$ costs --hidden
The line items that turn a clean headline number into a real invoice. Most are negotiable if you raise them in the scoping call.
Retest fees, attestation letters for auditors, change orders for mid-engagement scope creep, out-of-hours testing premiums, travel for on-site work, third-party authorisation paperwork for cloud-provider testing, and remediation-support hours. Ask about each one during scoping; vendors will rarely volunteer them upfront.
Last verified June 2026
$ line --items
- Retest cycle
Whether the price covers one retest of every fixed finding, or only the test itself. Charge varies from included to a separately quoted second engagement.
- Out-of-hours testing
If you need testing outside business hours to avoid production impact, expect a premium of roughly 25 to 50%.
- Travel and on-site
Internal-network and physical pen tests usually require on-site days. Travel is normally billed at cost; ask for a cap.
- Attestation letter
Some vendors bundle the auditor-facing attestation letter; some charge for it separately. Confirm in the SOW.
- Change orders
If discovery uncovers new in-scope assets, expect a change-order conversation. Cap the change-order rate in the master agreement.
- Cloud-provider authorisation
AWS, Azure, GCP have specific testing-authorisation processes. Some vendors absorb the admin; some bill for it.
- Remediation support hours
Help-on-fix is usually a separate line item, not part of the pen test itself. Hourly rates apply.
- Executive readout
A live presentation of findings to the exec team. Vendor-dependent; ask if it is included.
- Headline pen-test fee (single web app, mid-band)
- $15,000
- Retest cycle, charged separately
- +$3,000
- Out-of-hours premium (33%)
- +$5,000
- Attestation letter (some vendors charge separately)
- +$1,500
- Change order: one new endpoint added mid-engagement
- +$2,500
- All-in invoice
- ~$27,000
Illustrative example, not a real company. Every line item above is one a buyer can negotiate or bundle in the scoping call.