Independent reference. Not affiliated with any vendor listed.

$ cost --segment=mid-market

100 to 1,000 staff. Hybrid cloud, multiple products, at least one compliance trigger (SOC 2, ISO 27001, PCI). The segment most contested by PtaaS vendors.

$ answer --question="What should a mid-market buyer budget?"

A typical mid-market pen-test programme runs $25,000 to $80,000 per year across two to four assets when delivered as projects, and $20,000 to $60,000 per year on a PtaaS subscription with retests included. Compliance trigger (SOC 2 Type II, ISO 27001) usually mandates an annual cadence.

Last verified June 2026

$ stat --slot=1
$25-80K
Project model annual
2-4 assets, cost-guide bands
$ stat --slot=2
$20-60K
PtaaS model annual
Retests usually included
$ stat --slot=3
1/yr
Compliance cadence
SOC 2, ISO 27001
$ stat --slot=4
2-4
Typical assets in scope
Mid-market shape

$ vendor --fit

The mid-market is where the PtaaS vendors compete hardest: Cobalt, BreachLock, Synack. Project-shape boutiques (Bishop Fox, Praetorian) also chase this segment but at the upper price band.

  1. step 1TriggerCompliance
  2. step 2RFP3-4 vendors
  3. step 3Scoping1-2 weeks
  4. step 4SignProcurement
  5. step 5Test2-3 weeks
  6. step 6Report1-2 weeks
  7. step 7RetestQuarter later
$ ledger --illustrative
Mid-market programme: 350-person SaaS, two products
Illustrative example, not a real company
Web-app pen test, product A (mid-band project)
$18,000
Web-app pen test, product B (mid-band project)
$15,000
API pen test, shared backend
$10,000
External network pen test
$8,000
Retest cycle, one round per app
$8,000
Annual project total
~$59,000

Illustrative example, not a real company. Bands sourced from vendor-published cost guides; actual quotes vary.