The honest answer to how much a penetration test costs is that it depends, but that is not helpful on its own. What actually matters is understanding the handful of things that move the price, because once you see them you can scope a test that fits your budget and your real risk instead of guessing.
As a rough shape of the market, a focused penetration test of a single web application often starts in the low thousands of dollars. A broader engagement that covers your web app, your network, and your cloud environment can run well into five figures. Anyone who quotes you a firm number before understanding your scope is either guessing or selling a scan dressed up as a pen test.
What actually drives the cost
Scope. The biggest lever by far. Testing one web application is a small job. Testing a web app plus its APIs, an internal and external network, and a cloud environment across AWS and GCP is several jobs. The more systems and the more entry points, the more time it takes.
Depth. A light test looks for common, known issues. A deep test chains findings together, tests business logic, and behaves like a real attacker who is trying to get all the way in. Depth costs more because it is skilled human time, not a tool run.
Type. Web application, network, cloud, and social engineering are different disciplines. A test that spans several of them costs more than a single one.
Black box versus white box. If the testers start with no knowledge and have to discover everything, that takes longer than a test where you hand over architecture and credentials so they can go deep faster. White box is often better value because more of the time goes into finding real problems instead of mapping the surface.
What you should get for the money
A real penetration test is a human-led attack, not an automated scan with a logo on the report. When it is done, you should receive findings ranked by severity and by what an attacker could actually do, clear steps to fix each one, and a retest to confirm the fixes worked. If the deliverable is a 200 page export from a scanner, you paid for the wrong thing.
Cheap tests that cost you more
The lowest quotes are usually automated vulnerability scans relabeled as penetration tests. They have their place, but they do not find business logic flaws, they do not chain issues together, and they will not satisfy a serious enterprise buyer or auditor who asks how the test was performed. Paying a little for a scan and believing you have had a pen test is the most expensive mistake, because it fails exactly when you need it to hold up.
How we scope it
We scope a test to your actual risk and what you need it for, whether that is closing an enterprise security review, satisfying SOC 2 or PCI, or just finding out where you are exposed. Testing is delivered with our partner Lorikeet Security and led by a published security researcher with six CVEs, so you get depth, not a scan. If you want to talk through scope and get a real number, tell us what you are running or see our full security and penetration testing services.