Independent research. Not affiliated with Cobalt, HackerOne, Bishop Fox, NCC Group, Trail of Bits, Synack, Bugcrowd, IOActive, or any other vendor named on this site. No vendor publishes a list price; dollar figures are buyer-marketplace estimates. Last verified June 2026.
Sources and Methodology — pentestingcost.com

Every pricing figure on this site traces to a public URL listed below. “Contact sales” is stated honestly when no public source exists. Numbers marked as estimates are triangulated from multiple sources and clearly labelled.

Data Collection Methodology

Primary sources: Vendor pricing pages, vendor documentation, vendor-published blog posts with pricing information.

Marketplace data: Vendr (vendr.com) and Spendflo (spendflo.com) publish buyer-side pricing benchmarks for SaaS tools including security vendors, drawn from their negotiated-deal data. We treat these as estimates: they are not list prices published by the vendors, and we label them as such throughout the site.

Review platform data: G2 (g2.com) verified customer reviews that include pricing disclosure. G2 tags these as verified.

Analyst / competitive data: Astra (getastra.com/blog/penetration-testing/cost), Deepstrike (deepstrike.io/blog/penetration-testing-cost), BSG (bsg.tech), Bright Defense, Software Secured — these are vendor blogs with competitive research. We use their day-rate and range data, noting the vendor-bias caveat.

Freshness: Vendor pricing models re-verified live June 2026 (Cobalt and HackerOne pricing pages confirmed contact-sales with no published list prices). Prices change. Contact vendors directly for current pricing before making purchasing decisions.

Not fabricated: If a number is not publicly available and cannot be triangulated from multiple sources, we say “contact sales” and do not invent a figure.

Cobalt

Cobalt pricing page (Accessed April 2026)

Tier structure (Standard/Premium/Enterprise) and credit model (1 credit = 8 hrs); no list prices published, all contact-sales

Vendr - Cobalt marketplace (Accessed April 2026)

Estimated annual contract values $15k-$50k, credit pack data

G2 - Cobalt pricing (Accessed April 2026)

Customer-reported pricing estimates

HackerOne

HackerOne pentest product (Accessed April 2026)

Product structure only; no published prices (routes to contact sales)

Estimated annual programme pricing $15k-$50k

Vendr - HackerOne (Accessed April 2026)

Enterprise ACV data

Day rate benchmarks (all traditional vendors)

BSG cybersecurity day rates (Accessed April 2026)

Mid-market $1,500-$3,500/day; boutique $4,000-$7,000/day

Engagement cost ranges, day-rate data

Tier breakdowns, scope-to-cost ranges

PTaaS credit model

Cobalt - what is a credit? (Accessed April 2026)

1 credit = 8 hours of tester time

Vendr - Cobalt ACV data (Accessed April 2026)

Blended hourly equivalent ~$225/hr

Retest pricing

Vendr buyer guides (general) (Accessed April 2026)

15-30% retest add-on as standard negotiation outcome

Astra - pentest cost (Accessed April 2026)

Retest cost percentages

Engagement tier inclusions

Tier inclusion lists

Entry-tier scope definitions

Methodology depth by tier

Corrections

If you spot a pricing figure that is incorrect or has changed, please contact us. We update the site when vendor pricing changes and will credit corrections.