How much does a pentest cost?

Short answer

A human pentest for a small web app costs $8K-$25K and takes 2-4 weeks. Autonomous pentests (XBOW, Pentera, Horizon3) cost $1K-$6K per engagement. For most startups pre-Series B, continuous automated scanning + one annual human pentest is the right mix.

Pentest pricing ranges:

  • Boutique human pentest: $8K-$25K, 2-4 weeks, one-off report
  • Continuous pentest (Cobalt, HackerOne Pentest): $15K-$50K/year
  • Autonomous pentest (XBOW Pentest-On-Demand): $4K-$6K per test
  • Securie autonomous swarm: $1.5K per engagement

What you get for the money:

  • Human: creative, novel attack chains; ~$250/hour for lead tester time
  • Automated: broader coverage, repeatable, faster turnaround

Recommendation for a typical solo-founder SaaS:

  • Pre-launch: use free scanners (Securie tools) + one targeted engagement ($1.5K-$4K)
  • Year 1: continuous scanning + one annual human pentest when you need it for a customer
  • Year 2+: continuous + quarterly human tests

Don't pay for a pentest until you've run the free scanners and fixed what they find — paying a human $25K to find what a $0 tool would have caught is money wasted.
