You got a pentest quote.
Is the number fair?
Pentest quotes vary 3-5x for the same scope of work depending on the provider tier and how the engagement is sized. Without context, every quote looks reasonable. This benchmarker drops your quote onto the modelled market band for your configuration and returns a verdict: BELOW MARKET, FAIR (LOW / MID / HIGH), or OVERPRICED — plus the critical inclusions you should verify before signing.
Inputs to the benchmarker (your vendor quote):
- Quoted price (USD)
- Test type (5-10 days · per application)
- Scope count (number of applications)
- Company size
- Provider tier
- What the quote includes
Example result. Verdict: quote is at the top of the modelled band.
Within range but premium-priced. Worth asking for itemised hours, tester resumes, and a sample of an executive readout from a prior engagement. If the vendor justifies the premium with manual depth, certified testers, and named-individual continuity, the price can be reasonable.
- Your quote: $35,000
- Modelled midpoint (band mid): $20,250
- Quote − Mid: +$14,750 above mid
- 1 critical inclusion not confirmed
The quote at $35,000 is at-band, but these items are typically standard in a credible pentest engagement. Ask the vendor to confirm each in writing before signing:
- Free retest after remediation
Band = base [low, mid, high] for the test type × company-size multiplier (1x) × provider-tier multiplier (1x) × scope multiplier (1.35x). Verdict bands: <70% of band low = below market · band low to mid+5% = fair · mid+5% to band high = fair-high · >band high = overpriced.
The five verdict bands
Each band reflects a different conversation with the vendor. Read the verdict for what to do next, not just as a green-or-red indicator.
- BELOW MARKET (less than 70% of band low). Usually means automated scan + PDF, scope creep waiting to happen, or freelancer overcommitment. Verify methodology and tester credentials (OSCP / OSWE / GPEN), and ask for a sample report from a prior engagement.
- FAIR-LOW (band low up to midpoint). Reasonable. Check inclusions — particularly retest and manual testing — because a low-end-fair quote that excludes retest is effectively below-market once you add the retest.
- FAIR-MID (within ±5% of band mid). Strong indication of a credible provider. Negotiate on inclusions (retest, exec readout, remediation window) rather than headline price — at mid that is usually the more productive lever.
- FAIR-HIGH (mid+5% to band high). Within range but premium. Ask for itemised hours, named-tester resumes, and a sample executive readout. If justified by manual depth and senior-only staffing, the premium can be reasonable.
- OVERPRICED (more than band high + 5%). Almost always Big 4 markup or an over-scoped engagement. Get at least two competitive quotes from boutique or PTaaS providers before signing. If procurement requires Big 4, the overhead is strategic, not market-driven.
Methodology
The benchmarker derives the band from a four-factor model:
- Test type base. Each test type has a published low/mid/high range (web app $5K/$15K/$30K, network $10K/$22K/$50K, cloud $15K/$25K/$40K, red team $25K/$55K/$100K, etc.). Updated against vendor pricing pages and procurement-survey data.
- Company size multiplier. Startup 0.7x · SMB 1.0x · Mid-market 1.5x · Enterprise 2.5x. Reflects scope complexity, asset count, and regulatory exposure that scale with size.
- Provider tier multiplier. Freelancer 0.6x · Boutique 1.0x · Big 4 2.2x · PTaaS 0.75x. Boutique is the baseline; Big 4 commands premium for brand and procurement-band fit.
- Scope count multiplier. 1 + 0.35 × (count − 1). Diminishing returns past one unit because the second app/IP range/cloud account shares setup overhead with the first.
Verdict thresholds: below 70% of band low = BELOW MARKET · band low to midpoint = FAIR-LOW · midpoint ±5% = FAIR-MID · midpoint+5% to band high = FAIR-HIGH · >band high + 5% = OVERPRICED. Use the benchmark as one data point alongside named-tester credentials, vendor reference checks, and the inclusions list. Treat it as a sanity check, not a substitute for due diligence on the actual engagement quality. Last calibration: April 2026.
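The four-factor band computation and verdict placement described above, reimplemented as an added Python example (not the benchmarker's own code). It uses the base ranges, multipliers and Methodology thresholds quoted on the page; the handling of quotes between 70% of band low and band low, which the page leaves unnamed, and the key names for test types, sizes and tiers are assumptions made here.

```python
from dataclasses import dataclass

# Base low/mid/high ranges in USD per test type, as listed on the page.
BASE = {
    "web_app": (5_000, 15_000, 30_000),
    "network": (10_000, 22_000, 50_000),
    "cloud": (15_000, 25_000, 40_000),
    "red_team": (25_000, 55_000, 100_000),
}
SIZE_MULT = {"startup": 0.7, "smb": 1.0, "mid_market": 1.5, "enterprise": 2.5}
TIER_MULT = {"freelancer": 0.6, "boutique": 1.0, "big4": 2.2, "ptaas": 0.75}
# The page flags one inclusion as critical: a free retest after remediation.
CRITICAL_INCLUSIONS = {"retest"}

@dataclass(frozen=True)
class Benchmark:
    low: float
    mid: float
    high: float
    delta_vs_mid: float          # quote minus modelled midpoint
    verdict: str
    unconfirmed_critical: tuple  # critical inclusions the vendor has not confirmed

def scope_multiplier(count: int) -> float:
    """1 + 0.35 x (count - 1): extra apps/ranges share setup overhead."""
    return 1 + 0.35 * (count - 1)

def verdict(quote: float, low: float, mid: float, high: float) -> str:
    """Thresholds from the Methodology section. The page leaves quotes between
    70% of band low and band low unnamed; treating them as BELOW MARKET is an
    assumption made here."""
    if quote < low:
        return "BELOW MARKET"
    if quote < mid * 0.95:
        return "FAIR-LOW"
    if quote <= mid * 1.05:
        return "FAIR-MID"
    if quote <= high * 1.05:
        return "FAIR-HIGH"
    return "OVERPRICED"

def benchmark(quote, test_type, scope_count, size, tier, confirmed=()):
    """Band = base x size x tier x scope multiplier; then place the quote."""
    mult = SIZE_MULT[size] * TIER_MULT[tier] * scope_multiplier(scope_count)
    low, mid, high = (round(b * mult, 2) for b in BASE[test_type])
    missing = tuple(sorted(CRITICAL_INCLUSIONS - set(confirmed)))
    return Benchmark(low, mid, high, round(quote - mid, 2),
                     verdict(quote, low, mid, high), missing)
```

Running `benchmark(35_000, "web_app", 2, "smb", "boutique")` reproduces the page's example: a $20,250 midpoint, +$14,750 above mid, FAIR-HIGH, with the retest still unconfirmed.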