How much does a pentest cost?
A human pentest for a small web app costs $8K-$25K and takes 2-4 weeks. Autonomous pentests (XBOW, Pentera, Horizon3) cost $1K-$6K per engagement. For most startups pre-Series B, continuous automated scanning + one annual human pentest is the right mix.
Pentest pricing ranges:
- Boutique human pentest: $8K-$25K, 2-4 weeks, one-off report
- Continuous pentest (Cobalt, HackerOne Pentest): $15K-$50K/year
- Autonomous pentest (XBOW Pentest-On-Demand): $4K-$6K per test
- Securie Autonomous Pentest / White-hat: scoped quote with proof, report, and retest window
What you get for the money:
- Human: creative novel-chain attacks; ~$250/hour for lead tester time
- Automated: broader coverage, repeatable, faster turnaround
Recommendation for a typical solo-founder SaaS:
- Before launch: run free open-source scanners (trufflehog, gitleaks, npm audit, securityheaders.com) + request Securie access — then one targeted human engagement when a customer requires it
- Year 1: continuous scanning + one annual human pentest when you need it for a customer
- Year 2+: continuous + quarterly human tests
Don't pay for a pentest until you've run the free tools and fixed what they find — paying a human $25K to find what a $0 tool would have caught is money wasted.
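One way to script that free pre-launch pass, as an added example that is not the page's or any vendor's code: a POSIX shell wrapper that runs gitleaks, trufflehog and npm audit when they are installed (and says so when they are not), and performs a securityheaders.com-style check on a captured response-header block. The tool flags assume gitleaks v8 (`detect --source`), trufflehog v3 (`filesystem`) and npm 7 or later; the sample header block is constructed.

```shell
#!/bin/sh
# Added example: pre-launch free-tool pass (not the page's or any vendor's code).
# Assumes: gitleaks v8 (`detect --source`), trufflehog v3 (`filesystem`),
# npm >= 7 (`npm audit --audit-level`). Missing tools are skipped, never faked.

# Headers a securityheaders.com-style check expects on a production site.
WANTED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy permissions-policy"

# Run a tool only if it is on PATH; a non-zero exit means findings (or failure).
run_if_available() {
  tool=$1; shift
  if command -v "$tool" >/dev/null 2>&1; then
    echo "== $tool =="
    "$@" || echo "!! $tool exited non-zero (findings or error); fix before paying for a human test"
  else
    echo "-- $tool not installed; skipping"
  fi
}

# Secret scanning over a checkout: both tools, since their rule sets differ.
run_secret_scans() {
  dir=$1
  run_if_available gitleaks gitleaks detect --source "$dir" --no-banner
  run_if_available trufflehog trufflehog filesystem "$dir" --only-verified
}

# Dependency audit for a Node project; skipped when there is no package.json.
run_dep_audit() {
  dir=$1
  if [ -f "$dir/package.json" ]; then
    ( cd "$dir" && run_if_available npm npm audit --audit-level=high )
  else
    echo "-- no package.json in $dir; skipping npm audit"
  fi
}

# Print the wanted headers missing from a raw response-header block
# (the text `curl -sI URL` prints): one space-separated, lower-case line.
missing_security_headers() {
  hdrs=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
  missing=""
  for h in $WANTED_HEADERS; do
    printf '%s\n' "$hdrs" | grep -q "^$h:" || missing="$missing $h"
  done
  printf '%s\n' "${missing# }"
}

# Fetch live headers for a URL you own and report the gaps.
check_live_headers() {
  url=$1
  if command -v curl >/dev/null 2>&1; then
    echo "== security headers for $url =="
    m=$(missing_security_headers "$(curl -sI --max-time 10 "$url")")
    [ -n "$m" ] && echo "!! missing: $m" || echo "ok: all wanted headers present"
  else
    echo "-- curl not installed; skipping header check"
  fi
}

# Whole pre-launch pass: pre_launch_scan REPO_DIR [PUBLIC_URL]
pre_launch_scan() {
  run_secret_scans "$1"
  run_dep_audit "$1"
  [ -n "${2:-}" ] && check_live_headers "$2"
  return 0
}

# Constructed sample: a response that lacks CSP and Permissions-Policy.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer'

# Usage: sh prelaunch.sh ./my-app https://app.example.com
if [ $# -gt 0 ]; then
  pre_launch_scan "$@"
fi
```

Each scanner's non-zero exit is reported rather than swallowed, so the script's output doubles as the "fixed what they find" checklist before any paid engagement; the header check is kept separate from the live fetch so it can be run against headers captured from staging without network access.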