$ guide --buy
Seven stages, six to ten weeks end to end. The stages do not vary by vendor; only the time spent on each does.
From trigger to delivered report, six to ten weeks is typical: one to two weeks for scoping, two to three weeks for SOW and procurement, one to four weeks of testing, one to two weeks for the report. Add a 30 to 90 day retest cycle after fixes ship. Compress the cycle by pre-approving an MSA with one vendor before you need a pen test.
Last verified June 2026
$ process --stages
- step 1TriggerCompliance / risk
- step 2Shortlist2-4 vendors
- step 3ScopeAsset inventory
- step 4QuoteCompare apples-to-apples
- step 5SOWProcurement
- step 6TestActive engagement
- step 7ReportPlus readout
- step 8RetestVerify fixes
$ per-stage --checklist
- Trigger
Document what triggered the pen test (new compliance scope, post-incident, M&A diligence, new product launch). Vendor scoping will ask this question first.
- Shortlist
Pull 2 to 4 vendors. At least one should publish a price (Astra or a from-price platform) as a sanity baseline.
- Scope
Asset inventory with URLs, IPs, user roles, third-party integrations. The scoping call is twice as fast if you bring this.
- Quote
Ask every vendor for the same scope under the same constraints. Compare day-count plus day-rate where the vendor exposes both.
- SOW
Confirm retest, attestation letter, out-of-hours premium, change-order rate, IP and data handling. See the RFP template.
- Test
Standing daily checkpoint, named technical contact, escalation path for production-impact findings.
- Report
Executive summary plus full technical report plus attestation letter (if compliance-driven). Live readout to the exec team.
- Retest
Schedule the retest before signing. Confirm whether it is included or separately priced.