, or OT/SCADA environments
| Tier | USD | Typical scope |
|---|---|---|
| Simple | $10,000-$14,000 | Single site, WiFi only, no IoT devices |
| Moderate | $14,000-$20,000 | Single site, WiFi plus IoT devices, guest network |
| Complex | $20,000-$25,000+ | Multi-site, OT/SCADA, complex IoT deployment |
What is Included
- Wireless network discovery and rogue AP detection
- WPA2/WPA3 security assessment
- Guest network segmentation testing
- IoT device firmware analysis
- Bluetooth and BLE protocol testing
- Network traffic analysis and credential capture
- Physical proximity testing (on-site required)
- Retest verification included
Not Included
- Full internal network pentest
- Web application testing
- Red team engagement
Pricing Factors
- Number of physical sites
- Number and variety of IoT devices
- OT/SCADA environment complexity
- On-site travel requirements
Market Benchmark
A single-site wireless assessment costs $10,000-$15,000. Multi-site with IoT device testing: $18,000-$25,000.
Combined Testing Packages
Most organisations need multiple test types. Bundling tests with a single provider typically saves 15-25% compared to commissioning each separately.
| Bundle | Tests included | USD Range | Saving | Best suited to |
|---|---|---|---|---|
| Starter Bundle | Web App + API | $8,000-$18,000 | 15% | SaaS startups with a web app and API |
| SMB Security Review | Network + Web App + Cloud | $22,000-$55,000 | 20% | SMBs with cloud-hosted web applications |
| Enterprise Programme | Network + Web App + Mobile + Cloud + Red Team | $55,000-$150,000 | 25% | Enterprise organisations requiring comprehensive coverage |
Social Engineering / Phishing Simulation
People testing: phishing, vishing, pretexting campaigns
$5,000 - $15,000
£4,000 - £12,000 · 1-3 weeks
Who needs this: Any organisation running security awareness training that needs baseline measurements or post-training validation
| Tier | USD | Typical scope |
|---|---|---|
| Simple | $5,000-$7,000 | Under 200 employees, 1-2 email scenarios, no vishing |
| Moderate | $7,000-$11,000 | 200-500 employees, 3-4 scenarios, some vishing |
| Complex | $11,000-$15,000+ | 500+ employees, 5+ scenarios, vishing, physical pretexting |
Market Benchmark
A phishing campaign for 200 employees with 2 scenarios costs $5,000-$8,000. Comprehensive programme including vishing for 1,000+ staff: $10,000-$15,000.