$ cost --segment=mid-market
100 to 1,000 staff. Hybrid cloud, multiple products, at least one compliance trigger (SOC 2, ISO 27001, PCI). The segment most contested by PtaaS vendors.
A typical mid-market pen-test programme runs $25,000 to $80,000 per year across two to four assets when delivered as projects, and $20,000 to $60,000 per year on a PtaaS subscription with retests included. Compliance trigger (SOC 2 Type II, ISO 27001) usually mandates an annual cadence.
Last verified June 2026
$ vendor --fit
The mid-market is where the PtaaS vendors compete hardest: Cobalt, BreachLock, Synack. Project-shape boutiques (Bishop Fox, Praetorian) also chase this segment but at the upper price band.
- step 1TriggerCompliance
- step 2RFP3-4 vendors
- step 3Scoping1-2 weeks
- step 4SignProcurement
- step 5Test2-3 weeks
- step 6Report1-2 weeks
- step 7RetestQuarter later
- Web-app pen test, product A (mid-band project)
- $18,000
- Web-app pen test, product B (mid-band project)
- $15,000
- API pen test, shared backend
- $10,000
- External network pen test
- $8,000
- Retest cycle, one round per app
- $8,000
- Annual project total
- ~$59,000
Illustrative example, not a real company. Bands sourced from vendor-published cost guides; actual quotes vary.