Independent research. Not affiliated with Cobalt, HackerOne, Bishop Fox, NCC Group, Trail of Bits, Synack, Bugcrowd, IOActive, or any other vendor named on this site. No vendor publishes a list price; dollar figures are buyer-marketplace estimates. Last verified June 2026.
pentestingcost.com

Pentest Scope Estimator 2026 — Map Your App to a Realistic Price Band

Input your application profile and get a vendor-anchored price band in under 10 seconds. No sales call needed. The methodology is transparent and cited below.

Estimated price band for your scope
$7,000-$24,000
4-8 test-days; Mid-market consultancy or Cobalt Standard
Based on public day-rate data (BSG: $1,500-$3,500/day mid-market, $4,000-$7,000/day boutique). Multipliers cited in cost factors.

How This Estimate Is Derived

The estimator uses publicly cited day-rate data and scope-to-day-count ratios from industry benchmarks. It is not a black box.

Day-count methodology (base test-days before multipliers)
  • Web app base: 4 days per medium scope (Astra, Deepstrike)
  • API: 3 days base (API-specific methodology is narrower)
  • Mobile: 5 days base (platform complexity)
  • Cloud: 6 days base (configuration + service enumeration)
  • Network: 7 days base (broader attack surface)
Multipliers applied (each factor compounds on the base day count)
  • Endpoint count: Small x1.0 / Medium x1.5 / Large x2.2 / Enterprise x3.5
  • Auth complexity: Simple x1.0 / OAuth x1.2 / Multi-tenant x1.35 / Complex x1.5
  • Data sensitivity: General x1.0 / PII x1.15 / PCI x1.25 / HIPAA x1.3
  • Day-rate applied: Mid-market $1,500-$3,500 / Boutique $4,000-$7,000 (BSG)
Estimated days = base days x endpoint multiplier x auth multiplier x data multiplier; the price band is that day count priced at the low and high end of the chosen day-rate range. Because the factors compound, a large, multi-tenant, HIPAA-scoped application carries roughly 2.2 x 1.35 x 1.3 = 3.9x the base day count before any day rate is applied, so the scope inputs move the estimate far more than the choice of vendor tier does.

Sources: BSG day-rate data, Astra scope-to-day ratios, Deepstrike engagement benchmarks. Multipliers represent typical market variance, not guarantees. See sources page for full citation list.
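The methodology above, applied in code so the arithmetic can be checked against the worked examples that follow. This is an added example and not pentestingcost.com's own calculator; the base days, multipliers and day-rate bands are the ones listed on this page. The one rule it adds is how a combined scope such as "Web + API" merges base day counts, which the page does not state: the example uses the larger base of the selected types, and that is an assumption.

```python
"""Scope-to-price estimator applying the day-count methodology, multipliers and
day-rate bands listed above.

Added example; not the site's own calculator. The merge rule for combined
scopes ("Web + API") is an assumption the page does not make explicit.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Tuple

# Base test-days per application type, as listed on the page.
BASE_DAYS: Dict[str, float] = {"web": 4, "api": 3, "mobile": 5, "cloud": 6, "network": 7}

# Scope multipliers, as listed on the page.
ENDPOINT_MULT: Dict[str, float] = {"small": 1.0, "medium": 1.5, "large": 2.2, "enterprise": 3.5}
AUTH_MULT: Dict[str, float] = {"simple": 1.0, "oauth": 1.2, "multi-tenant": 1.35, "complex": 1.5}
DATA_MULT: Dict[str, float] = {"general": 1.0, "pii": 1.15, "pci": 1.25, "hipaa": 1.3}

# Day-rate bands in USD/day, as cited on the page (BSG).
DAY_RATE: Dict[str, Tuple[int, int]] = {"mid-market": (1500, 3500), "boutique": (4000, 7000)}


@dataclass(frozen=True)
class Estimate:
    days: float     # point estimate of test-days after multipliers
    low_usd: int    # days x low end of the day-rate band
    high_usd: int   # days x high end of the day-rate band
    tier: str       # day-rate band used


def _lookup(table: Mapping[str, object], key: str, what: str):
    """Case-insensitive table lookup that names the valid choices on bad input."""
    norm = key.strip().lower()
    if norm not in table:
        raise ValueError(f"unknown {what} {key!r}; expected one of {sorted(table)}")
    return table[norm]


def estimate_days(app_types: Iterable[str], endpoints: str, auth: str, data: str) -> float:
    """Base days x endpoint x auth x data multiplier, rounded to 0.01 day.

    Assumption (not stated on the page): with several app types in scope, the
    largest base day count is used rather than the sum.
    """
    bases = [_lookup(BASE_DAYS, t, "app type") for t in app_types]
    if not bases:
        raise ValueError("at least one app type is required")
    days = max(bases)
    days *= _lookup(ENDPOINT_MULT, endpoints, "endpoint band")
    days *= _lookup(AUTH_MULT, auth, "auth complexity")
    days *= _lookup(DATA_MULT, data, "data sensitivity")
    return round(days, 2)


def estimate(app_types: Iterable[str], endpoints: str, auth: str, data: str,
             tier: str = "mid-market") -> Estimate:
    """Price the estimated day count at both ends of the chosen day-rate band."""
    days = estimate_days(app_types, endpoints, auth, data)
    low_rate, high_rate = _lookup(DAY_RATE, tier, "day-rate tier")
    return Estimate(days, round(days * low_rate), round(days * high_rate), tier.strip().lower())


def worked_examples() -> Dict[str, Estimate]:
    """The four profiles from the Worked Examples section, run through the formula."""
    profiles = {
        "Series A SaaS, SOC 2 trigger": (["web", "api"], "medium", "oauth", "pii"),
        "E-commerce web app, PCI in scope": (["web"], "small", "simple", "pci"),
        "Healthcare SaaS, multi-tenant HIPAA": (["web", "api"], "large", "multi-tenant", "hipaa"),
        "Developer API platform, no sensitive data": (["api"], "medium", "oauth", "general"),
    }
    return {name: estimate(*profile) for name, profile in profiles.items()}


if __name__ == "__main__":
    for name, est in worked_examples().items():
        print(f"{name}: {est.days} days, ${est.low_usd:,}-${est.high_usd:,} ({est.tier})")
```

The script returns a point estimate in days, whereas the page's worked examples quote a day range around it (the Series A profile computes to 8.28 days against the quoted 6-10; the other three also land inside their quoted ranges), so treat the computed value as the centre of a band rather than the band itself. Pricing at both ends of the day-rate range is what produces the dollar spread; the scope multipliers only move the day count.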

Worked Examples

Series A SaaS, SOC 2 trigger
  • App type: Web + API
  • Endpoints: Medium (16-50)
  • Auth: OAuth 2.0
  • Data: PII / user data
  • Estimate: $12,000-$20,000, 6-10 days
  • Vendor tier: Mid-market consultancy or Cobalt Standard credit pack

E-commerce web app, PCI in scope
  • App type: Web application
  • Endpoints: Small (1-15)
  • Auth: Simple session
  • Data: Payment data (PCI)
  • Estimate: $8,000-$14,000, 4-7 days
  • Vendor tier: Cobalt entry credit pack or mid-market consultancy with PCI experience

Healthcare SaaS, multi-tenant HIPAA
  • App type: Web + API
  • Endpoints: Large (51-150)
  • Auth: Multi-tenant / RBAC
  • Data: Health data (HIPAA)
  • Estimate: $25,000-$45,000, 12-20 days
  • Vendor tier: Bishop Fox, NCC Group, or Synack (managed)

Developer API platform, no sensitive data
  • App type: API (REST/GraphQL)
  • Endpoints: Medium (16-50)
  • Auth: OAuth 2.0
  • Data: General business data
  • Estimate: $8,000-$15,000, 5-9 days
  • Vendor tier: Mid-market consultancy or Cobalt API-focused credit pack