$ explain --pricing-models
Four pricing models cover every vendor in this index. Knowing which one a vendor uses tells you most of what you need to compare quotes.
Annual subscription per asset (Astra), credit pool by hour (Cobalt and most PtaaS pioneers), project quote with day-rate underneath (Bishop Fox, Praetorian, NetSPI, Coalfire, Schellman, Mandiant), and from-price platform subscriptions for scanning rather than manual pen test (Detectify, Intruder). PtaaS subscription vendors (BreachLock, Synack, Pentera) publish tier maps but route to a quote.
Last verified June 2026
$ model --map
| Model | Astra | Cobalt | Bishop Fox | Detectify |
|---|---|---|---|---|
| Subscription per asset | ✓ | ✗ | ✗ | ✗ |
| Credit pool by hour | ✗ | ✓ | ✗ | ✗ |
| Project quote | ◐ | ◐ | ✓ | ✗ |
| Platform from-price | ✗ | ✗ | ✗ | ✓ |
| Published price floor | ✓ | ✗ | ✗ | ✓ |
“Most pen-test pricing models exist to make the engagement saleable, not to make the buyer's TCO easy to model.”
$ what --each-model --charges-for
- Subscription per asset
An annual fee covers one target (web app, API, repo). Retest usually included. Predictable budget but inflexible if asset count changes mid-year.
- Credit pool by hour
You buy a pool of hours (or credits) up-front and burn them as engagements run. Best for ongoing programmes; worst for one-off compliance pen tests.
- Project quote (day-rate underneath)
Vendor estimates a number of days, multiplies by a day-rate, adds project management. Day-rates rarely published; ask for the rate AND the day count.
- Platform from-price
Self-serve scanning. Not a manual pen test substitute, but valid as a continuous layer between annual tests.