Independent research. Not affiliated with Cobalt, HackerOne, Bishop Fox, NCC Group, Trail of Bits, Synack, Bugcrowd, IOActive, or any other vendor named on this site. Prices change. Last verified April 2026.

What You Actually Get at $5k, $10k, $20k, and $50k Pentest Engagements (2026)

Buyers ask this exact question and get scattered partial answers from vendor blog posts. One page, four tiers, what’s actually in scope at each band.

Inclusion lists cited from Astra, Deepstrike, Bright Defense, BSG, Cobalt, and Software Secured. Last verified April 2026.

Below $3,000 warning: Anything labelled “pentest” under $3,000 is almost certainly automated scanning only — no manual exploitation, no business-logic testing, no chained attack paths. Astra, Deepstrike, and Software Secured all note this threshold explicitly. A $2,500 “pentest” buys you a vulnerability scan with a pentest-shaped report wrapped around it.
$5,000 (Entry tier)

Scope: Single small web application, 1-15 endpoints
Methodology: OWASP Top 10, automated + light manual. Basic authentication testing. No business-logic chaining.
Deliverables: Summary report (5-15 pages), vulnerability list with CVSS scores, basic remediation guidance
Retest: Basic retest within 30 days, limited to critical/high findings only
Timeline: 2-3 weeks from scope call to report
Vendor profile: Cobalt Essentials credit pack, Astra, mid-range PTaaS entry

At this tier, you get a credible OWASP scan with light manual validation. Acceptable for a customer security questionnaire or a first pentest on a simple app.

$10,000 (Mid-market)

Scope: Single mid-size application or API set, 16-50 endpoints
Methodology: Full OWASP + authentication bypass, session management, API auth chains. Custom test cases for business-critical flows.
Deliverables: Technical + executive report (20-35 pages), raw findings CSV, executive summary for board
Retest: Included, all severity levels, 60-day retest window
Timeline: 2-3 weeks test execution, 1-2 weeks report
Vendor profile: Mid-market consultancy (BSG-tier, $1,500-$3,500/day), Cobalt Standard

Most common price point for SOC 2-driven web app pentests at Series A-B startups. Covers a realistic app with API integrations.

$20,000 (Standard)

Scope: Web + API + light cloud infrastructure, 51-100 endpoints
Methodology: Business-logic depth, attack-chain testing, privilege escalation, cloud configuration review
Deliverables: Full technical report + executive briefing + findings walkthrough call
Retest: Included for all findings, 90-day retest window, retest sign-off letter
Timeline: 3-4 weeks test execution, 1-2 weeks report
Vendor profile: BSG/Bright Defense tier, senior mid-market consultancy, Cobalt PTaaS (continuous)

The coverage floor for companies with meaningful data (PII, payment-adjacent) or a large API surface. Suitable for SOC 2 Type II audits with broad scope.

$50,000 (Enterprise)

Scope: Multi-application / multi-cloud / mobile + web + API, 100+ endpoints
Methodology: Custom methodology, chained exploits, privilege escalation across systems, lateral movement simulation
Deliverables: Executive briefing + full technical report + code-level findings + walkthrough sessions
Retest: Multiple retest rounds, extended 120-180 day window, retest on all severity levels
Timeline: 4-8 weeks engagement, 2-3 weeks deliverable production
Vendor profile: Bishop Fox, NCC Group, Trail of Bits boutique engagement

This is where you get methodology depth and seniority of testers. Suitable for regulated companies, complex microservices architectures, or red-team-adjacent engagements.

Above $50,000 — What You’re Really Buying

At $50,000+, you transition from a pentest to a red team engagement or a full-stack security assessment. Key differences:

  • 6-12 week timelines for full engagement + report + remediation
  • Social engineering scope may be included (phishing, vishing, physical)
  • Custom tooling developed for your specific environment
  • Attack path simulations across multiple systems and trust boundaries
  • Board-level threat briefing as a standalone deliverable

Trail of Bits, IOActive, and Bishop Fox operate in this band. NCC Group also operates here, particularly for regulated sectors.

If your trigger is SOC 2, PCI DSS, or ISO 27001 compliance, the tier maps to a different methodology footprint — compliance frameworks have specific requirements for scope, frequency, and attestation depth. See penetrationtestingcost.com for the full compliance methodology breakdown.