How to Scope a Penetration Test (and Get an Accurate Fixed Price)
The most common question we get from first-time buyers is some version of: how much does a penetration test cost? The honest answer is that it depends on scope, and scope is something you control. Understanding how testers size an engagement will get you a sharper quote and a better test.
What drives the effort
For a web application or API test, effort scales with the amount of functionality a tester must exercise:
- User roles. An application with four roles (say user, supervisor, admin, super admin) needs privilege escalation testing between every meaningful pair. Each role multiplies the work.
- Input surface. Forms, file uploads, search functions and API endpoints are where vulnerabilities live. A rough endpoint or page count is the single most useful number you can give a tester.
- Authentication model. Testing with credentials (grey box) finds substantially more than anonymous testing (black box) because most of a modern application sits behind a login.
- Environment. A dedicated test environment with test accounts makes testing faster and safer than production.
For external network tests, the driver is simpler: how many IP addresses, domains and exposed services are in scope. For cloud configuration reviews, it is the number of accounts or subscriptions and the breadth of services deployed.
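To see how roles and endpoints multiply, here is an added example (not the provider's tooling) that turns a scope description into the authorization test matrix a grey box test has to cover: one anonymous check per endpoint, a vertical check for every role the endpoint should reject, and a horizontal cross-tenant check for every role it accepts on tenant-scoped data. The four roles are the ones named above; the endpoints and their allowed roles are constructed sample data.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Endpoint:
    path: str
    allowed_roles: frozenset  # roles the design says may call this endpoint
    tenant_scoped: bool       # reads or mutates one customer's data


# Roles from the article; endpoints are constructed sample data, not a real app.
ROLES = ("user", "supervisor", "admin", "super_admin")
ENDPOINTS = (
    Endpoint("GET /api/orders/{id}", frozenset(ROLES), True),
    Endpoint("GET /api/reports", frozenset({"supervisor", "admin", "super_admin"}), True),
    Endpoint("DELETE /api/users/{id}", frozenset({"admin", "super_admin"}), True),
    Endpoint("PUT /api/settings/billing", frozenset({"super_admin"}), False),
)


def role_pairs(roles):
    """Ordered (caller, target) pairs: 'can role A reach what only role B should?'"""
    return list(permutations(roles, 2))


def build_access_matrix(roles, endpoints):
    """Enumerate the authorization checks a grey box test must exercise."""
    checks = []
    for ep in endpoints:
        # Black box pass: an anonymous caller must be rejected on every endpoint.
        checks.append(("anonymous", "anonymous", ep.path))
        for role in roles:
            if role not in ep.allowed_roles:
                # Vertical: a lower-privilege role calling a higher-privilege endpoint.
                checks.append(("vertical", role, ep.path))
            elif ep.tenant_scoped:
                # Horizontal: an allowed role reaching another customer's object.
                checks.append(("horizontal", role, ep.path))
    return checks


def scope_summary(roles, endpoints):
    """Counts a buyer can hand to a tester: roles, endpoints, and checks by kind."""
    matrix = build_access_matrix(roles, endpoints)
    kinds = [k for k, _, _ in matrix]
    return {
        "roles": len(roles),
        "role_pairs": len(role_pairs(roles)),
        "endpoints": len(endpoints),
        "anonymous": kinds.count("anonymous"),
        "vertical": kinds.count("vertical"),
        "horizontal": kinds.count("horizontal"),
        "authenticated_checks": len(kinds) - kinds.count("anonymous"),
    }
```

Adding a fifth role to ROLES raises role_pairs from 12 to 20 and adds a check to every endpoint it is not allowed to call, which is the multiplication the list above describes.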
Black box, grey box, or both
Unauthenticated black box testing answers one question: what can an anonymous attacker on the internet do to my application? It is useful and it is cheaper, but it cannot tell you whether a logged-in customer can read another customer’s data, which is the finding that hurts most SaaS businesses. For comprehensive coverage we recommend grey box testing with credentials for each role. Most engagements combine a black box pass with authenticated testing.
Questions a good provider will ask you
Before quoting, expect to be asked: what the application does, the technology stack, how many roles and endpoints, whether credentials and a test environment will be provided, what is driving the test (compliance, a customer request, general assurance), and your timeline. If a provider quotes without asking any of this, the price has padding in it, the test will be shallow, or both.
What you should expect back
A report with an executive summary, findings rated by real world risk rather than scanner severity, evidence for each finding, root cause analysis and practical remediation guidance. Then a walkthrough call, and retesting of fixed items. The report is the product; ask to see a sanitised sample before you commit.
Ready to scope yours? Tell us what you need tested and we will come back with a fixed price within 48 hours.