If you've asked a few firms what a web application penetration test costs, you've probably gotten wildly different numbers — and very little explanation. The truth is that pentest pricing is driven by a handful of concrete factors, and once you understand them you can budget accurately and avoid overpaying for scope you don't need.
The short answer
For most SaaS and startup web applications, a focused manual penetration test typically falls somewhere in the low-to-mid five figures. Small, single-role apps sit at the lower end; large, multi-role platforms with complex business logic sit higher. Automated-only scans are cheaper but are not a true penetration test — and they miss the vulnerabilities that actually get companies breached.
What actually drives the price
Rather than a flat rate, a good pentest is priced on effort. These are the factors that determine how many days of hands-on testing your application needs:
- Application size — the number of pages, features, and distinct workflows.
- User roles — each role (admin, member, guest, billing, etc.) multiplies the access-control testing surface.
- APIs and integrations — REST/GraphQL endpoints, webhooks, and third-party integrations expand scope.
- Business logic complexity — multi-step flows, payments, and permissions take longer to test thoroughly.
- Testing depth — a black-box test costs less than a grey-box test with credentials and source access, but finds less.
- Compliance requirements — SOC 2, ISO 27001, or customer-mandated reporting formats can add scope.
Types of assessment and how they compare
Automated vulnerability scan
The cheapest option, and the weakest. A scanner crawls your app and flags known patterns. It's useful for catching low-hanging fruit continuously, but it cannot understand your business logic, chain vulnerabilities, or verify exploitability. Treat it as hygiene, not assurance.
Manual penetration test
A human tester works through your application the way an attacker would — mapping the attack surface, testing every role by hand, and proving impact with real exploits. This is what most compliance frameworks and enterprise customers mean when they ask for a pentest, and it's where the real value lives.
Grey-box vs black-box
In a black-box test, the tester starts with nothing but a URL. In a grey-box test, they get test credentials for each role and sometimes source access. Grey-box is almost always the better value: less time is spent on reconnaissance and more on finding deep issues, so you get more coverage for the same budget.
Why the cheapest quote is rarely the best value
A rock-bottom quote usually means one of two things: the test is mostly an automated scan with a report wrapped around it, or the tester is under-scoping the time needed to test properly. Either way, you pay for a document that satisfies a checkbox but leaves real vulnerabilities in production. The goal isn't the cheapest report — it's the highest confidence that your application is actually secure.
A penetration test you can't act on is an expense. One that finds real, fixable issues before an attacker does is an investment.
How to budget as a startup
- Define what you actually need tested — the core app, the API, or everything.
- Prefer grey-box testing with credentials for each role to maximize coverage per dollar.
- Ask what's included: is retesting after fixes part of the price, or extra?
- Get a fixed quote and a defined scope, not an open-ended hourly arrangement.
- Plan for an annual test plus a retest after any major architectural change.
What you should always get for the price
- A fixed, agreed scope and timeline before testing starts
- Manual testing, not just a scanner report
- A risk-rated report with reproduction steps and remediation guidance
- A retest to confirm your fixes actually closed the issues
- A letter of attestation you can share with customers and auditors
If you'd like a fixed quote for your application, get in touch with a few details about your stack and roles, and I'll come back with a clear scope and price — no obligation.
Written by Jalwan, freelance web application penetration tester.
Book a security assessment →