How much does penetration testing cost per hour?

Penetration testing, also known as pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be conducted manually, with automated tools and techniques, or (most commonly) with a combination of both.

The costs of penetration testing services vary significantly depending on many factors. Some key considerations that impact penetration testing pricing include:

Type of Testing

There are several different types of penetration tests that focus on different aspects of an organization’s security posture. More extensive tests that cover more ground tend to be more expensive. Some of the main types of pen tests include:

  • Network penetration testing – Targets weaknesses in network infrastructure devices like firewalls, routers, switches etc.
  • Web application penetration testing – Targets vulnerabilities in web apps and APIs.
  • Mobile app penetration testing – Targets mobile apps on platforms like iOS and Android.
  • Social engineering – Tests weaknesses against phishing, vishing, smishing (SMS phishing), USB drops and other social engineering attack vectors.
  • Wireless penetration testing – Targets Wi-Fi networks and the devices connected to them.
  • Physical penetration testing – Attempts to gain physical access to facilities to test physical security controls.

Tests that cover multiple types of assessments generally cost more than single focused tests. For example, a test covering network, web app and social engineering would be more expensive than just a network pen test.

Scope of Testing

The scope and size of what’s included in the penetration test also impacts cost. Testing a single web application will be less expensive than testing an organization’s entire digital footprint across all public facing apps, networks, cloud environments etc. Some key scoping factors include:

  • Number of IP addresses/domains/web apps tested
  • Whether external-facing, internal or both sides of infrastructure are tested
  • For web apps, the size and complexity of the app
  • For networks, number of subnets, network segments, VLANs etc.
  • Whether production, development, QA and staging environments are included
  • Whether cloud infrastructure is included
  • Amount of social engineering testing

The more that’s included, the more thorough the test – and the higher the cost. Clearly defining the scope and objectives up front is key.

Duration of Testing

Penetration tests can range from quick one-day “point in time” tests to more thorough assessments conducted over multiple weeks or months. The longer the engagement, the more coverage it achieves and the more vulnerabilities it can discover – and the higher the cost.

Test Frequency

Organizations that conduct penetration testing on an ongoing basis through monthly, quarterly or annual subscriptions can realize some cost savings compared to one-off, ad-hoc tests. When scoping ongoing tests, the initial round is generally more expensive as the pen tester must get familiar with the environment. Subsequent tests focus on changes since the last round, reducing time and costs.

Tester Skill and Experience

The skills and experience level of the penetration tester (or team of testers) also impacts costs. Seasoned testers with cybersecurity certifications like Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), Certified Ethical Hacker (CEH) and others tend to command higher rates. Navigating complex environments and discovering hard-to-identify vulnerabilities requires strong hands-on skills.

Location

Costs vary based on where in the world the penetration testing company is located and does business. In general, services delivered from lower cost regions like India and Eastern Europe will be more competitively priced compared to the US, Western Europe, UK, Canada, Australia etc.

Reporting

The deliverables provided by the pen testing team also impact costs. More detailed reports that not only identify vulnerabilities but provide remediation guidance, risk severity ratings, impact analysis and executive summaries warrant higher costs.

Company Size

Large enterprise organizations with vast environments require more time, testing and resources compared to SMBs, driving prices up. However, larger companies may also receive volume discounts when purchasing ongoing retainer contracts for pen testing services.

Industry

Some highly regulated industries like financial services and healthcare demand more rigorous, extensive security testing, which leads to increased costs. Compliance with industry regulations like HIPAA (healthcare security and privacy), PCI DSS (payment card security) and the Gramm-Leach-Bliley Act (GLBA, financial data protection) shapes testing requirements and pricing. PCI DSS is the most prescriptive of these: it explicitly requires internal and external penetration testing at least annually and after significant changes, following a defined methodology and with retesting of corrected findings, so a PCI-driven scope tends to be larger than a generic assessment.

Offensive Security Certified Professional (OSCP) Penetration Tester Hourly Rates

The Offensive Security Certified Professional (OSCP) certification is one of the most well-respected and sought-after qualifications in penetration testing. Here are typical hourly rates charged by OSCP certified pen testers based on experience level:

OSCP experience level   Hourly rate range
0-2 years               $50 – $150
2-5 years               $100 – $200
5-10 years              $150 – $250
10+ years               $200 – $300+

As shown above, OSCP certified testers with over 10 years' experience often charge $200 – $300+ per hour. At large, reputable penetration testing firms, senior level OSCP testers can charge up to $500 per hour when engaging with Fortune 500 clients and highly complex testing scopes.

Average Penetration Tester Hourly Rates

Here are typical hourly rates charged across penetration testers with varying certifications and experience levels:

Experience level                        Hourly rate range
Entry-level / Associate (0-2 years)     $50 – $100
Mid-level / Specialist (2-5 years)      $100 – $150
Senior-level / Expert (5+ years)        $150 – $250+

As shown above, at the senior and expert levels, penetration testing consultants often charge between $150 – $250 per hour. However, these rates can go significantly higher at elite boutique cybersecurity firms, especially when working with large enterprise clients.

Factors That Increase Penetration Testing Costs Per Hour

Here are some of the main factors that can drive up penetration testing hourly rates:

  • Highly experienced tester or team
  • Prestigious certifications like OSCP, CISSP, CEH, GWAPT, GPEN, etc.
  • Big name, reputable penetration testing firm
  • Engaging with large enterprise clients
  • Testing complex, sizable environments
  • Testing heavily regulated industry like finance or healthcare
  • Testing cutting-edge technology like IoT, blockchain, etc.
  • Testing mission-critical systems/applications
  • Requiring deep technical reporting and guidance
  • Requiring exploits/proof-of-concepts for found vulnerabilities

Factors That Decrease Penetration Testing Costs Per Hour

Here are some factors that can lower the hourly rates for pen testing services:

  • Junior or mid-level tester
  • Offshore or nearshore tester based in lower cost region
  • Testing smaller scope and duration
  • Testing non-critical systems
  • Basic reporting requirements
  • Small or mid-size business client
  • Testing less regulated industry like retail, media, etc.

How to Estimate Total Penetration Testing Costs

The overall cost of a penetration test is determined by:

Hourly rate × Total hours = Overall cost (summed across testers when a team bills at different rates)

To estimate the total cost, develop assumptions around:

  • Scope of testing and environments included
  • Types of testing to be performed (network, web, social engineering etc.)
  • The duration of testing
  • The billing rate per tester(s)
  • The number of testers required
  • The approximate number of hours for the test based on scope, duration and resources required

Factor in additional costs like travel expenses for onsite testing, and add contingency for fuzziness in the initial scoping and effort estimates.
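As an added example (not part of the original article), the estimating procedure above as a small Python script. The rate bands are taken from the average-rate table earlier on the page; the scope components, hour counts, 15% contingency and travel figure are constructed assumptions for illustration, not quoted prices from any firm.

```python
"""Worked penetration-test cost estimate.

Added example, not from the article. Rate bands come from the page's
'Average Penetration Tester Hourly Rates' table; the scope, hours,
travel and contingency figures are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# USD per hour (low, high), from the article's average-rate table.
RATE_BANDS: Dict[str, Tuple[float, float]] = {
    "entry": (50.0, 100.0),
    "mid": (100.0, 150.0),
    "senior": (150.0, 250.0),
}


@dataclass(frozen=True)
class WorkItem:
    """One scoped component: what is tested, by whom, and for how long."""
    name: str
    tester_level: str   # key into RATE_BANDS
    testers: int        # how many testers at that level
    hours_each: float   # estimated hours per tester for this component


@dataclass(frozen=True)
class Estimate:
    labor_low: float
    labor_high: float
    travel: float
    contingency_pct: float

    @property
    def total_low(self) -> float:
        # Contingency covers effort uncertainty, so it applies to labor only.
        return round(self.labor_low * (1 + self.contingency_pct) + self.travel, 2)

    @property
    def total_high(self) -> float:
        return round(self.labor_high * (1 + self.contingency_pct) + self.travel, 2)


def estimate(items: Iterable[WorkItem], travel: float = 0.0,
             contingency_pct: float = 0.15) -> Estimate:
    """Sum hours x rate per component, then add travel and contingency."""
    low = high = 0.0
    for item in items:
        if item.tester_level not in RATE_BANDS:
            raise ValueError(f"unknown tester level: {item.tester_level!r}")
        lo_rate, hi_rate = RATE_BANDS[item.tester_level]
        hours = item.testers * item.hours_each
        low += hours * lo_rate
        high += hours * hi_rate
    return Estimate(low, high, travel, contingency_pct)


def sample_scope() -> Tuple[WorkItem, ...]:
    """Constructed scope: a mid-size external test (assumed figures)."""
    return (
        WorkItem("External network, 64 IPs", "senior", 1, 24),
        WorkItem("Customer web app and API", "senior", 1, 40),
        WorkItem("Customer web app and API", "mid", 1, 40),
        WorkItem("Phishing campaign", "mid", 1, 16),
        WorkItem("Reporting and readout", "senior", 1, 16),
    )


if __name__ == "__main__":
    est = estimate(sample_scope())          # remote engagement, no travel
    print(f"labor ${est.labor_low:,.0f} - ${est.labor_high:,.0f}")
    print(f"total ${est.total_low:,.0f} - ${est.total_high:,.0f} incl. 15% contingency")
```

Reporting is listed as its own work item because it is real billable effort that is easy to forget when multiplying rate by "testing" hours; the same goes for any retest of remediated findings. Because the rate bands give a low and a high figure, the function returns a range rather than a single number, which is the honest shape of an estimate made before vendors have quoted.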

Tactics to Reduce Penetration Testing Costs

Here are some tips to help minimize penetration testing costs without sacrificing quality:

  • Clearly define scope and objectives upfront to prevent scope creep
  • Leverage remote testing rather than onsite to avoid travel costs
  • Consider offshore or nearshore testing resources at lower hourly rates
  • For web apps, provide testers a dedicated staging environment that mirrors production, so testing need not be throttled to protect live users (findings only carry over if the environments genuinely match)
  • Limit testing to critical systems and key infrastructure to reduce test size
  • Re-use and optimize previous test results where possible to avoid reinventing the wheel each round
  • Consider spreading testing over multiple months to smooth resource requirements
  • Build testing into development lifecycles for continuous evaluation at lower overhead
  • Utilize in-house resources to supplement external testing if available
  • Ensure testing is meeting its ROI objectives and providing actionable results

Conclusion

Penetration testing hourly rates vary significantly based on the experience level of testers, the scope and complexity of the engagement, the type of testing performed and the overall project requirements. At the high end, highly seasoned penetration testers can charge $200 – $500+ per hour when working with large enterprise clients. More standard rates for mid-level and senior testers typically fall in the $100 – $250 per hour range. Costs can be controlled through thoughtful scoping, staffing mix, geographic sourcing and project planning.