pricing

How we price.

Penetration testing is not an hours-billed service. Two engineers can spend the same week on the same scope and find very different things. We price the scope and the depth, not the clock. Fixed price after a free 30-minute scoping call. No surprises mid-engagement, no time-and-materials top-ups.

01. how we think about price

Four principles that drive every quote.

No tier sheets, no hidden line items. The same logic applies whether the engagement is a single web app or a multi-month red-team operation.

  • 1 price for the engagement (fixed after scoping)
  • 3 business days to written quote
  • 1 retest window included per engagement
  • 0 add-on invoices after the SOW

Fixed price after scoping

You receive a single number, in writing, before the SOW is signed. No tiered options, no add-on menu. If the scope changes mid-engagement we say so before the price does: a short change order in writing, signed before any extra work starts.

Scope and depth drive the number

Two pentests with the same headline (“pentest a web app”) can differ by a factor of three or four. The driver is what you actually want tested and how deeply. The clock is our problem, not yours.

Aligned incentives

Hourly billing rewards slow testing. Every hour is more revenue. Fixed price rewards finding what matters fast, writing it up clearly, and moving on. The work compresses to the depth that's actually needed, not to the budget the contract allows.

One number, all-in

Retest, walkthrough call, scoping conversations, kickoff prep, and any out-of-scope criticals we trip over: all included in the fixed price. We don't unbundle and we don't invoice them later as “additional services”.

02. what changes the price

Five things that drive scope.

Every quote is the sum of these. Each one is a question we ask on the scoping call. The answers determine the number. There's no separate pricing matrix.

Scope: how much you want tested

A single web application is one price. A web app plus its API plus its mobile client plus its underlying cloud infrastructure is another. Each of these extends coverage: number of distinct services or applications, number of user roles or privilege boundaries, number of environments (production, staging, regional clusters), and whether the test reaches into infrastructure, network, AD, or cloud, or stays at the application layer.

Depth: how thoroughly each item is tested

Three default depth tiers. Black-box: no prior knowledge, tests what an external attacker would find from the outside in. Fastest and cheapest. Grey-box: limited credentials and architectural context, the default for most engagements. White-box: full source code, design docs, threat-model walkthrough, credentials for every role. Catches the most, costs the most, takes the longest.

Methodology requirement

Some engagements are scoped to a specific methodology because of an audit or compliance requirement. PTES, OWASP ASVS L1/L2/L3, NIST SP 800-115, and OSSTMM each prescribe coverage that can extend or compress the work. SOC 2 and ISO 27001 typically don't dictate methodology but require third-party-attested findings, which any of the above produce. Tell us if a specific methodology is required and we'll scope to it.

Reporting depth

Default reporting ships with every engagement: executive summary, structured findings with severity, working PoCs, remediation roadmap, retest report, walkthrough call. Some engagements need more: board-level summary deck, regulator submission package, supplier-attestation letter, or a redacted public version. These are scoped on the call and folded into the fixed price; no separate “reporting tier” to pick from.

Timeline pressure

Standard engagements run on the timeline that produces the best test (typically 2–8 weeks of testing depending on scope, plus a week of scoping before kickoff and a week of reporting after). If you need a clean test before a fixed audit window, a launch, or a diligence date, we adjust resourcing, typically pairing two senior testers to cover what one would otherwise do over twice the calendar time. Compressed timelines cost more for that reason.

03. engagement types

Four typical shapes.

Most quotes land in one of these. Each shape comes with a typical duration, a typical depth, and a typical deliverable bundle. Your engagement may sit between two, in which case we say so on the call and quote for the actual mix.

Single-application pentest

One web, mobile, or desktop application, with its API surface and the cloud resources it directly depends on. Authenticated and unauthenticated paths. Typical duration: 2–4 weeks of testing. Default depth: grey-box. Common drivers up: multiple user roles, complex business logic, methodology requirement (PTES or ASVS L2+), white-box source review. Common drivers down: small surface area, single user role, black-box only.

Full-stack pentest

An application plus its supporting infrastructure: APIs, mobile client, cloud architecture, identity provider, supporting services. Tests how findings chain across the stack, not just within one component. Typical duration: 4–6 weeks. Default depth: grey-box across the stack, sometimes white-box on the most critical surface. Common drivers up: multi-region deployments, complex IAM, third-party integrations.

Red team operation

Goal-based adversarial simulation. You pick the crown jewel; we attempt to reach it. Tests people, process, and tooling end-to-end, not just the perimeter. Includes detection-and-response evaluation and a purple-team debrief. Typical duration: 4–8 weeks. Default depth: black-box with limited internal knowledge. Common drivers up: physical-access component, social-engineering scope, multi-objective campaigns, named-actor emulation (APT-style).

Advisory retainer

Monthly retainer for product and engineering teams. Threat modeling, design reviews, incident triage, architecture review on demand. Answers the question before the breach makes it urgent. Billed monthly. Quantity and depth of work agreed in scoping. Common drivers up: SLA on incident response, named-engineer dedication, regulated-industry context. Common drivers down: async-only, single-team coverage.

04. what's included

Four things some firms charge for.

Part of every engagement at no separate cost. We don't unbundle them, we don't invoice them later, we don't hold them back as upsell leverage.

