$ pricing --vendor=breachlock
BreachLock pen-test pricing for 2026. No public pricing. We do not invent a number. This page documents what is publicly stated and what to ask in the scoping call.
BreachLock does not publish a starting price. Three tiers published, prices on application. Source: https://www.breachlock.com/pricing/penetration-testing-pricing/. Verified June 2026. Treat any third-party dollar figure attributed to BreachLock with caution.
Last verified June 2026
Why this vendor is quote-only
BreachLock routes every published tier or product to a sales call. The reason varies by vendor: enterprise-only positioning, multi-asset scoping that resists line-item pricing, or compliance bundling where the pen test sits inside a wider SOW. Whatever the reason, no one outside BreachLock can quote you a number without that call. We will not invent one.
$ list --tiers
Published tier structure. Prices shown only where BreachLock publishes a number. Quote-only tiers are labelled as such; we do not estimate.
| Tier | Price | Notes |
|---|---|---|
| Standard | quote | Small to mid web apps, basic internal, external network |
| Extended | quote | Mid apps, complex networks, APIs with advanced testing |
| Extensive | quote | Large enterprise apps, multi-layer networks, red team and source-code review |
Source: https://www.breachlock.com/pricing/penetration-testing-pricing/ · verified 2026-06-19
$ best-for --buyer
Mid-market buyers wanting a single PtaaS vendor across web, API, internal-network, and red-team in one subscription.
Scope fit
- web-app
- api
- network
- cloud
- red-team
$ hidden --costs
Line items that often do not appear in the headline BreachLock quote. Confirm each against the SOW before signing.
- Retest fee
Whether retesting fixed findings is included in the headline price or charged as a separate engagement. Ask before signing.
- Out-of-hours testing
If you need testing outside business hours to avoid production impact, that often carries a premium of 25 to 50%.
- Report format and depth
Executive summary, full technical report, attestation letter for auditors. Some vendors bundle all three, some charge for the attestation separately.
- Travel and on-site
Internal-network or physical pen test usually requires on-site days. Travel is normally billed at cost.
- Bug-bounty payouts
Not applicable here. Bug bounty is not part of the standard engagement.
- Re-scope mid-engagement
If discovery uncovers new in-scope assets, expect a change-order conversation. Cap the change-order rate in the master agreement.
$ nearest --alternatives
Closest comparable vendors to BreachLock. We pair on pricing model and product fit.
- Cobalt.ioPtaaS
PtaaS pioneer. Publishes a three-tier model (Standard, Premium, Enterprise) and a credit unit (1 credit = 8 hours of offensive testing) but routes every tier to a quote.
open cobalt-pricing → - Astra SecurityPtaaS
PtaaS vendor with a fully published price card. One of the few firms in this index where the headline number does not depend on a sales call.
open astra-pricing →