How much does a pentest cost? $4,000 to $50,000 depending on scope. (April 2026)
Public vendor pricing, fixed-price packages, and a scope estimator that maps your application to a realistic band — without a sales call.
2 vendors with public pricing (Cobalt, HackerOne) • $5k floor: Cobalt entry • $50k ceiling: HackerOne annual packs • Updated April 2026
8-Vendor Pricing Matrix (April 2026)
Last verified April 2026.
The only neutral page showing Cobalt vs HackerOne vs Bishop Fox vs NCC vs Trail of Bits in one place with cited sources. “Contact sales” stated honestly when no public pricing exists.
What you actually get at $5k, $10k, $20k, and $50k
Buyers ask this exact question and get scattered answers across vendor blogs. One page, four columns.
| Tier | $5k | $10k | $20k | $50k |
|---|---|---|---|---|
| Scope | 1 small web app, ~10 endpoints | 1 mid-size app or API set, ~30 endpoints | Web + API + light cloud, 50-100 endpoints | Multi-app / cloud / mobile, 100+ endpoints |
| Method | OWASP Top 10, light manual | Full OWASP + auth bypass | Business-logic depth, attack chains | Chained exploits, custom methodology |
| Report | Summary report | Technical + exec report | Full report + walkthrough | Executive brief + full technical + walkthrough |
| Retest | Basic, 30-day window | Included, 60-day window | Included, 90-day window | Multiple retests, extended window |
| Vendors | Cobalt credit pack / Astra | Mid-market consultancy | BSG / Bright Defense / Cobalt PTaaS | Bishop Fox / NCC / Trail of Bits |
Day-Rate Reference (2026)
Day-rate data sourced from BSG, Deepstrike, and Astra. PTaaS blended rate calculated from Cobalt credit pricing.
| Category | Hourly rate | Day rate | Source |
|---|---|---|---|
| Independent contractor | $150-$250 | $1,200-$2,000 | Astra, Software Secured |
| Mid-market consultancy | $200-$350 | $1,500-$3,500 | BSG, Deepstrike |
| Senior boutique / Big-4 | $350-$500 | $4,000-$7,000 | BSG, Bright Defense |
| PTaaS blended (Cobalt) | $200-$280 | ~$1,800/credit | Cobalt.io, Vendr |
PTaaS vs Traditional: 4-Question Filter
Answer the first question that matches your situation.
- Traditional SOW. One engagement, retest included, sign off.
- PTaaS. Credits consumed as you ship, always current coverage.
- Traditional with retest. Need a clean report with methodology attestation.
- PTaaS hybrid. Cobalt, Synack, or Bugcrowd extends your existing program.
6 Cost Drivers That Move the Quote
Know these before you talk to a vendor. Each one maps to a multiplier in the scope estimator.
- A network pentest takes roughly 2x the time of a web app of similar size. Mobile adds platform complexity.
- Sub-linear scaling: 100 endpoints takes ~2.5x the time of 10, not 10x.
- Multi-tenant RBAC and SSO flows require separate test accounts and elevated privileges.
- Each third-party integration is additional attack surface that needs manual review.
- PCI/HIPAA data requires compliance attestation rigor, adding methodology time.
- A start in under 2 weeks carries a scheduling premium. Most vendors are 2-4 weeks out.
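A minimal scope estimator built from the six drivers above, added here as an illustration rather than the page's own estimator. The only figures taken from the page are the 2x network factor, the 100-vs-10-endpoint scaling, the four budget columns and the mid-market day-rate band; every other multiplier and the base effort are assumptions.

```python
import math

# Figures taken from the page: 100 endpoints takes ~2.5x the time of 10
# (a power law with exponent log10(2.5) ~ 0.40), and a network pentest takes
# about 2x a web app of similar size.
ENDPOINT_EXPONENT = math.log10(2.5)
ASSET_TYPE = {"web": 1.0, "api": 1.0, "network": 2.0, "mobile": 1.5}  # mobile value assumed

# Every multiplier below is an assumption for illustration; the page names the
# driver but gives no number for it.
AUTH_COMPLEXITY = {"none": 1.0, "single_role": 1.1, "multi_tenant_rbac_sso": 1.4}
PER_INTEGRATION = 0.10   # +10% effort per third-party integration
COMPLIANCE_DATA = 1.25   # PCI/HIPAA attestation rigor
RUSH_START = 1.20        # start in under 2 weeks
BASE_DAYS = 2.0          # assumed tester-days for a 10-endpoint web app, no extras

# Budget bands from the page's $5k / $10k / $20k / $50k columns.
BANDS = [(5_000, "$5k"), (10_000, "$10k"), (20_000, "$20k"), (50_000, "$50k")]


def effort_days(endpoints, asset="web", auth="none", integrations=0,
                regulated=False, rush=False):
    """Estimate tester-days; effort scales sub-linearly with endpoint count."""
    if endpoints < 1:
        raise ValueError("endpoints must be >= 1")
    days = BASE_DAYS * (endpoints / 10) ** ENDPOINT_EXPONENT
    days *= ASSET_TYPE[asset] * AUTH_COMPLEXITY[auth]
    days *= 1 + PER_INTEGRATION * integrations
    if regulated:
        days *= COMPLIANCE_DATA
    if rush:
        days *= RUSH_START
    return days


def budget_band(cost):
    """Map a cost to the lowest page band that covers it."""
    for ceiling, label in BANDS:
        if cost <= ceiling:
            return label
    return "enterprise ($50k+)"


def estimate(day_rate=2_500, **scope):
    """Day rate defaults to the middle of the page's mid-market band ($1,500-$3,500/day)."""
    days = effort_days(**scope)
    cost = days * day_rate
    return {"days": round(days, 1), "cost": round(cost), "band": budget_band(cost)}


if __name__ == "__main__":
    print(estimate(endpoints=10))                              # the $5k column
    print(estimate(endpoints=100, auth="multi_tenant_rbac_sso",
                   integrations=3, regulated=True))            # lands in the $50k band
```

Swap in your own day rate from the reference table and your own multipliers once a vendor quote gives you real numbers; the structure (power-law endpoint scaling times independent driver factors) is the useful part.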
Why are you getting a pentest?
The answer determines which site helps you most and which vendor profile fits.
You need a pentest report to send to a customer or enterprise prospect. Start with the engagement tiers page to match your budget to what they'll accept.
See engagement tiers →
You need a pentest that satisfies a compliance framework. The methodology and frequency requirements are covered on our sister site.
Visit penetrationtestingcost.com →
You're shipping continuously and want ongoing coverage. PTaaS is almost certainly the right model over traditional SOW engagements.
PTaaS vs traditional →
Common Questions
How much does a pentest cost in 2026?
A pentest costs between $4,000 and $50,000 for most web application and API engagements. Cobalt PTaaS starts at approximately $2,500/month. HackerOne assessment products run $15,000-$50,000 annually. Bishop Fox boutique engagements start at $25,000. Enterprise red-team engagements (Trail of Bits, IOActive) reach $100,000-$200,000+.
Can I negotiate pentest pricing?
Yes. Multi-year commits unlock 20-30% off list pricing. Volume credit packs unlock 15-25%. Competing quotes from Cobalt, HackerOne, and Synack unlock 10-20%. Vendr and Spendflo buyer guides confirm these ranges as standard negotiation outcomes for PTaaS vendors.
What is the difference between a pentest and a vulnerability scan?
A scan is automated and finds known CVEs. A pentest is manual and finds business-logic flaws, authentication bypasses, and chained exploits. Anything labelled 'pentest' under $3,000 is almost certainly the former. Real pentests involve human testers who reason about your specific architecture.
How often should you do a pentest?
Annually at minimum for compliance (PCI 11.3, SOC 2, ISO 27001). After major releases or significant infrastructure changes. Continuously if you're a high-threat-profile company (fintech, healthtech, defence). For compliance-specific frequency guidance, see penetrationtestingcost.com.