Independent research. Not affiliated with Cobalt, HackerOne, Bishop Fox, NCC Group, Trail of Bits, Synack, Bugcrowd, IOActive, or any other vendor named on this site. Prices change. Last verified April 2026.
pentestingcost.com

Pentest Scope Estimator 2026 — Map Your App to a Realistic Price Band

Input your application profile and get a vendor-anchored price band in under 10 seconds. No sales call needed. The methodology is transparent and cited below.

Estimated price band for your scope
$7,000-$24,000
4-8 test-days; Mid-market consultancy or Cobalt Standard
Based on public day-rate data (BSG: $1,500-$3,500/day mid-market, $4,000-$7,000/day boutique). Multipliers cited in cost factors.

How This Estimate Is Derived

The estimator uses publicly cited day-rate data and scope-to-day-count ratios from industry benchmarks. It is not a black box.

Day-count methodology
  • Web app base: 4 days per medium scope (Astra, Deepstrike)
  • API: 3 days base (API-specific methodology is narrower)
  • Mobile: 5 days base (platform complexity)
  • Cloud: 6 days base (configuration + service enumeration)
  • Network: 7 days base (broader attack surface)
Multipliers applied
  • Endpoint count: Small x1.0 / Medium x1.5 / Large x2.2 / Enterprise x3.5
  • Auth complexity: Simple x1.0 / OAuth x1.2 / Multi-tenant x1.35 / Complex x1.5
  • Data sensitivity: General x1.0 / PII x1.15 / PCI x1.25 / HIPAA x1.3
  • Day-rate applied: Mid-market $1,500-$3,500 / Boutique $4,000-$7,000 (BSG)

Sources: BSG day-rate data, Astra scope-to-day ratios, Deepstrike engagement benchmarks. Multipliers represent typical market variance, not guarantees. See sources page for full citation list.
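The methodology above is a lookup-and-multiply formula: base test-days for the application type, scaled by the endpoint, authentication and data-sensitivity multipliers, then priced at the chosen day-rate band. The following Python is an added example that implements exactly the figures listed; it is not the site's own calculator code. Three points the page leaves unstated are assumptions here and are marked in the code: a combined scope such as "Web + API" sums its base days before the multipliers are applied, raw endpoint counts above 150 fall into the Enterprise bucket, and fractional test-days are rounded up before pricing. Because the page's widget evidently applies adjustments it does not list, the figures this code produces will not match the Worked Examples below exactly.

```python
"""Scope-to-price-band estimator following the day-count methodology
listed on the page: base days x endpoint x auth x data multipliers,
priced at a day-rate band.

Added example, not the site's own calculator code. Assumptions, marked
below: combined scopes such as "Web + API" sum their base days; raw
endpoint counts above 150 map to the Enterprise bucket; fractional
test-days are rounded up to whole days before pricing.
"""
import math

# Base test-days per application type (from the methodology list).
BASE_DAYS = {"web": 4, "api": 3, "mobile": 5, "cloud": 6, "network": 7}

# Scope multipliers (from the methodology list).
ENDPOINT_MULT = {"small": 1.0, "medium": 1.5, "large": 2.2, "enterprise": 3.5}
AUTH_MULT = {"simple": 1.0, "oauth": 1.2, "multi-tenant": 1.35, "complex": 1.5}
DATA_MULT = {"general": 1.0, "pii": 1.15, "pci": 1.25, "hipaa": 1.3}

# Day-rate bands in USD per day (BSG figures quoted on the page): (low, high).
DAY_RATES = {"mid-market": (1500, 3500), "boutique": (4000, 7000)}


def endpoint_bucket(count):
    """Map a raw endpoint count to the page's size buckets.

    1-15 small, 16-50 medium, 51-150 large are the page's ranges;
    treating anything above 150 as Enterprise is an assumption.
    """
    if count < 1:
        raise ValueError("endpoint count must be at least 1")
    if count <= 15:
        return "small"
    if count <= 50:
        return "medium"
    if count <= 150:
        return "large"
    return "enterprise"


def estimate_days(app_types, endpoints, auth, data):
    """Return the unrounded test-day count for a scope.

    Assumption: a multi-type scope (e.g. ["web", "api"]) sums the base
    days of each type before the multipliers are applied.
    """
    base = sum(BASE_DAYS[t] for t in app_types)
    return base * ENDPOINT_MULT[endpoints] * AUTH_MULT[auth] * DATA_MULT[data]


def estimate_band(app_types, endpoints, auth, data, tier="mid-market"):
    """Return (test_days, low_usd, high_usd) for the scope at a day-rate tier.

    Assumption: fractional days are rounded up, since engagements are
    quoted in whole test-days. Rounding to 6 decimals first keeps float
    noise (e.g. 9.0000000000000002) from adding a spurious extra day.
    """
    raw = estimate_days(app_types, endpoints, auth, data)
    days = math.ceil(round(raw, 6))
    low_rate, high_rate = DAY_RATES[tier]
    return days, days * low_rate, days * high_rate


def format_band(low_usd, high_usd):
    """Render a dollar range in the page's "$7,500-$17,500" style."""
    return f"${low_usd:,}-${high_usd:,}"


if __name__ == "__main__":
    # Constructed sample scopes, run through the stated formula.
    scopes = [
        ("Web app, 12 endpoints, session auth, PCI", ["web"], 12, "simple", "pci", "mid-market"),
        ("Web + API, 30 endpoints, OAuth, PII", ["web", "api"], 30, "oauth", "pii", "mid-market"),
        ("Web + API, 120 endpoints, multi-tenant, HIPAA", ["web", "api"], 120, "multi-tenant", "hipaa", "boutique"),
    ]
    for label, types, count, auth, data, tier in scopes:
        days, lo, hi = estimate_band(types, endpoint_bucket(count), auth, data, tier)
        print(f"{label}: {days} test-days, {format_band(lo, hi)} ({tier})")
```

Running the module prints one line per constructed scope; calling `estimate_days` directly shows the unrounded figure when you want to see how much a single multiplier moves the quote.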

Worked Examples

Series A SaaS, SOC 2 trigger
  • App type: Web + API
  • Endpoints: Medium (16-50)
  • Auth: OAuth 2.0
  • Data: PII / user data
  • Estimate: $12,000-$20,000 (6-10 days)
  • Vendor tier: Mid-market consultancy or Cobalt Standard credit pack

E-commerce web app, PCI in scope
  • App type: Web application
  • Endpoints: Small (1-15)
  • Auth: Simple session
  • Data: Payment data (PCI)
  • Estimate: $8,000-$14,000 (4-7 days)
  • Vendor tier: Cobalt Essentials or mid-market consultancy with PCI experience

Healthcare SaaS, multi-tenant HIPAA
  • App type: Web + API
  • Endpoints: Large (51-150)
  • Auth: Multi-tenant / RBAC
  • Data: Health data (HIPAA)
  • Estimate: $25,000-$45,000 (12-20 days)
  • Vendor tier: Bishop Fox, NCC Group, or Synack (managed)

Developer API platform, no sensitive data
  • App type: API (REST/GraphQL)
  • Endpoints: Medium (16-50)
  • Auth: OAuth 2.0
  • Data: General business data
  • Estimate: $8,000-$15,000 (5-9 days)
  • Vendor tier: Mid-market consultancy or Cobalt API-focused credit pack