How much does a network penetration test cost?

A network penetration test typically costs £5,000–£18,000 in the UK ($6,000–$23,000). The price depends on the number of IP addresses in scope, internal vs external testing, and company size. Most network pentests take 3–5 days of consultancy time.

How much does a web application penetration test cost?

Web application penetration tests cost £5,000–£30,000 ($6,000–$38,000). A single application with standard complexity sits around £8,000–£15,000. Large complex applications with many user roles and API endpoints can reach £25,000+.

How much does a red team engagement cost?

Red team engagements are the most expensive form of security testing, typically costing £15,000–£100,000+ in the UK. Most enterprise red team exercises run for 2–8 weeks and include physical access attempts, social engineering, and full attack chain simulation.

Penetration Testing Cost by Type

Detailed pricing, scope, deliverables, and benchmarks for every type of penetration test. Use the calculator to get a custom estimate.

Test Type	GBP Range	USD Range	Duration
Network Pentest	£5,000 – £18,000	$6,000 – $23,000	3–5 days
Web App Pentest	£5,000 – £30,000	$6,000 – $38,000	5–10 days
Mobile App Pentest	£6,000 – £30,000	$7,500 – $38,000	5–8 days
API Pentest	£4,000 – £22,000	$5,000 – $28,000	3–6 days
Cloud Infrastructure Pentest	£6,000 – £40,000	$7,500 – $50,000	5–10 days
Red Team Engagement	£15,000 – £100,000+	$19,000 – $127,000+	2–8 weeks
Social Engineering / Phishing Sim	£2,500 – £15,000	$3,000 – $19,000	1–3 weeks

Network Pentest

External & internal infrastructure assessment

£5,000 – £18,000

$6,000 – $23,000 • 3–5 days

Who needs this: Any organisation with on-premises servers, cloud VMs, or network perimeter

What's Included

✓External attack surface enumeration
✓Port scanning and service fingerprinting
✓Vulnerability identification (CVE-based)
✓Exploitation attempts and lateral movement
✓Active Directory / domain controller testing
✓CVSS-scored findings report
✓Remediation guidance and re-test

Not Included

—Web application testing
—Social engineering
—Physical access

Pricing Factors

↑Number of IP addresses/ranges
↑Internal vs external only
↑Active Directory complexity
↑Number of network segments

Market Benchmark

A typical SMB network test (50 IPs, external only) costs around £6,000–£9,000. Enterprise scope (500+ IPs, internal + external) typically runs £12,000–£18,000.

Web App Pentest

OWASP Top 10 and beyond — manual + automated

£5,000 – £30,000

$6,000 – $38,000 • 5–10 days

Who needs this: Any organisation with customer-facing or internal web applications

What's Included

✓OWASP Top 10 coverage
✓Authentication and session management testing
✓Authorisation and access control testing
✓Injection flaws (SQL, LDAP, XSS, XXE)
✓Business logic testing
✓API endpoint enumeration
✓PoC exploits for critical findings
✓Developer-ready remediation guidance
✓Re-test verification

Not Included

—Mobile app backend (separate scope)
—Network infrastructure

Pricing Factors

↑Application complexity and size
↑Number of user roles
↑Authenticated vs unauthenticated scope
↑Source code review (adds cost)

Market Benchmark

A standard SaaS web app with 3 user roles costs around £10,000–£15,000. Large enterprise portals with dozens of modules can reach £25,000–£30,000.

Mobile App Pentest

iOS and Android — static, dynamic, and API

£6,000 – £30,000

$7,500 – $38,000 • 5–8 days

Who needs this: Companies shipping iOS or Android apps that handle sensitive data or payments

What's Included

✓Static analysis (decompilation, obfuscation review)
✓Dynamic analysis (runtime behaviour, traffic interception)
✓Certificate pinning and SSL checks
✓Data storage review (keychain, shared prefs)
✓API backend testing from mobile context
✓Authentication and token handling
✓OWASP Mobile Top 10 coverage
✓Re-test verification

Not Included

—Web admin portal (separate web app test)
—Backend infrastructure

Pricing Factors

↑iOS only, Android only, or both
↑Payment/biometric features
↑API complexity
↑Jailbreak/root detection bypass testing

Market Benchmark

A single-platform (iOS or Android) consumer app runs £8,000–£15,000. Dual-platform with payment features: £15,000–£25,000.

