Skeleton from Sancto CS. Full breakdown with sample SOW and report excerpts coming soon.
What you're actually paying for
A pentest is two things: senior time (someone who has spent a decade breaking things) and a report (something your customer or auditor can read). Tools are roughly 5% of the cost. Most of the bill is the human hours and the writing.
Tier 1: Web app pentest · $5k–$15k
1 application, 1–2 weeks of testing, automated + manual. OWASP Top 10 + business-logic flaws, tested as an authenticated user (give them accounts for each role, otherwise you're paying for a scan of the login page). Suitable for: most SaaS startups that need a checkmark.
- Typical: 40–80 hours of work
- Deliverable: PDF report with executive summary, findings, severity, remediation
- Retest after fixes: usually included or +$2k
Tier 2: Cloud + API pentest · $15k–$35k
Web app + AWS/GCP infrastructure + APIs. 2–4 weeks. Suitable for: companies past Series A, handling sensitive data, going through SOC 2 Type II.
- Adds: IAM review, cloud storage misconfigurations (S3/GCS bucket policies, public access), network segmentation, API auth edge cases (object-level authorization, token scope and lifetime)
- Deliverable: full report + remediation calls with engineering
Tier 3: Red team / full assessment · $35k–$120k+
Multi-week, multi-vector. Tries to actually breach you by any means the signed rules of engagement permit (which is what keeps it on the right side of the law), not just the application: social engineering, physical entry (if applicable), the full network. Suitable for: regulated industries, post-IPO companies, anyone selling to enterprise, and anyone who has been breached recently.
- Typical: 4–8 weeks
- Deliverable: report + executive briefing + tabletop exercise
What to skip when budget is tight
- "Continuous pentest" subscriptions ($2k+/mo). Usually 80% automated scanning rebranded. Get a real annual pentest plus SCA/SAST in CI (Snyk, GitHub Advanced Security) instead: the scanners cover known-vulnerable dependencies and code patterns, the humans cover the logic.
- White-glove "compliance pentest" for SOC 2 Type I. SOC 2 does not mandate a pentest, and for a Type I (a point-in-time review of control design) the auditor often accepts a vulnerability scan you ran yourself plus your normal SDLC controls.
- Mobile pentest if you're 100% web — wait until you actually ship the mobile app.
Red flags in pentest pricing
- Quote over the phone, no scoping call → they don't know what they're testing
- Fixed price under $3k for any real work → automated only, basically a scan
- No retest in the SOW → fixes won't be validated
- Juniors you've never heard of doing the work → ask who's actually on the engagement before signing, and get the names in the SOW
The right pentest finds something you're glad you fixed. The wrong one finds nothing because the testers never logged in past the homepage.