Retest after remediation

Every engagement includes one retest window after you ship fixes. We re-validate each finding, mark it closed or open in the report, and issue a clean retest report your auditor will accept as evidence of closure. The window is typically 4–8 weeks after final report; longer on request. No separate invoice.

Walkthrough call

A live debrief with your engineers and security leads at the end of the engagement. Q&A on every finding, walkthrough of PoCs in real time, prioritization discussion. Typically 60–90 minutes. Recorded for stakeholders who couldn't join. Included.

Kickoff and scoping

The 30-minute scoping call is free and does not require an NDA. The written scope and price you receive after that call also cost nothing: you pay only when the SOW is signed. Kickoff itself (rules of engagement, testing windows, blast-radius agreement, escalation paths) is part of the engagement, not a separate billable.

Findings discovered out of scope

If we trip over a critical or high-severity issue while testing the agreed scope, you get the finding. We don't withhold it for a follow-up SOW or hold it back as upsell leverage. We notify you the same day in writing if it's actively exploitable.

05. how a quote happens

From first call to signed SOW.

Four stages, usually within two weeks end to end. Faster on request if the timeline is tight.

30-minute scoping call

You describe what you want tested, why, and by when. We ask the questions needed to scope it: surfaces in scope, user roles, environments, methodology requirements, deliverable expectations, timeline constraints. No NDA needed for this call, no slides. Bring the answers from the scoping worksheet below if you have them; if not, we walk through the questions on the call.

Written scope and price within 3 business days

A short document with what's in scope, what's out, methodology, deliverables, timeline, payment terms, and a single fixed price. No tiered options, no add-on menu. The right scope at the right price for what you described. If something in the scope or price needs revision, one round of changes is normal; we update and re-send.

SOW signed

Standard SOW or your paper. NDA template available, or sign yours. Standard payment terms net-30; net-15 on request. Procurement-friendly: we've been through Coupa, Ariba, ServiceNow, Workday vendor onboarding before. Insurance certificates (cyber liability, professional liability) available on request, named-additional-insured on request.

Kickoff

Usually within 1–2 weeks of signature, faster on request. We agree rules of engagement, testing windows, blast radius, stop conditions, and escalation paths in writing before any traffic touches your systems. Single point of contact on each side, daily check-ins during testing, same-day disclosure on anything actively exploitable.

06. scoping worksheet

Six questions to answer before the call.

Optional but useful: having these answers ready cuts the scoping call from 45 minutes of discovery to 15 minutes of confirmation, and shortens the time to written quote.

What are you testing

Name the systems in scope: application URLs, API endpoints, network ranges, cloud accounts, mobile binaries. Distinguish production from staging. List the user roles or privilege boundaries to be assessed. If a system is out of scope but adjacent (a third-party SSO, a shared cloud tenant), name it explicitly.

Why now

Audit deadline, compliance window, post-incident review, pre-launch security signal, M&A diligence, customer requirement, annual cadence. The driver shapes the report format and the timeline. “Because we should” is also a valid answer.

Depth and methodology

Black-box, grey-box, or white-box (or “whatever makes sense, you tell us”). Methodology requirement if any (PTES, ASVS L2, NIST 800-115, OSSTMM). If there's no methodology requirement, default is grey-box aligned with PTES.

Timeline

Hard deadline (audit date, launch date, diligence date) vs. preferred timeline. Earliest acceptable kickoff date. Any blackout windows during testing (peak traffic, maintenance, holidays). Time zones for daily check-ins.

Reporting and audience

Who reads the report: engineering, security leadership, board, auditor, customer's security team. Required deliverable formats (PDF, Markdown, Jira CSV import). Anything beyond the default bundle (board-deck summary, regulator submission, supplier-attestation letter, redacted public version).

Constraints and stop conditions

What we cannot test (third-party systems we don't have authorization for, regulated data, production systems with no rollback). What triggers an immediate halt (downtime, customer impact, alert thresholds). Escalation contacts on your side, on-call hours, after-hours protocol.

07. pricing faq

Questions we get on every scoping call.

Five questions about price specifically. General engagement questions live on the main FAQ.

Why fixed price and not hourly?

Hourly billing rewards slow testing. Fixed price aligns the incentive with finding what matters fast and writing it up clearly. Most enterprise security buyers cannot reliably get a T&M engagement past their CFO in 2026 anyway.

What if you finish early?

The price doesn't change. If we finish early it means we used the budget efficiently, not that you owe less. The deliverables are what you paid for: report, working PoCs, walkthrough call, and retest.

What if the scope grows mid-engagement?

We say so before the price does. A short change order in writing, signed before any extra work starts. No surprises on the final invoice. If the scope grows by a small amount, we usually absorb it; if it's a meaningful expansion, we re-quote.

Do you discount for retainers or multi-engagement contracts?

Yes for advisory retainers; the monthly rate reflects committed availability. For multi-pentest contracts (e.g. quarterly tests over a year), we typically reduce per-engagement price in exchange for resourcing predictability. Worth asking on the scoping call.

Can you publish a price list?

No. Any firm that does is selling a commodity, not an engagement. The price for a senior-led pentest is determined by what you're testing, how deep, and to what methodology. Two web apps with the same headline can differ by 4× depending on user-role count, business-logic complexity, and the depth of the third-party dependencies. We publish how scope drives price (this page); the number itself comes after the scoping call.

Ready to scope?

Email with what you want tested and the rough timeline. We reply within one business day with proposed scoping-call slots.