Pentest Cost FAQ — Procurement Answers for 2026
15 answered questions drawn from the “People Also Ask” boxes for pentest cost queries. Each answer ends with a link to the deeper page if you want more detail.
How much does a pentest cost in 2026?
A pentest costs between $4,000 and $50,000 for most web application and API engagements. Cobalt PTaaS starts at approximately $2,500/month platform fee with credits at $1,800 each. HackerOne assessment products run $15,000-$50,000 annually. Bishop Fox boutique engagements start at $25,000. Enterprise red-team engagements reach $100,000-$200,000+. The exact price depends on application type, endpoint count, authentication complexity, and data sensitivity.
More detail →
How much does a pentest cost for a startup?
$5,000-$15,000 for a first-time SOC 2-driven web app pentest at a Series A-B startup. A single small web app (1-15 endpoints) with OWASP Top 10 coverage costs $5,000-$8,000 via Cobalt Essentials or a mid-market consultancy. Web + API coverage: $8,000-$15,000. Anything under $3,000 labelled 'pentest' is almost certainly automated scanning.
More detail →
What is included in a $5,000 pentest?
A $5,000 pentest covers a single small web application with up to 15 endpoints, OWASP Top 10 checks, light manual testing beyond automated scanning, a 5-15 page summary report, and a basic retest of critical findings within 30 days. It will not include deep business-logic testing, authentication bypass chaining, or API testing beyond surface level.
More detail →
What is PTaaS and how does it compare to a traditional pentest in cost?
PTaaS (Pentest as a Service) is a subscription model where you buy credits redeemable for tester hours via a platform. Cobalt charges ~$2,500/month plus ~$1,800/credit (8 hours). At the same annual spend, PTaaS provides continuous coverage but shallower individual tests; traditional SOW provides depth once. PTaaS wins if you ship code continuously; SOW wins if you need a single compliance attestation.
More detail →
Does Cobalt have public pricing?
Cobalt has partial public pricing. Essentials starts at approximately $2,500/month. Credit pricing is approximately $1,800 per credit (8 hours) per Vendr and G2 marketplace data. Annual contract values of $15,000-$50,000 are confirmed via Vendr. Custom enterprise pricing is contact-sales only.
More detail →
How long does a pentest take?
A typical web application pentest takes 1-3 weeks of test execution plus 1-2 weeks for report production. PTaaS rolling tests (Cobalt, HackerOne): 2-3 weeks per credit pack. Time-to-quote varies: Cobalt 1-2 days; Bishop Fox 5-10 days; Trail of Bits 7-14 days. Time-to-first-test after PO signed: PTaaS within 1 week; traditional consultancies 2-5 weeks.
More detail →
How much does a pentest retest cost?
Retests typically cost 15-30% of the original engagement fee, bounded by a 30-90 day window. On a $20,000 engagement: $3,000-$6,000 for a retest. Some PTaaS vendors (Synack, Bugcrowd via bounty) include continuous retesting. Cobalt charges per additional credit. Bishop Fox and NCC Group typically include one retest in the original SOW.
More detail →
Can you negotiate pentest pricing?
Yes. Multi-year commits unlock 20-30% off list pricing. Volume credit packs unlock 15-25% at PTaaS vendors. Competing quotes from Cobalt, HackerOne, and Synack unlock 10-20%. Negotiating retest inclusion upfront (rather than adding it later) saves $3,000-$8,000 per engagement. Vendr and Spendflo buyer guides confirm these ranges as standard negotiation outcomes.
What is the difference between a pentest and a vulnerability scan?
A vulnerability scan is automated and finds known CVEs against a signature database. A pentest is manual and finds business-logic flaws, authentication bypasses, and chained exploits that automated tools miss. Anything labelled 'pentest' under $3,000 is almost certainly the former. Real pentests require human testers who reason about your specific architecture, authentication design, and data flows.
More detail →
How often should you do a pentest?
Annually at minimum for compliance requirements (PCI 11.3, SOC 2, ISO 27001 Annex A), and after major releases or significant infrastructure changes. Continuously, via PTaaS, if you are a high-threat-profile company. For compliance-specific frequency guidance by framework, see penetrationtestingcost.com.
How do you scope a pentest?
Define: (1) application type (web, API, mobile, cloud, network), (2) endpoint count, (3) authentication model (simple session, OAuth, multi-tenant), (4) data sensitivity (PII, PCI, HIPAA), (5) test type (black/grey/white box). Use the scope estimator on this site to map these inputs to a price band before your first vendor call.
More detail →
What does a pentest day rate cost?
$1,500-$3,500/day for mid-market consultancies (BSG, Deepstrike data). $4,000-$7,000/day for senior boutique / Big-4 firms. Independent contractors: $1,200-$2,000/day. PTaaS blended equivalent: approximately $225/hr for Cobalt credits (8 hours at ~$1,800). UK/EMEA rates are 20-35% lower for equivalent seniority.
More detail →
What is the cheapest pentest vendor?
Cobalt Essentials is the lowest entry point among the 8 named vendors at approximately $2,500/month plus ~$1,800/credit. HackerOne assessment starts at $15,000. For a single small app, mid-market consultancies (not included in the 8-vendor matrix) can deliver OWASP-level testing at $5,000-$8,000. Below $3,000, you are buying automated scanning, not a manual pentest.
More detail →
Is Bishop Fox cheaper than NCC Group?
Both are contact-sales only with comparable ranges. Bishop Fox typically starts at $25,000+. NCC Group can start lower ($15,000-$20,000) for simpler engagements, particularly in the UK/EMEA market where their day rates are lower. Bishop Fox is generally more expensive in the US market. For the same scope, get quotes from both and use the competing-offer negotiation to unlock 10-20% off.
More detail →
What's the difference between Cobalt and HackerOne?
Both are PTaaS/assessment platforms. Cobalt is more self-serve with explicit credit pricing (~$1,800/credit). HackerOne has a larger hacker community and stronger bug bounty platform alongside its assessment products. Cobalt is cheaper for one-off testing. HackerOne is better if you want to run a concurrent bug bounty program. Both have similar SOC 2 / ISO 27001 attestation depth.
More detail →
For compliance framework questions (SOC 2 pentest frequency, PCI 11.3, ISO 27001 methodology), see penetrationtestingcost.com.