"What does a penetration test cost?" is the most common question in our first conversations — and the most unsatisfying one when the answer is "it depends." This article provides concrete figures for 2026, structured by pentest type and mid-market scenario. You will learn what drives the price, which hidden costs lurk in proposals, and what a realistic budget looks like for your situation. The broader context around cybersecurity strategy, compliance, and provider selection is covered in our Cybersecurity Pillar for the Mid-Market.
A framing note upfront: all prices mentioned here are market averages for DACH-region providers with certified staff, professional liability insurance, and PTES- or OSSTMM-compliant methodology. Significantly cheaper offers are generally automated vulnerability scans with a cosmetic report — a fundamentally different product. Significantly more expensive offers usually justify the premium with specialist expertise (e.g., SCADA, medical devices, high-assurance certifications).
Price Spectrum at a Glance
| Pentest Type | Typical Price | Effort |
|---|---|---|
| Web Application Pentest | €6,000 – €25,000 | 5–15 person-days |
| API Pentest (REST/GraphQL) | €4,000 – €12,000 | 3–10 person-days |
| Mobile App Pentest (iOS+Android) | €8,000 – €18,000 | 6–12 person-days |
| External Infrastructure | €3,000 – €15,000 | 2–8 person-days |
| Internal Infrastructure | €8,000 – €30,000 | 5–15 person-days |
| Active Directory Audit | €8,000 – €20,000 | 5–12 person-days |
| Cloud Audit (AWS/Azure/GCP) | €6,000 – €18,000 | 4–10 person-days |
| Red Team Engagement | €25,000 – €80,000 | 4–8 weeks |
| Continuous Validation (monthly) | €1,500 – €5,000/mo | ongoing |
What Drives the Price?
Six factors determine the actual price. Understanding them lets you compare proposals more effectively and identify room for negotiation.
Scope size and complexity. By far the most important variable. An application with 30 features, three roles, and one database can be audited in five person-days. The same application with multi-tenant architecture, six roles, OAuth SSO, and a microservices back end needs twelve to fifteen days — at the same audit depth.
Test depth. A black-box test without credentials reaches less than a grey-box test with standard user accounts. A full white-box audit with source code review covers even more. Each level roughly doubles the value — and the price.
Methodology requirements. Standard methodology (PTES, OWASP) is included in the base price. Specific compliance frameworks such as PCI-DSS, BSI IT-Grundschutz, or industry-specific standards (TISAX for automotive, MDR for medical devices) increase documentation and evidence effort by 30 to 60 percent.
Reporting depth. A standard report with an executive summary, findings catalogue, and remediation recommendations is the market baseline. Extended options include detailed reproduction guides for developers, compliance mapping tables for auditors, a closing presentation for management or supervisory boards, and multilingual versions — each of these adds €500 to €3,000.
Tester experience. Junior auditors holding OSCP work at around €800 per day; senior auditors with OSCE or OSEP charge €1,200 to €1,800 per day. Specialists in AD, ICS/OT, or cloud depth can command €2,000 or more per day. Senior level is sufficient for standard web-app tests; for specialised audits the senior premium pays for itself.
Time pressure. A pentest starting in four weeks runs at standard rates. An engagement starting "next week" — because a client suddenly demands a certificate or an insurance policy is up for renewal — typically carries a 20 to 30 percent surcharge, as we have to reschedule another engagement or prioritise senior capacity.
Sample Calculations for Three Mid-Market Scenarios
Scenario 1: SME with an Online Shop
Typical engagement: web application pentest of the shop including checkout flow and admin back end, supplemented by an external infrastructure scan of the public IP. Effort: six senior person-days plus reporting.
Estimated costs:
- Web app pentest (shop + admin): €8,500
- External infrastructure (1 IP): €2,500
- Re-test after remediation: €1,500
Scenario 2: Mid-Market Company with a SaaS Product
Typical engagement: full web app pentest (grey-box with 3 roles), API pentest, AWS cloud audit, plus extended compliance documentation for NIS2 evidence. Effort: 20 person-days over 4 weeks.
