Independent research. Not affiliated with Cobalt, HackerOne, Bishop Fox, NCC Group, Trail of Bits, Synack, Bugcrowd, IOActive, or any other vendor named on this site. No vendor publishes a list price; dollar figures are buyer-marketplace estimates. Last verified June 2026.

Pentest Cost FAQ — Procurement Answers for 2026

15 answered questions drawn from the “People Also Ask” boxes for pentest cost queries. Each answer is a condensed version of a deeper page on this site.

How much does a pentest cost in 2026?

A pentest costs between $4,000 and $50,000 for most web application and API engagements. No major vendor publishes a list price; all are contact-sales. Buyer-marketplace estimates put Cobalt PTaaS around $2,500/month plus credits (about $1,800 each), HackerOne assessments at $15,000-$50,000 annually, and Bishop Fox boutique engagements from about $25,000. Enterprise red-team engagements reach $100,000-$200,000+. The exact price depends on application type, endpoint count, authentication complexity, and data sensitivity.

How much does a pentest cost for a startup?

$5,000-$15,000 for a first-time SOC 2-driven web app pentest at a Series A-B startup. A single small web app (1-15 endpoints) with OWASP Top 10 coverage costs $5,000-$8,000 via an entry Cobalt credit pack or a mid-market consultancy. Web + API coverage: $8,000-$15,000. Anything under $3,000 labelled 'pentest' is almost certainly automated scanning.

What is included in a $5,000 pentest?

A $5,000 pentest covers a single small web application with up to 15 endpoints, OWASP Top 10 checks, light manual testing beyond automated scanning, a 5-15 page summary report, and a basic retest of critical findings within 30 days. It will not include deep business-logic testing, authentication bypass chaining, or API testing beyond the surface level.

What is PTaaS and how does it compare to a traditional pentest in cost?

PTaaS (Pentest as a Service) is a subscription model where you buy credits redeemable for tester hours via a platform. Cobalt publishes its credit model (1 credit = 8 hours) but not prices; buyer-marketplace data estimates roughly $2,500/month plus ~$1,800/credit. At the same annual spend, PTaaS provides continuous coverage but shallower individual tests; traditional SOW provides depth once. PTaaS wins if you ship code continuously; SOW wins if you need a single compliance attestation.

Does Cobalt have public pricing?

Not list prices. Cobalt publishes its credit model and three tiers (Standard, Premium, Enterprise) on its pricing page, but every tier routes to a quote, so no dollar figure is published. Buyer-marketplace data (Vendr, G2) estimates an entry platform fee around $2,500/month, credits around $1,800 each (8 hours), and annual contract values of $15,000-$50,000. These are third-party estimates, not Cobalt-published prices.

How long does a pentest take?

A typical web application pentest takes 1-3 weeks of test execution plus 1-2 weeks for report production. PTaaS rolling tests (Cobalt, HackerOne): 2-3 weeks per credit pack. Time-to-quote varies: Cobalt 1-2 days; Bishop Fox 5-10 days; Trail of Bits 7-14 days. Time-to-first-test after PO signed: PTaaS within 1 week; traditional consultancies 2-5 weeks.

How much does a pentest retest cost?

Retests typically cost 15-30% of the original engagement fee and must be requested within a 30-90 day window. On a $20,000 engagement: $3,000-$6,000 for a retest. Some PTaaS vendors (Synack, Bugcrowd via bounty) include continuous retesting. Cobalt charges per additional credit. Bishop Fox and NCC Group typically include one retest in the original SOW.

Can you negotiate pentest pricing?

Yes. Multi-year commits unlock 20-30% off the initial quote. Volume credit packs unlock 15-25% at PTaaS vendors. Competing quotes from Cobalt, HackerOne, and Synack unlock 10-20%. Negotiating retest inclusion upfront (rather than adding it later) saves $3,000-$8,000 per engagement. Vendr and Spendflo buyer guides confirm these ranges as standard negotiation outcomes.

What is the difference between a pentest and a vulnerability scan?

A vulnerability scan is automated and matches known CVEs against a signature database. A pentest is manual and finds business-logic flaws, authentication bypasses, and chained exploits that automated tools miss. Anything labelled 'pentest' under $3,000 is almost certainly the former. Real pentests require human testers who reason about your specific architecture, authentication design, and data flows.

How often should you do a pentest?

Annually at minimum for compliance requirements (PCI 11.3, SOC 2, ISO 27001 Annex A). After major releases or significant infrastructure changes. Continuously, via PTaaS, if you're a high-threat-profile company. For compliance-specific frequency guidance by framework, see penetrationtestingcost.com.

How do you scope a pentest?

Define: (1) application type (web, API, mobile, cloud, network), (2) endpoint count, (3) authentication model (simple session, OAuth, multi-tenant), (4) data sensitivity (PII, PCI, HIPAA), (5) test type (black/grey/white box). Use the scope estimator on this site to map these inputs to a price band before your first vendor call.

What does a pentest day rate cost?

$1,500-$3,500/day for mid-market consultancies (BSG, Deepstrike data). $4,000-$7,000/day for senior boutique / Big-4 firms. Independent contractors: $1,200-$2,000/day. PTaaS blended equivalent: approximately $225/hr for Cobalt credits (8 hours at an estimated ~$1,800/credit from buyer-marketplace data). UK/EMEA rates are 20-35% lower for equivalent seniority.

What is the cheapest pentest vendor?

Cobalt's entry credit pack is the lowest entry point among the 8 named vendors, estimated at roughly $2,500/month plus ~$1,800/credit (buyer-marketplace data, not vendor-published). HackerOne assessments are estimated from about $15,000. For a single small app, mid-market consultancies (not included in the 8-vendor matrix) can deliver OWASP-level testing at $5,000-$8,000. Below $3,000, you are buying automated scanning, not a manual pentest.

Is Bishop Fox cheaper than NCC Group?

Both are contact-sales only with comparable ranges. Bishop Fox typically starts at $25,000+. NCC Group can start lower ($15,000-$20,000) for simpler engagements, particularly in the UK/EMEA market where their day rates are lower. Bishop Fox is generally more expensive in the US market. For the same scope, get quotes from both and use the competing-offer negotiation to unlock 10-20% off.

What's the difference between Cobalt and HackerOne?

Both are PTaaS/assessment platforms. Cobalt is more self-serve with a published credit model (estimated ~$1,800/credit from buyer-marketplace data; Cobalt itself does not publish prices). HackerOne has a larger hacker community and stronger bug bounty platform alongside its assessment products. Cobalt is cheaper for one-off testing. HackerOne is better if you want to run a concurrent bug bounty program. Both have similar SOC 2 / ISO 27001 attestation depth.


For compliance framework questions (SOC 2 pentest frequency, PCI 11.3, ISO 27001 methodology), see penetrationtestingcost.com.