API Pentest

REST, GraphQL, SOAP — auth, authorisation, injection

£4,000 – £22,000

$5,000 – $28,000 • 3–6 days

Who needs this: Companies with internal or public APIs, especially those handling financial or PII data

What's Included

✓Authentication testing (JWT, OAuth, API keys)
✓BOLA (Broken Object Level Authorisation)
✓BFLA (Broken Function Level Authorisation)
✓Rate limiting and brute force testing
✓Injection testing (SQLi, XXE, SSRF)
✓Mass assignment and excessive data exposure
✓OpenAPI/Swagger specification review
✓Re-test verification

Not Included

—Full web application testing
—Mobile client testing

Pricing Factors

↑Number of endpoints
↑Authentication complexity
↑GraphQL vs REST (GraphQL adds complexity)
↑Availability of API documentation

Market Benchmark

A standard REST API with 50–100 endpoints costs £6,000–£12,000. Complex GraphQL APIs or microservice meshes: £12,000–£22,000.

Cloud Infrastructure Pentest

AWS, Azure, GCP — IAM, misconfigs, lateral movement

£6,000 – £40,000

$7,500 – $50,000 • 5–10 days

Who needs this: Organisations running workloads on AWS, Azure, or GCP — especially those with public-facing cloud resources

What's Included

✓IAM misconfiguration review
✓S3/Blob/GCS public exposure checks
✓Network security group review
✓Privilege escalation path mapping
✓Lambda/serverless function review
✓Container security (ECS, EKS, AKS)
✓Secrets management review
✓Logging and monitoring gap analysis
✓Re-test verification

Not Included

—On-premises network
—Application layer (separate web app test)

Pricing Factors

↑Number of cloud accounts/subscriptions
↑Multi-cloud vs single provider
↑Kubernetes environments
↑Assumed-breach vs black-box approach

Market Benchmark

A single AWS account assessment costs £7,000–£15,000. Multi-account organisations with EKS workloads: £18,000–£35,000.

Red Team Engagement

Full adversary simulation — no rules, realistic threat

£15,000 – £100,000+

$19,000 – $127,000+ • 2–8 weeks

Who needs this: Mature security programmes that have already addressed basic vulnerabilities and want to test detection and response capability

What's Included

✓Custom threat intelligence and target profiling
✓Phishing and social engineering campaigns
✓Physical premises access attempts
✓Network and application exploitation
✓Lateral movement and persistence
✓Active Directory / domain takeover attempts
✓Data exfiltration simulation
✓Purple team debrief option

Not Included

—Formal re-test report (different engagement model)

Pricing Factors

↑Engagement duration
↑Number of operators
↑Physical component inclusion
↑Threat actor simulation specificity (APT profile)

Market Benchmark

A 4-week red team with 2 operators costs £25,000–£50,000. Extended 8-week engagements with physical component: £60,000–£100,000+.

Social Engineering / Phishing Sim

People testing — phishing, vishing, pretexting

£2,500 – £15,000

$3,000 – $19,000 • 1–3 weeks

Who needs this: Any organisation running security awareness training — baseline and post-training measurement

What's Included

✓Phishing email campaign (custom lure, credential harvesting)
✓Spear phishing against high-value targets
✓Vishing (voice/phone pretexting)
✓Pretexting scenarios
✓Click rate and credential capture reporting
✓Department-level breakdown
✓Security awareness recommendations

Not Included

—Physical access testing (separate)
—Technical exploitation

Pricing Factors

↑Number of employees targeted
↑Number of phishing scenarios
↑Vishing inclusion
↑Follow-up training delivery

Market Benchmark

A phishing campaign for 200 employees: £3,000–£5,000. Comprehensive programme including vishing for 1,000+ staff: £8,000–£15,000.

Get a custom pentest cost estimate

Use our free calculator to model your exact scope, compliance requirements, and testing frequency.

Open the Calculator →

Want an expert review? Get a free security exposure teardown