What each pentest costs in practice
Reference values in USD for 2026. The final price depends on the 7 variables detailed below; the ranges are typical, not quotes.
| Type of pentest | Price range (USD) | What it covers |
|---|---|---|
| Web / API | US$ 3.5k – US$ 12k | OWASP Top 10, business logic, auth flows, REST/GraphQL/SOAP; 1 to 3 user profiles |
| Mobile | US$ 5k – US$ 15k | iOS + Android: static + dynamic analysis, certificate (SSL) pinning bypass, reverse engineering, API communication |
| Network | US$ 3k – US$ 18k | External or internal: AD attacks, lateral movement, privilege escalation, segmentation testing |
| Cloud / Kubernetes | US$ 7k – US$ 24k | AWS, Azure, GCP: misconfigured roles, exposed buckets, weak policies, IAM attack paths |
| Red Team | US$ 18k – US$ 50k+ | 30-day adversary simulation: phishing, initial access, persistence, lateral movement and exfiltration |
Hour-based billing

| Consultant | Senior rate |
|---|---|
| Brazil-based senior consultant | US$ 80–120/h |
| North America / Europe senior consultant | US$ 150–350/h |
How long does a pentest take?
| Type of pentest | Tester hours | Calendar window |
|---|---|---|
| Simple web app (1 profile, < 30 endpoints) | 40 h | 5–7 days |
| Typical SaaS (3 profiles, 80+ endpoints) | 80–120 h | 2–3 weeks |
| Complete API (REST + GraphQL + auth flows) | 100–160 h | 3–4 weeks |
| Mobile app (iOS + Android) | 120–180 h | 3–4 weeks |
| External network (50–200 IPs) | 60–120 h | 2–3 weeks |
| Internal network with AD / segmentation | 120–240 h | 3–5 weeks |
| Cloud / Kubernetes (multi-account) | 160–320 h | 4–6 weeks |
| Red Team (continuous) | 300 h+ | 30–90 days |
The calendar window includes the kickoff meeting, reconnaissance, active testing, reporting and a 30-minute executive debrief. The retest is counted separately (2–5 days).
7 variables that change the final value
Before asking for a quote, understand what drives the price so you can scope correctly and compare fairly.
1. Scope size: number of endpoints, roles, microservices and integrations. A SaaS with 3 profiles and 80 endpoints takes about 5× the effort of a landing page.
2. Testing approach: black-box (external view only, no credentials) is the cheapest but finds the least; gray-box (with credentials and some documentation) is the most common; white-box (source code + architecture) is the most complete.
3. Technology stack: microservices, Kubernetes, serverless and cloud-native architectures require specialists and extend timelines by 20–40%.
4. Compliance requirements: a pentest for PCI DSS, LGPD, ISO 27001 or SOC 2 needs specific report templates, evidence and traceability from finding to fix.
5. Included retest: a proposal without a retest is incomplete, because it never confirms that the findings were actually fixed. Standard at Evernow: 1 retest after fixes, within 60 days.
6. Urgency / SLA: express starts (5-day lead time) and off-hours testing carry a 15–30% premium.
7. Seniority of testers: OSCP, OSWE, GPEN and GWAPT certifications and a CVE track record justify a higher hourly rate, and usually produce a far more actionable report.
Want a quote tailored to your scope?
Our specialists respond in up to 48 business hours with a detailed breakdown.
Checklist: 7 points in any pentest quote
If a proposal is missing any of these, ask before signing.
The real price is what you pay for not doing it
Source: IBM Cost of a Data Breach 2025
A US$ 9,000 pentest is well under 1% of the global average cost of a breach reported by IBM (around US$ 4.4 million in the 2025 edition). The claim that a well-done pentest reduces the probability of such a breach by 60–80% is an estimate from this page, not a figure taken from the IBM report.
- 85% of breaches exploit known vulnerabilities
- 2.3× cheaper to fix a vulnerability early than after release
- 58% of companies had a critical incident
Offers far below these ranges are usually automated scans rebranded as a pentest. A pure DAST/VA run does not validate exploitability, chained attacks or business logic. PCI DSS explicitly distinguishes penetration testing from vulnerability scanning, so a scan alone will not satisfy a PCI DSS assessor or a rigorous ISO 27001 audit.
LGPD does not mandate a pentest explicitly, but it requires "adequate technical measures" to protect personal data (Art. 46). A pentest is the de-facto standard for evidencing due diligence to the ANPD.
Minimum: annual. Recommended: after every major release, plus once a year as a baseline. PCI DSS requires a pentest at least every 12 months and after any significant infrastructure or application change.
Report with an attacker narrative, CVSS v4 scoring, 1 free retest, integration with your Jira/ClickUp and a 30-minute executive debrief with the CISO.
Ready to run a serious pentest?
Get a tailored proposal in 48h, with scope, timeline and price broken down.