$ pricing --vendor=schellman
Schellman pen-test pricing for 2026. No public pricing. We do not invent a number. This page documents what is publicly stated and what to ask in the scoping call.
Schellman does not publish a starting price. Quote only, contact vendor. Source: https://www.schellman.com/penetration-testing. Verified June 2026. Treat any third-party dollar figure attributed to Schellman with caution.
Last verified June 2026
Why this vendor is quote-only
Schellman routes every published tier or product to a sales call. The reason varies by vendor: enterprise-only positioning, multi-asset scoping that resists line-item pricing, or compliance bundling where the pen test sits inside a wider SOW. Whatever the reason, no one outside Schellman can quote you a number without that call. We will not invent one.
$ list --tiers
Published tier structure. Prices shown only where Schellman publishes a number. Quote-only tiers are labelled as such; we do not estimate.
| Tier | Price | Notes |
|---|---|---|
| Schellman pentest | quote | Start Scoping Your Next Pen Test CTA only |
Source: https://www.schellman.com/penetration-testing · verified 2026-06-19
$ best-for --buyer
Buyers running a Schellman audit (SOC 2 Type II, ISO 27001, PCI, FedRAMP 3PAO) who want the pen test under the same SOW.
Scope fit
- web-app
- api
- network
- cloud
$ hidden --costs
Line items that often do not appear in the headline Schellman quote. Confirm each against the SOW before signing.
- Retest fee
Whether retesting fixed findings is included in the headline price or charged as a separate engagement. Ask before signing.
- Out-of-hours testing
If you need testing outside business hours to avoid production impact, that often carries a premium of 25 to 50%.
- Report format and depth
Executive summary, full technical report, attestation letter for auditors. Some vendors bundle all three, some charge for the attestation separately.
- Travel and on-site
Internal-network or physical pen test usually requires on-site days. Travel is normally billed at cost.
- Bug-bounty payouts
Not applicable here. Bug bounty is not part of the standard engagement.
- Re-scope mid-engagement
If discovery uncovers new in-scope assets, expect a change-order conversation. Cap the change-order rate in the master agreement.
$ nearest --alternatives
Closest comparable vendors to Schellman. We pair on pricing model and product fit.
- CoalfireAudit firm
Coalfire Offensive Security, an arm of an audit and compliance firm. Pen test is sold standalone or bundled into FedRAMP, PCI, and HITRUST engagements. No public pricing.
open coalfire-pricing → - Astra SecurityPtaaS
PtaaS vendor with a fully published price card. One of the few firms in this index where the headline number does not depend on a sales call.
open astra-pricing →