Independent research. Not affiliated with Cobalt, HackerOne, Bishop Fox, NCC Group, Trail of Bits, Synack, Bugcrowd, IOActive, or any other vendor named on this site. Prices change. Last verified April 2026.
pentestingcost.com

What’s Actually Included in a Pentest in 2026 (And What’s Not)

A professional pentest is not a vulnerability scan with a PDF wrapper. Here’s exactly what you should expect from a real engagement at each tier, and what you are explicitly not getting.

Standard Inclusions

Scope call + kick-off

Pre-engagement call to confirm targets, test windows, communication channels, and emergency contacts. Typically 30-60 minutes.

Reconnaissance

Passive and active information gathering: DNS enumeration, technology fingerprinting, open-source intelligence on the target application.

Vulnerability identification

Automated scanning supplemented with manual verification. All automated findings are manually validated before inclusion in the report.

Exploitation

The tester attempts to exploit identified vulnerabilities to confirm exploitability and assess impact. Exploitation is performed in a safe mode that avoids data loss or downtime.

Post-exploitation (if in scope)

Following a successful exploit, testers assess what an attacker could access from the compromised position. Often requires explicit scope agreement.

Reporting

Technical report with detailed findings, CVSS scores, reproduction steps, and remediation guidance, plus an executive summary for non-technical stakeholders.

Common Exclusions (Often Separate Engagements)

Social engineering

Phishing, vishing, pretexting. Usually a separate engagement or red team add-on.

Physical security testing

Badge cloning, tailgating, physical access. Separate engagement type.

DoS / stress testing

Availability testing usually excluded by default due to downtime risk.

Source code review

White-box code review is a separate service. A pentest is typically black-box or grey-box.

Red team engagement

Full adversary simulation with persistence, lateral movement, exfiltration. Separate service at $50k+.

Third-party systems

Payment gateways, third-party SaaS you don't control. Requires explicit scope addition and third-party authorization.

Deliverables Checklist

A professional pentest should deliver all of the following. If any are missing, ask before signing the SOW.

PDF report: executive summary + full technical findings
CVSS scores for each finding (v3.1 or v4.0)
Reproduction steps (enough to replicate without help)
Remediation guidance for each finding
Raw findings export (CSV/JSON for ticketing systems)
Retest letter / clean-bill-of-health after remediation
Attestation letter (for compliance use)
Findings walkthrough call with the testing team
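As an added example (not from the page's author or any vendor it names), the following Python script checks a raw findings export against the checklist above before it is imported into a ticketing system. The JSON field names and the sample findings are constructed assumptions; the severity bands are the CVSS qualitative rating scale.

```python
import json
# Qualitative severity bands shared by CVSS v3.1 and v4.0: (upper bound, label).
SEVERITY_BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
REQUIRED_FIELDS = ("id", "title", "cvss_version", "cvss_score", "reproduction_steps", "remediation")
ACCEPTED_CVSS_VERSIONS = ("3.1", "4.0")

def severity(score):
    """Map a CVSS base score to its qualitative rating."""
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"CVSS score out of range: {score}")

def finding_problems(finding):
    """Return the checklist violations for one finding (an empty list means it passes)."""
    problems = [f"missing field: {k}" for k in REQUIRED_FIELDS if k not in finding]
    if problems:
        return problems
    if str(finding["cvss_version"]) not in ACCEPTED_CVSS_VERSIONS:
        problems.append(f"unsupported CVSS version: {finding['cvss_version']}")
    score = finding["cvss_score"]
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 10.0:
        problems.append(f"invalid CVSS score: {score!r}")
    if not finding["reproduction_steps"]:
        problems.append("reproduction steps are empty")
    if not str(finding["remediation"]).strip():
        problems.append("remediation guidance is empty")
    return problems

def validate_export(json_text):
    """Split a raw findings export into ticket-ready findings and rejected ones with reasons."""
    accepted, rejected = [], {}
    for finding in json.loads(json_text):
        problems = finding_problems(finding)
        if problems:
            rejected[finding.get("id", "<no id>")] = problems
        else:
            accepted.append({**finding, "severity": severity(finding["cvss_score"])})
    return accepted, rejected

# Constructed sample export (assumed field names, not from any real report): one complete finding, two that fail.
SAMPLE_EXPORT = json.dumps([
    {"id": "F-1", "title": "IDOR on /api/invoices", "cvss_version": "3.1", "cvss_score": 8.8,
     "reproduction_steps": ["Log in as user A", "Fetch user B's invoice id"], "remediation": "Enforce object-level authorization on invoice lookups."},
    {"id": "F-2", "title": "Verbose error page", "cvss_version": "3.1", "cvss_score": 3.7,
     "reproduction_steps": ["Request a malformed id"], "remediation": ""},
    {"id": "F-3", "title": "Outdated TLS config", "cvss_version": "2.0", "cvss_score": 5.3,
     "reproduction_steps": [], "remediation": "Disable TLS 1.0/1.1."},
])
```

Findings that come back in `rejected` are the ones to send back to the testing team before the retest and attestation letters are accepted.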

Pentest vs Vulnerability Scan vs Bug Bounty vs Red Team

Type               | Manual work         | Exploitability confirmed | Cost range            | Compliance value
Vulnerability scan | No                  | No                       | $500-$3,000           | Low
Pentest            | Yes                 | Yes                      | $5,000-$200,000       | High (PCI, SOC 2, ISO)
Bug bounty         | Crowd-sourced       | Yes (per finding)        | $10,000-$500,000+/yr  | Supplementary
Red team           | Yes, full adversary | Yes + persistence        | $50,000-$300,000+     | High (mature programs)

For compliance-driven inclusions (PCI 11.3 pentest scope requirements, SOC 2 pen test section, ISO 27001 Annex A.12.6), see penetrationtestingcost.com.