$ faq
The most-asked pen-test cost questions in one place. Each one links into the deep-dive page.
The questions below mirror the People-Also-Ask cluster around pen-test pricing in 2026. Every answer below is also exposed as FAQPage JSON-LD for search engines.
A single web-app pen test from a mid-market vendor runs $4,000 to $30,000 in 2026, sourced from vendor-published cost guides. The cheapest published PtaaS subscription floor is Astra Security at $1,999 per year per target.
Last verified June 2026
Across the twenty vendors tracked in this index, only Astra publishes a hard manual-pentest subscription floor ($1,999 per year per target). Project pen-test cost-guide bands sit at $4,000 to $30,000 for web app, $4,000 to $20,000 for external network, $8,000 to $50,000 for internal network, and $30,000 to $150,000 for full red-team.
Last verified June 2026
There is no honest average across the index because eighteen of twenty vendors do not publish a price. Cost-guide mid-band is roughly $15,000 for a single mid-market web-app pen test, but that figure does not represent any single vendor's actual quote.
Last verified June 2026
It depends on asset count and retest frequency. At one asset tested once a year, a project SOW is usually cheapest. At three or more assets with retests, PtaaS subscription tends to win. See /compare/ptaas-vs-traditional for the worked break-even.
Last verified June 2026
US mid-market boutique day rates sit at $1,500 to $3,000 per day in 2026. Senior boutique-elite rates run $2,500 to $5,000 per day. UK day rates from CREST-accredited firms sit at £1,000 to £3,500 per day. See /day-rate-index for the full table.
Last verified June 2026
Yes. PCI DSS v4 Requirement 11.4 mandates pen testing of the cardholder data environment annually and after any significant change. See /pci-pentest-cost.
Last verified June 2026
Not strictly. SOC 2 does not name pen test as a discrete control, but auditors typically expect one during a Type II observation period. A missing pen test is a common qualified-opinion driver. See /soc2-pentest-cost.
Last verified June 2026
Indirectly. ISO 27001:2022 Annex A.8.8 (Management of technical vulnerabilities) is where pen-test evidence sits. Certification bodies expect to see recent pen-test evidence; the standard does not explicitly mandate pen test as a discrete control. See /iso27001-pentest-cost.
Last verified June 2026
Not as a discrete requirement. The Security Rule (45 CFR 164.308) mandates a risk analysis. Pen test is one accepted input to that risk analysis, not an independently mandated activity. See /hipaa-pentest-cost.
Last verified June 2026
Yes. FedRAMP mandates an annual pen test conducted by an accredited 3PAO. Rev 5 widened the scope. See /fedramp-pentest-cost.
Last verified June 2026
Of the twenty vendors tracked here, only Astra Security publishes a fully usable manual-pentest price floor ($1,999/yr per target on Pentest Basic). Detectify publishes a from-price (EUR 90/month) for its continuous scanning product, which is not a manual pen test. Eighteen vendors are quote-only as of June 2026.
Last verified June 2026
Astra Security Pentest Basic at $1,999 per year per target. Source: https://www.getastra.com/pricing, verified June 2026.
Last verified June 2026