June 1, 2026

Quick answer: typical price ranges

The cost of a penetration test varies depending on what needs to be tested and how complex the environment is. Here are some approximate price ranges:

  • Simpler web application: SEK 30,000–60,000
  • Standard scope (web app, API or internal environment of medium complexity): SEK 60,000–150,000
  • Extensive infrastructure or red team exercise: SEK 150,000–500,000+

The exact price is always set based on a defined scope — it is the only way to give a price that accurately reflects what the test requires. Use our price calculator for an initial estimate, or request a quote and we will get back to you with a concrete cost.

What are you actually paying for?

Roughly 90 percent of the cost of a penetration test is time. Time for an experienced tester to methodically go through your systems, test logic, chain vulnerabilities and think like an attacker.

That is what separates a penetration test from an automated vulnerability scan. A scan runs a script and gives you a list. A penetration test requires a human to actively try to get in, and that cannot be rushed.

The rest of the price covers tools and licenses, report writing and a debrief with you after delivery. The report is a concrete document your developers and IT team can use directly. It describes every finding with technical detail, risk level and actionable remediation steps, which takes time to write properly.

In short: you are paying for expertise, time and a report that holds up.

Factors that affect the price

The price is influenced by a number of variables. Here are the most important ones:

  • Scope — number of assets to be tested: More endpoints, more code, more servers. A web application with ten features takes less time than one with a hundred. This is the single most important factor.
  • Test type — black box, grey box or white box: Black box testing, where the tester has no access to source code or internal documentation, requires more time for reconnaissance and is therefore more expensive. Grey box, where the tester has limited information, is the most common approach and tends to give the best balance between depth and cost. White box gives the tester full access and is best suited for code review and secure development projects.
  • Complexity: A simple single-page application costs less than a complex microservice architecture with many interdependencies. The same applies to networks — a flat office network is different from a segmented environment with Active Directory, VPN and cloud services.
  • Whether exploitation is included: Identifying a vulnerability is one thing. Actually exploiting it and showing how far an attacker could go is another, and it requires more time.
  • Report format and depth: A shorter executive summary costs less to produce than a full technical report tailored for a security team.
  • Retest after remediation: If you want Cyloq to verify that you have actually addressed the findings, this incurs an additional cost. See more under frequently asked questions.

Price calculator — estimate the cost yourself

Want a price estimate without booking a meeting? Our price calculator gives you a ballpark based on what needs to be tested, test type and approximate complexity.

The calculator is not a binding quote, but it gives you a realistic picture of what to budget for. If scope is unclear — for example if you are unsure of the actual size of your environment — we are happy to help define it in a scoping meeting.

Try the calculator here.

Fixed prices or hourly billing?

Cyloq works with fixed prices based on a defined scope. There is a reason for that.

Hourly models put the risk on the client. If the test takes longer than expected, because the environment turned out to be more complex, or because the tester found a thread worth following, you end up paying more than you budgeted for. That creates uncertainty and makes planning difficult.

With a fixed price, you know exactly what the test costs before it starts. If the test turns out to require more time than planned, that is our problem to manage, not yours. If the scope needs to be expanded, we discuss it with you in advance.

This requires scope to be well defined from the start, which is exactly why we always begin with a scoping meeting. Think of it as a technical meeting to make sure you are paying for the right thing.

Cheapest is not always best

There are vendors offering penetration tests for SEK 10,000–15,000. In most cases, that is an automated scan with a thin report on the side.

That is not a real penetration test. A scan finds known vulnerabilities in known versions of known software. What it does not find are logic flaws, broken access controls, chained attacks or the types of weaknesses that are actually used in real breaches.

Paying for a test that does not find what matters is not a cheap option; it is no security at all.

A few things to check before choosing a vendor:

  • Certifications. OSCP is the industry standard for offensive security testing. Ask which certifications the testers hold.
  • References. Request contact details for previous clients in a similar industry or environment.
  • Sample report. Ask for an anonymized example of a previous report. A good report is concrete, technical and actually actionable. A poor report is a list of CVSS scores without context.

Take action

Use the price calculator or request a quote

Know roughly what needs to be tested? Use the calculator for an initial ballpark.

If scope is unclear, or you would rather talk it through with someone, book a scoping meeting — it is free, takes 30 minutes and gives you a concrete price proposal.


Frequently asked questions

What is included in the price?

Cyloq's price includes scoping, conducting the test, a report with all findings and remediation recommendations, a debrief after delivery and brief email support following the test. Retesting to verify remediation is ordered separately.

Is there room to negotiate?

Penetration test prices are difficult to negotiate because they reflect actual time spent. What can be negotiated is scope. We are happy to help scale down the engagement to fit a given budget without compromising test quality.

Is it more expensive to test a cloud environment?

It depends on the complexity of the cloud environment. A straightforward Azure environment costs roughly the same as a web application of comparable size. A complex multi-cloud environment with many services and integrations is more expensive to test because more assets need to be reviewed.

Is retesting included in the price?

No, retesting after remediation is ordered separately, but is significantly cheaper than the original test since the scope is smaller. A typical cost is 20–30 percent of the original. We always recommend retesting for critical findings.

Do I get a discount for multiple tests?

Yes, we offer framework agreements for organizations that need recurring tests. Framework agreements provide predictable pricing, priority scheduling and in most cases 10–15 percent lower cost per test. Contact us to discuss an arrangement.