
How Much Does a Penetration Test Cost? A Realistic Breakdown

How much does a penetration test cost? It is the question every company asks before requesting an assessment. The honest answer is it depends - but not in the vague sales sense. It depends on specific and quantifiable factors, and understanding them helps you evaluate whether a quote is reasonable or whether you are about to pay too much (or too little, which is worse).

The factors that determine cost

Scope (breadth): a pentest of a single web application costs less than one covering an entire network infrastructure with 200 hosts.
Depth (level of access): a black-box test (no prior information) needs more time, most of it spent on reconnaissance, than a grey-box test where credentials and some documentation are provided up front.
Complexity: an application with multi-role authentication, APIs and external integrations requires more work than a brochure site, because every role, endpoint and integration is another surface to test.
Compliance: if the report must satisfy specific requirements (PCI DSS, ISO 27001), the format, evidence and level of detail change, and so does the time spent on documentation.

Realistic price ranges in 2025-2026

For the Italian market, the ranges I regularly see are:
Web application pentest (single app): 3,000-8,000 euros.
Network pentest (medium infrastructure, 50-200 hosts): 5,000-15,000 euros.
Full pentest (web + network + social engineering): 10,000-30,000 euros.
Red team engagement (advanced multi-vector simulation): 20,000-50,000+ euros.
If someone offers you a "complete pentest" for 1,000 euros, you are buying an automated scan with a generated report, not a penetration test.

The cost reflects the time of a qualified professional. A serious web application pentest takes 5-10 days of manual work: reconnaissance, mapping the attack surface, testing every feature and every role, exploitation attempts, and detailed documentation with proof-of-concept evidence and remediation guidance. Most of that is not automatable. A scanner matches known patterns; the added value of a human tester lies in lateral thinking and in chaining individually low-severity findings (an information leak here, a weak authorization check there) into a critical attack scenario that no single finding would reveal.

My advice: do not choose on price alone. Ask who will actually perform the test and for their CVs, for sanitized sample reports, for the methodology followed (OWASP Testing Guide, PTES, OSSTMM), and for what the quote includes as a re-test of remediated findings. A good pentest is an investment in your company's security, not an expense to minimize.

Need an expert opinion?

If you want to dive deeper into this topic or need specialized consulting, let's talk.