As unhelpful as the answer “it depends” is, it is the best answer when providing a summary of what penetration testing can cost. The cost is strongly influenced by several factors, which will be explored below. For that reason, penetration testing can cost anywhere from a few thousand dollars to hundreds of thousands of dollars. The current average cost sits between 10,000 and 30,000 USD from reputable companies.
Location of the Test
The question to ask here is where the test will be performed: on-site or remotely. With advances in remote access technologies, penetration tests can be performed remotely. On-site tests typically cost more, so ask which option suits you best when a provider guides you through the cost of a penetration test, which usually ranges from $5K to $40K+.
Size and Complexity
The size of the organization and the complexity of its digital infrastructure will impact the price of a penetration test. This is a safe assumption to make when looking at such a critical security service. When the size of the organization is considered, security firms will look at how many employees the company has and how many devices connect to the network, as well as the makeup of the network.
Complexity is determined by the number of assets the penetration tester needs to test. If there are mobile apps, cloud infrastructure, on-site infrastructure, a variety of devices, and multiple networks, the complexity will be considered high, demanding a higher price for the testing. The more complex the infrastructure, the higher the potential need to conduct regular penetration tests.
Scope and Methodology
The scope of the test can be closely related to complexity in a variety of ways. However, you should be the one determining the scope of the test, as costs can quickly get out of hand. This is especially true for organizations with high complexity. It is all too easy for the tester to dedicate a lot of time and resources to something you may feel is outside the test's scope.
The methodology of the tester is the set of tools and tactics they believe a hacker would employ to compromise the network. If it’s the first penetration test you are doing, it may be better to ask for a slower, more comprehensive methodology to be applied rather than tools designed for speed.
The factors above are certainly some of the most important influences on cost, but other factors, such as whether remediation is to take place and how it takes place, should also be considered. It is hoped that this article sheds some light on why the best answer to the actual cost of a penetration test is “it depends.”