$ diff --left=ptaas --right=project
Subscription against one-off project. The break-even depends on how many assets you test and how many retests you need.
PtaaS wins when you have three or more discrete assets, expect to retest at least twice a year, and value reporting that lands in a portal rather than a PDF. Project pen test wins when you have one asset, need a single annual attestation, and can defer remediation verification. There is no universal cheaper-cheaper answer; it is a function of test frequency and retest intensity.
Last verified June 2026
Subscription model
Annual fee per asset (Astra) or annual credit pool (Cobalt and similar). Retests usually included or discounted. Findings land in a portal with workflow integrations.
Statement-of-work model
One-off SOW per engagement. Retest is usually a separately priced engagement. Deliverable is a PDF report plus an attestation letter for auditors.
$ heatmap --features
| Feature | PtaaS | Project |
|---|---|---|
| Predictable annual budget | ✓ | ✗ |
| Retest included or discounted | ✓ | ✗ |
| Workflow integration (Jira / SIEM) | ✓ | ◐ |
| Senior consultant-led | ◐ | ✓ |
| Cheapest for one asset, once a year | ◐ | ✓ |
| Cheapest at 3+ assets, 2+ retests | ✓ | ✗ |
| Compliance attestation letter | ✓ | ✓ |
- Project: web-app pen test (vendor cost-guide mid-band)
- $12,000
- Project: API pen test (vendor cost-guide mid-band)
- $10,000
- Project: one retest each, 6 months later
- $8,000
- Project subtotal
- $30,000
- PtaaS: 2x Astra Pentest Basic at $1,999/yr
- $3,998
- PtaaS: hypothetical mid-PtaaS quote, 2 assets, retests included
- $18,000
- PtaaS range
- $3,998 to ~$18,000
Illustrative example, not a real company. PtaaS range spans the published Astra floor and a hypothetical mid-PtaaS quote since 18 of 20 vendors do not publish a number.