Pentesting is an important part of modern cybersecurity. You hire a pentester or pentesting team to assess your application’s security and to attempt to hack your servers, networks, and applications to steal data – as part of proof that you do or not have vulnerabilities. These exercises can help you to identify critical vulnerabilities and resolve them before you’re hacked. And, that can save you considerably over the cost of a hack, which, in Europe, often exceeds €10,000 per breach. At the same time, pentest pricing can be a considerable part of how organizations plan and schedule their pentests. Your cybersecurity budget is obviously important – and figuring out how pentests are priced can help you when choosing which pentests to fit into your pentest cycle and when.
What Factors are Involved in Pentest Pricing?
Eventually the cost of your pentest will relate almost entirely to the number of work hours involved in your pentest. In the simplest terms, you’re normally being billed based on estimated hours of work – which might relate to the assessment, methodology, number of pentests, complexity of the system, or complexity of the pentest. At Cyver, we use a flat rate pentest pricing system based on estimates of man-hours involved – so you get more predictable pricing. And those costs are based on the following factors.
Size of Pentest – Time to pentest can vary significantly based on the size and volume of work to be completed. For example, we can pentest simple websites such as WordPress and other CMS builds. These take very little time as there are only so many possible access points and only so many vulnerabilities. A web application, a multi-website system, or an enterprise application would each require significantly more time and would therefore cost more for us to pentest.
Manual Work – All pentesters use some level of automated testing to assess normal and predicted vulnerabilities. These allow the pentester to save time on routine checks, freeing that time up for manual assessment. The more manual assessment you add on, the more expensive the pentest will be. For most organizations, that normally means using heavy manual pentests for key points – such as after major application updates or doing a one-per-year audit assessment. You can then follow up with automation-heavy pentesting to save on costs through the rest of the year – while still catching the most obvious or easily findable vulnerabilities. Of course, we don’t offer fully automated scans. However, our most basic pentest is about 50% manual pentesting and the other half is backed up by tools which scan for issues – that we then confirm and follow up on manually.
Compliance Needs – Your compliance needs affect the scope, the depth of work, and the pentest report. That means requesting a pentest for compliance needs will always result in more costs – especially with traditional pentest delivery models – because the report can take as much as half the time of the pentest – although it’s usually closer to 20-40%. At Cyver, we use automation to reduce the time we spend on those reports – so you get a better report without paying us to spend 8-16 hours on it. That helps us to keep pricing lower, even when we build reports for specific compliance frameworks to meet audit needs.
Other factors might also affect the cost of your pentest. For example, if you need on-site testing, you’ll have to pay for additional hours, travel time, and travel costs. Cyver offers free retesting for the first 30 days following the pentest – however, if you need further retesting afterwards, that will cost extra as well.
At the same time, we strive to provide clear and transparent pentest pricing. That’s why we use a flat-rate system with credits, so you do pentest budgeting upfront, get discounts if you need more work, and so you always know what you’re spending on your pentest before agreeing to it.
If you want to learn more, you can check our pricing page here. Or, contact us for a demo and a specific quote designed around your assets, scope, and compliance needs.