Estimated costs:
- Web app pentest (3 roles, multi-tenant): €16,000
- API pentest (40 endpoints): €8,500
- AWS cloud audit (2 accounts): €9,500
- NIS2 compliance mapping: €3,000
- Re-test of individual findings: €2,000
Scenario 3: Larger Mid-Market Company with In-House IT
Typical engagement: AD audit, internal infrastructure test across 3 sites, external perimeter test, cloud audit for Azure hybrid setup, plus ISO 27001 mapping. Effort: 35 person-days over 8 weeks.
Estimated costs:
- Active Directory audit: €15,000
- Internal infrastructure (3 sites): €22,000
- External perimeter test: €8,000
- Azure hybrid cloud audit: €12,000
- ISO 27001 mapping + documentation: €5,500
Your situation doesn't fit these scenarios?
We work out a concrete fixed-price proposal for your application landscape in a 30-minute conversation. No generic catalogues — proposal within 24 hours.
Request a fixed-price proposalUnderstanding the Person-Day Logic
Most reputable providers calculate on a person-day basis rather than flat rates. One person-day equals eight hours of active audit work by a certified tester. Day rates in the DACH market in 2026 range from €900 to €1,800 net, depending on experience level and specialisation.
For a web app pentest with eight person-days at a day rate of €1,300, the pure testing time comes to €10,400, plus typically two days of reporting (€2,600) = €13,000 total. A provider offering you a web app pentest for €4,000 objectively cannot deploy more than three person-days — which is simply not enough for a genuine manual assessment.
The detailed phase-by-phase process of a pentest is also important context for understanding pricing. We describe it in full in the article Penetration Test Process — Seven Phases in Detail.
Price vs. Quality — What Does the Price Tell You?
Higher price does not automatically mean better quality — but a very low price almost always means lower quality. Three warning signs for discount proposals that usually disappoint:
Flat rate with no scope clarification. Anyone offering you a web app pentest for €2,500 without reviewing the application can only sustain that price by running a standard scanner against the URL. Real audits require a scope definition upfront.
No named testers. A provider who says "our team will handle it" without naming specific individuals with certifications may be using offshore subcontractors — which can be problematic from a data protection standpoint and cannot be verified for quality.
Sample report from 2019. A provider showing you an anonymised sample report from years ago may not have delivered anything comparable since. Current examples from the last twelve months should be available.
Conversely, not every premium price justifies itself automatically. If a provider charges €30,000 for something others offer at €12,000 — with comparable tester qualifications and methodology — ask for the concrete added value. Professional liability coverage levels, specialist certifications, proprietary tooling, or particular industry expertise can justify a higher price, but it must be explainable.
Hidden Costs and What Must Not Be Missing from a Proposal
When comparing proposals, look beyond the bottom line to the scope of services. Typical line items that discount proposals tend to omit:
- Re-test of individual findings — after remediating vulnerabilities, a verification re-test of the most critical findings should be included in the price. If not, an additional €1,500 to €3,000 can accrue quickly.
- Closing presentation — a one- to two-hour presentation of findings to your IT leadership should be standard, not an "add-on."
- Emergency contacts and escalation — immediate notification when critical findings are discovered during testing, rather than holding them for the final report.
- PGP-encrypted report delivery — essential for sensitive findings; should be a given.
- Methodology documentation — the report should explain how testing was conducted, not just what was found.
Conversely, items that reputable providers legitimately bill as extras include: in-depth remediation support through pair programming with your development team, multilingual reports, staff training on the vulnerability classes discovered, or implementing continuous validation as a follow-on service.
ROI: Is a Pentest Worth It?
From a pure risk calculation: yes, almost always. The average ransomware incident at a German mid-market company in 2026 costs between €150,000 and €800,000 — ransom, operational downtime, forensics, recovery, reputational damage, and potential fines. A pentest that prevents such an incident pays for itself ten times over.
