Pentest Day Rates and Hourly Rates for 2026 — Mid-Market vs Boutique
Buyers procuring on a day-rate basis (independent contractors, SOW engagements with explicit day pricing) need neutral benchmarks. BSG's published data is the best public anchor; the figures below supplement it with Astra, Deepstrike, and PTaaS credit-rate calculations.
Rate Reference Table (April 2026)
| Category | Hourly rate | Day rate | Annual cost (200 days) | Source |
|---|---|---|---|---|
| Independent contractor | $150-$250 | $1,200-$2,000 | $240k-$400k | Astra, Software Secured |
| Mid-market consultancy | $200-$350 | $1,500-$3,500 | $300k-$700k | BSG, Deepstrike |
| Senior boutique / Big-4 | $350-$500 | $4,000-$7,000 | $800k-$1.4M | BSG, Bright Defense |
| PTaaS blended (Cobalt) | $200-$280 | ~$1,800/credit | Platform + credits | Cobalt.io, Vendr, G2 |
What Changes the Rate
- Seniority: OSCP-certified mid-market pentester, $200-$250/hr. OSCE3/eCPTX, $300-$400/hr. Principal researcher (Trail of Bits, Bishop Fox), $400-$600/hr.
- Target type (premium over the web-app baseline): cloud/Kubernetes +15-20%; mobile (iOS/Android) +10%; ICS/SCADA +30-50%; hardware/embedded +50-100%.
- Geography: UK/EMEA rates run 20-35% lower than equivalent US rates for comparable seniority; APAC 30-50% lower. Remote-first firms partially arbitrage this gap.
- Certifications: OSCP adds credibility but not a premium rate. CREST (UK/APAC) is required for government work; CHECK is required for UK government networks. GXPN/GREM add a premium.
- Volume: 10+ days, a 10-15% discount is typical; 30+ days, 20-25%; multi-year framework, 25-30% off the boutique list rate.
- Lead time: sub-2-week start, +20% scheduling premium; sub-1-week start, +30-40% at most vendors. PTaaS (Cobalt, HackerOne) has the shortest lead time.
Day-Rate vs Project-Fee: Which Costs Less?
At scopes under 10 days, day-rate buying typically costs 10-20% more than a fixed project fee for the same deliverables, because project-fee vendors discount in exchange for predictability. At scopes over 20 days, day-rate buying can be cheaper, because project-fee vendors add a 15-25% project management and risk buffer.