Network scope comparison, 2026
Internal vs External Penetration Test Cost (2026)
The internal vs external distinction is one of the most fundamental scope decisions in pentest planning, and it has direct cost implications. External-only pentests run $10,000-$25,000 in 2026. Internal-only pentests run $15,000-$35,000. Combined engagements (which most compliance frameworks expect) run $20,000-$50,000. This page covers what each scope tests, why internal commonly costs more, and the right combination for your compliance and threat-model context.
- External only: $10K - $25K (internet-facing surface)
- Internal only: $15K - $35K (assumed-breach, inside the network)
- Combined (most common): $20K - $50K (both scopes in a single engagement)
What external pentests cover
An external pentest treats your internet-facing perimeter as the target. The tester operates from outside your network, with only the agreed scope (IP ranges, domains, hostnames) and a Letter of Authorisation. The methodology aligns with NIST SP 800-115 and covers external attack surface enumeration, vulnerability identification through scanners and manual review, exploitation of identified weaknesses, and limited post-exploitation if a successful breach demonstrates impact.
Common external pentest findings include: VPN misconfigurations that allow brute-force or credential replay, exposed admin interfaces (RDP, SSH, internal web admin panels), default credentials on internet-exposed appliances, unpatched CVE-grade vulnerabilities on internet-facing systems, and information disclosure through verbose error messages or directory listing.
External pentests are easier to scope and cheaper to deliver than internal pentests because the surface is bounded (you have a finite list of internet-exposed hosts) and the testing does not require any coordination with internal IT to provide network access. Most external engagements complete in 5-7 testing days for an SMB scope.
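Scope discipline is what separates an authorised external test from unauthorised scanning, and the agreed scope is normally transcribed from the Letter of Authorisation into an include list and an exclusion list. The following added example (not tooling from this page or from any provider) shows the scope check a tester, or the client's security team, can run before any host is touched: CIDR ranges, exact hostnames and wildcard domains are accepted, and an explicit exclusion overrides an inclusion, so a host carved out of an in-scope /24 is refused. The scope entries and candidate targets are constructed from documentation address ranges and the reserved `.test` domain.

```python
"""Scope check for an external pentest against the authorised target list.

Added example: it assumes the Letter of Authorisation has been transcribed
into an include list and an exclusion list of CIDR ranges, exact hostnames
and wildcard domains. Exclusions always win over inclusions.
"""
import ipaddress


def _parse_entries(lines):
    """Split scope lines into (networks, exact hostnames, wildcard domains).

    Anything ipaddress cannot parse is treated as a hostname; a leading "*."
    marks a wildcard domain. Text after "#" is a comment.
    """
    networks, hosts, wildcards = [], set(), set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.startswith("*."):
            wildcards.add(entry[2:].lower().rstrip("."))
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.add(entry.lower().rstrip("."))
    return networks, hosts, wildcards


def _matches(entries, target):
    """True if target (an IP address or a hostname) is covered by entries."""
    networks, hosts, wildcards = entries
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        name = target.lower().rstrip(".")
        if name in hosts:
            return True
        # "*.example.test" covers subdomains, not the apex itself
        return any(name.endswith("." + domain) for domain in wildcards)
    return any(addr in net for net in networks)


class Scope:
    def __init__(self, include_lines, exclude_lines=()):
        self.include = _parse_entries(include_lines)
        self.exclude = _parse_entries(exclude_lines)

    def check(self, target):
        """Return (authorised, reason). Exclusions override inclusions."""
        if _matches(self.exclude, target):
            return False, "explicitly excluded"
        if _matches(self.include, target):
            return True, "in scope"
        return False, "not listed in authorisation"


# Constructed scope: documentation ranges (RFC 5737 / RFC 3849) and the
# reserved .test TLD, so nothing here points at a real system.
AUTHORISED = Scope(
    include_lines=[
        "203.0.113.0/24      # DMZ",
        "198.51.100.0/25     # partner-facing API block",
        "*.example.test",
        "vpn.example.test",
    ],
    exclude_lines=[
        "203.0.113.250       # vendor-managed appliance, carved out of the LoA",
        "mail.example.test   # hosted by a third party",
    ],
)


def triage(targets, scope=AUTHORISED):
    """Map each candidate target to its (authorised, reason) verdict."""
    return {t: scope.check(t) for t in targets}


if __name__ == "__main__":
    candidates = ["203.0.113.10", "203.0.113.250", "198.51.100.200",
                  "www.example.test", "mail.example.test", "example.test",
                  "2001:db8::1"]
    for target, (ok, why) in triage(candidates).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {target:20} {why}")
```

Run the check over every host a scanner is about to touch and stop on the first deny; the "not listed" verdict is the one that catches scope creep, because a host the client simply forgot to mention is not authorised either.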
What internal pentests cover
An internal pentest is structurally different because the tester starts inside the perimeter. The most common modern variant is assumed-breach: the tester is given low-privileged credentials and access to a typical user workstation (or a jump-box on the network), simulating an attacker who gained initial access through phishing, malware, or supply chain compromise.
Internal pentest activities typically include: Active Directory enumeration with BloodHound or similar tooling, Kerberos-based attacks (Kerberoasting, AS-REP roasting, Golden Ticket detection), lateral movement across hosts via SMB, WMI, and remote protocols, privilege escalation on individual systems, sensitive data discovery on file shares and databases, and persistence simulation. The mission objective is usually to demonstrate Domain Admin acquisition or equivalent within the engagement window.
Internal pentests cost more than external because the attack surface is larger (every internal host is potentially in scope), Active Directory testing is labour-intensive, and the tester needs more time to map the environment before targeted exploitation.
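From the defender's side, the Kerberos-based activity listed above has a recognisable footprint: a Kerberoasting run requests service tickets for many distinct service accounts in a short burst, usually with the RC4-HMAC encryption type (0x17) so the ticket is cheaper to crack offline, and the domain controller logs every such request as Windows Security event 4769. The added example below (not from this page) implements that detection over a constructed set of 4769 records: it ignores machine accounts and krbtgt, whose keys are long and random, and counts distinct service accounts per source account and IP inside a sliding window. The record field names and the sample values are assumptions of the example, not an export format of any SIEM.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not from this page. A 4769 event is logged on the domain
controller for every service-ticket request; the detection looks for one
account, from one source IP, requesting RC4-HMAC tickets for many distinct
service accounts within a short window. The record layout and the sample
events are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC; AES256-CTS is 0x12


def _is_roastable(service_name):
    """Service accounts with human-chosen passwords are the crackable ones.
    Machine accounts (trailing "$") and krbtgt have long random keys."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def detect_kerberoasting(events, window_minutes=5, min_services=5):
    """Return one alert per (account, ip) that requested RC4 tickets for at
    least min_services distinct roastable service accounts inside any
    window_minutes-long sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # (account, ip) -> deque of (time, service)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["etype"] != RC4_HMAC or not _is_roastable(ev["service"]):
            continue
        key = (ev["account"], ev["ip"])
        when = datetime.fromisoformat(ev["time"])
        q = recent[key]
        q.append((when, ev["service"]))
        while when - q[0][0] > window:      # drop requests outside the window
            q.popleft()
        services = {svc for _, svc in q}
        if len(services) >= min_services:
            alert = alerts.setdefault(key, {
                "account": key[0], "ip": key[1],
                "first_seen": q[0][0].isoformat(), "services": set(),
            })
            alert["services"] |= services
    return list(alerts.values())


def _ev(time, account, ip, service, etype):
    """Minimal 4769 record: TargetUserName, IpAddress, ServiceName,
    TicketEncryptionType (field names assumed for the example)."""
    return {"time": time, "account": account, "ip": ip,
            "service": service, "etype": etype}


# Constructed sample, not real log data. j.doe bursts through six service
# accounts with RC4 in five seconds; everything else is background traffic.
SAMPLE_EVENTS = [
    _ev("2026-03-02T09:14:01", "j.doe", "10.20.30.40", "svc_sql", "0x17"),
    _ev("2026-03-02T09:14:02", "j.doe", "10.20.30.40", "svc_backup", "0x17"),
    _ev("2026-03-02T09:14:02", "j.doe", "10.20.30.40", "svc_web", "0x17"),
    _ev("2026-03-02T09:14:03", "j.doe", "10.20.30.40", "svc_ci", "0x17"),
    _ev("2026-03-02T09:14:03", "j.doe", "10.20.30.40", "ws01$", "0x17"),   # machine account, ignored
    _ev("2026-03-02T09:14:04", "j.doe", "10.20.30.40", "svc_report", "0x17"),
    _ev("2026-03-02T09:14:05", "j.doe", "10.20.30.40", "svc_monitor", "0x17"),
    _ev("2026-03-02T09:14:06", "j.doe", "10.20.30.40", "krbtgt", "0x12"),  # TGT, ignored
    _ev("2026-03-02T09:20:10", "a.smith", "10.20.30.55", "svc_sql", "0x12"),  # normal AES request
    _ev("2026-03-02T08:05:00", "b.lee", "10.20.31.7", "svc_web", "0x17"),     # two legacy RC4
    _ev("2026-03-02T09:05:00", "b.lee", "10.20.31.7", "svc_backup", "0x17"),  # requests an hour apart
]


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{alert['account']}@{alert['ip']} from {alert['first_seen']}: "
              f"{len(alert['services'])} service accounts -> {sorted(alert['services'])}")
```

The threshold and window are tunable: environments that still have legacy RC4 clients will need a higher service count or a shorter window to keep the false-positive rate down, and the durable fix the pentest report will ask for is AES-only service accounts with long, random passwords (or group managed service accounts), which removes the crackable material rather than the alert.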
Cost matrix: scope combinations
| Scope combination | 2026 USD price | Days | Best for |
|---|---|---|---|
| External only, small (under 50 IPs) | $10,000 - $15,000 | 5-7 days | Cloud-native SaaS, minimal on-premises |
| External only, mid-sized (50-200 IPs) | $14,000 - $22,000 | 7-10 days | Mid-market with public-facing services |
| External only, large (200-500 IPs) | $20,000 - $30,000 | 10-14 days | Enterprise with significant external footprint |
| Internal only, single AD, less than 200 IPs | $15,000 - $25,000 | 8-12 days | Already passed external test, focusing on insider risk |
| Internal only, multi-domain AD, 500+ IPs | $25,000 - $35,000+ | 14-20 days | Mature security programmes evaluating lateral-movement controls |
| Combined external + internal, SMB | $22,000 - $32,000 | 10-15 days | Annual SOC 2 / ISO 27001 cycle |
| Combined, mid-market with PCI | $30,000 - $42,000 | 15-20 days | PCI DSS annual evidence |
| Combined, enterprise multi-site | $38,000 - $50,000+ | 18-25 days | Enterprise programmes with multiple sites |
Why internal commonly produces more findings
Across our buyer corpus, internal pentests consistently produce 3-5x more high and critical findings than external-only equivalents on the same target organisation. The pattern reflects the modern breach landscape: most successful real-world breaches reach impact through lateral movement after initial access, not through perimeter compromise alone.
Common internal-only findings include: weak Active Directory password policies that allow easy Kerberoasting success, over-privileged service accounts (Domain Admin equivalents on local servers), unpatched internal systems running CVE-grade vulnerabilities, lateral movement paths through forgotten jump-boxes and admin tools, sensitive data exposure on file shares accessible to all users, and privileged group memberships that violate least-privilege intent.
These findings rarely appear in external-only pentests because they are not reachable from the public internet. An organisation that only commissions external testing has limited visibility into the internal-attack-path component of its risk.
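Two of the findings listed above, over-privileged service accounts and privileged group memberships that violate least-privilege intent, usually hide behind nested groups: nobody is added to Domain Admins directly, but a user inherits it two or three group hops away. The added example below (not from this page, and not BloodHound) computes effective membership of the privileged groups transitively, tolerates nesting cycles, records the group chain that grants each membership, and flags principals that are not on an approved administrator list or that look like service accounts. The directory snapshot, the approved list and the `svc_` naming convention are constructed assumptions.

```python
"""Least-privilege audit of privileged AD groups through nested membership.

Added example, not from this page. The directory snapshot below is
constructed: a group maps to its direct members, and a member is itself a
group whenever it appears as a key.
"""
from collections import deque

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed snapshot. "Infra Team" and "IT Ops Leads" nest each other,
# which real directories do contain and which a naive recursion loops on.
MEMBERSHIP = {
    "Domain Admins": {"Administrator", "IT Ops Leads", "svc_backup"},
    "Enterprise Admins": {"Administrator"},
    "Administrators": {"Domain Admins", "Helpdesk Tier 2"},
    "IT Ops Leads": {"alice", "Infra Team"},
    "Infra Team": {"bob", "IT Ops Leads"},
    "Helpdesk Tier 2": {"carol", "svc_monitor"},
    "Developers": {"dave"},
}

# Constructed allowlist of accounts that are meant to hold admin rights.
APPROVED_ADMINS = {"Administrator", "alice"}


def effective_members(group, membership):
    """Return {principal: path} for every non-group principal reachable from
    group, where path is the chain of groups that grants the membership.
    Breadth-first, so the first path found uses the fewest hops."""
    paths = {}
    seen_groups = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in membership.get(current, ()):
            if member in membership:            # nested group
                if member not in seen_groups:   # cycle guard
                    seen_groups.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:
                paths[member] = path
    return paths


def audit_privileged_groups(membership, approved, privileged=PRIVILEGED_GROUPS):
    """Flag effective members of privileged groups that should not be there."""
    findings = []
    for group in sorted(privileged):
        for principal, path in sorted(effective_members(group, membership).items()):
            reasons = []
            if principal not in approved:
                reasons.append("not on approved admin list")
            if principal.lower().startswith("svc_"):   # naming convention assumed
                reasons.append("service account in privileged group")
            if reasons:
                findings.append({"group": group, "principal": principal,
                                 "via": " > ".join(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_privileged_groups(MEMBERSHIP, APPROVED_ADMINS):
        print(f"{f['group']:18} {f['principal']:12} via {f['via']}: {', '.join(f['reasons'])}")
```

The `via` chain is what makes the finding actionable: removing `bob` from Domain Admins means detaching `Infra Team` from `IT Ops Leads`, not editing Domain Admins, and the same traversal shows which single nesting edge grants the most unintended access.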
Compliance framework requirements
Most compliance frameworks expect both internal and external testing. The specific requirements differ by framework.
- PCI DSS v4.0.1: Both required annually (Req 11.4.2 external, 11.4.3 internal). Plus segmentation testing if applicable.
- SOC 2 Type II: Not formally required, but auditors usually expect both. External alone is increasingly seen as insufficient.
- ISO 27001: Annex A 8.8 requires technical vulnerability management evidence; internal and external testing together satisfy this.
- HIPAA: Risk analysis and risk management requirements imply both internal and external; auditors increasingly expect both.
- FedRAMP Moderate: Both required as part of the annual assessment. Internal testing must include all in-scope systems.
- CMMC Level 2: Internal testing required for in-scope systems. External recommended for organisations with internet-facing components.
Frequently asked questions
What is the difference between internal and external penetration testing?
An external pentest targets your internet-facing infrastructure (web servers, VPN endpoints, mail servers, cloud-exposed services) from outside your network perimeter. An internal pentest assumes a foothold inside the network (often called assumed-breach) and tests how far an attacker could move once inside. Both are needed for a complete security picture; most compliance frameworks require both.
Which costs more: internal or external?
Internal pentests typically cost more than equivalent external scope because the attack surface inside a network is usually broader and Active Directory testing is labour-intensive. A typical external-only pentest in 2026 costs $10,000-$25,000. A typical internal-only pentest costs $15,000-$35,000. Combined engagements (most common) run $20,000-$50,000.
Does PCI DSS require both internal and external?
Yes. PCI DSS v4.0.1 Requirement 11.4.2 mandates external penetration testing at least annually and after any significant change. Requirement 11.4.3 mandates internal penetration testing on the same cadence. The Cardholder Data Environment must be tested both from outside the perimeter and from inside the network. Both tests are required to complete the annual evidence package.
Can I skip internal testing if my environment is fully cloud?
Not really. Even cloud-only environments have an internal-equivalent attack surface: the cloud control plane (IAM roles, service accounts, cross-service trust), Kubernetes namespaces, internal-only API gateways, and any private subnet workloads. The labels change but the assumed-breach concept still applies. A cloud-native internal pentest tests cloud-IAM lateral movement and workload segmentation rather than Active Directory.
What is assumed-breach and why does it matter?
Assumed-breach is an internal pentest approach where the tester starts with low-privileged credentials or a foothold on a single host, simulating an attacker who has gained initial access via phishing or supply chain compromise. This is realistic threat modelling for 2026 because most successful breaches start with initial access rather than perimeter compromise. Assumed-breach pentests typically produce 3-5x more high-impact findings than external-only equivalents.