In concrete terms: a €15,000 pentest that finds three exploitable vulnerabilities, at least one of which would have been targeted the following year, is — purely financially — an exceptional investment. The challenge: you cannot know in advance whether the vulnerabilities found would actually have been exploited. The risk mathematics are statistical — you are investing in a reduction of probability, not in a guaranteed incident preventer.
Indirectly, the pentest pays further dividends: cyber insurers have increasingly required pentest evidence since 2024. Without a current pentest, policies may not be renewed, may be issued with dramatic premium increases, or may be subject to benefit reductions in the event of a claim on grounds of "failure to fulfil due diligence obligations." A €12,000 pentest that prevents an €8,000 annual premium increase pays for itself in two years from insurance savings alone. We explore these strategic considerations in depth in the Cybersecurity Pillar.
Continuous Validation as an Alternative
The classic model of "one pentest per year" has two structural weaknesses: eleven months remain untested between audits, and each audit is a point-in-time snapshot — new vulnerabilities introduced by updates, new applications, or configuration changes go undetected until the following year.
With our Reepa Security platform, we offer continuous validation as an alternative or supplement. Instead of once a year, the audit engine runs monthly or weekly against your infrastructure. New vulnerabilities are detected within days, remediated gaps are validated, and compliance status is updated continuously.
Pricing: from €1,500 per month for basic coverage of a medium-sized environment (web, external infrastructure, AWS or Azure), up to €5,000 per month for comprehensive coverage including AD, multi-cloud, and ICS detectors. One-time setup costs range from €4,000 to €12,000 depending on complexity. Over three years, this model is typically cost-neutral compared to annual pentests, while delivering significantly more security value through continuous visibility.
Frequently Asked Questions
What does a penetration test for a web application cost?
For a focused web application with standard login, role system, and 20 to 50 features, costs range from €6,000 to €12,000. More complex applications with multi-tenant logic, numerous integrations, or elaborate business logic fall between €12,000 and €25,000. The exact price depends on the person-days required — typically five to fifteen days per audit.
Why are prices so different between providers?
The main factor is actual effort: an automated scan with a standard report costs €1,500 and delivers superficial results. A manual pentest by certified auditors with individual methodology costs five to ten times as much, but uncovers findings no scanner will catch. Secondary factors: professional liability insurance, tester experience, and reporting quality. Suspiciously cheap proposals almost always skip the manual depth.
Are there fixed-price packages for mid-market companies?
Yes, but be cautious: genuine flat-rate packages only work for very narrowly scoped standard tests — for example a basic web-app scan or a quick external audit. For serious engagements, a fixed price per defined scope is the market norm. Reepa Solutions works exclusively with transparent fixed-price proposals after scope clarification — no hidden add-ons.
Is continuous validation worth it compared to a one-off audit?
From the second year onward, almost always. An annual pentest costs between €8,000 and €25,000 per year but only captures a point-in-time snapshot. Continuous validation with Reepa Security from €1,500 per month delivers monthly target/actual reports and detects new vulnerabilities promptly. Over three years, continuous validation is typically cost-neutral and delivers significantly more security value.
What is included in the pentest price?
With reputable providers: a pre-engagement workshop, the actual testing phase, a complete report with executive summary and technical details, a closing presentation, and usually a complimentary re-test of individual findings within three months. Remediation support and repeated audits after fundamental architectural changes are generally not included.
Can I pay for a pentest in instalments?
At Reepa Solutions, split payments are standard: thirty percent upon engagement, forty percent after pre-engagement completion, thirty percent upon report delivery. For larger engagements above €30,000, additional milestone payments are possible. For continuous validation, billing runs monthly.
Concrete fixed-price proposal within 24 hours
We understand your scope after a 30-minute conversation. We then deliver a transparent fixed-price proposal with clearly documented line items. No flat rates, no hidden follow-on costs.
Request a proposal