For customers· 4 min read

Penetration Testing Pricing Models: Per Hour vs. Project vs. Retainer

Understand different pen testing pricing structures and how to choose the best model for your organization's needs.

Penetration testing costs vary wildly depending on how you pay—and picking the wrong model can leave you overspending or under-protected. Understanding the trade-offs between hourly, project-based, and retainer pricing helps you align your budget with your actual security needs.

Hourly Rate Model: Flexibility at a Premium

Hourly rates typically range from $150 to $400+ per hour for penetration testing, depending on the tester's experience level, certifications (OSCP, CEH), and geographic location. This model works well when you have vague scope boundaries or want to test only specific systems without committing to a full engagement.

The upside: You pay for exactly what you use. If the tester discovers a critical vulnerability early and needs only 20 hours instead of 40, you're not stuck with unused budget.

The downside: Costs become unpredictable. A complex infrastructure might take 60 hours instead of 30, and hourly billing incentivizes longer engagement timelines. Many clients find themselves surprised by final invoices.

Hourly rates work best for smaller organizations, quick spot-checks, or when you're testing a single application or network segment.

Project-Based Pricing: Predictability and Scope Lock

Project-based pricing charges a flat fee for a defined scope of work. A typical web application penetration test runs $5,000–$15,000; network infrastructure testing costs $8,000–$25,000+, depending on size and complexity. Scope is locked upfront: the tester commits to testing specific IP ranges, applications, or systems, and you know the final cost.

Key advantages:

  • Budget certainty—no surprise invoices
  • Clear deliverables and timeline expectations
  • Incentivizes efficient, focused testing
  • Easier to compare quotes between vendors

The catch: Scope creep happens. If you discover mid-engagement that you need to test an additional application or network segment, negotiating changes can be friction-heavy and costly.

Project-based pricing suits organizations with well-defined infrastructure and clear testing objectives. It's the most common model for annual penetration tests or one-off compliance assessments.

Retainer Model: Ongoing Coverage and Continuous Testing

Retainer pricing involves a recurring monthly or quarterly fee (typically $2,000–$10,000+ monthly) for continuous or periodic penetration testing, vulnerability scanning, and remediation verification. Some retainers include a set number of testing days per month; others cover unlimited scans with scheduled deep-dives.

Why retainers win for mature security programs:

  • Budget predictability across the fiscal year
  • Continuous testing catches vulnerabilities introduced by new deployments
  • Regular remediation follow-up ensures fixes actually work
  • Easier to build long-term relationships with your testing team

Realistic scenario: A mid-market SaaS company with monthly deployments might budget $5,000/month for a retainer covering weekly automated scans, two full manual penetration tests quarterly, and 10 hours of consulting for remediation guidance.

The trade-off: You're paying for ongoing commitment whether you use every hour or not. Retainers work best if you have active development cycles, frequent infrastructure changes, or strict compliance requirements (SOC 2, PCI-DSS).

Choosing Your Model: Decision Framework

Choose hourly rates if:

  • You're testing a single small system or asset
  • Scope is genuinely unclear upfront
  • You want maximum flexibility

Choose project-based pricing if:

  • You have clearly defined scope (specific apps, IP ranges, or systems)
  • You need annual or semi-annual testing for compliance
  • Budget certainty matters more than flexibility

Choose retainer pricing if:

  • Your infrastructure changes frequently (new deployments, features, APIs)
  • You need continuous or quarterly testing
  • You want the same trusted team monitoring your environment over time

What to Compare When Getting Quotes

Don't just compare dollars—evaluate what's actually included. Some providers bundle vulnerability scanning and remediation guidance into project fees; others charge separately. Ask about:

  • Scope of testing (white-box, black-box, gray-box)
  • Post-test remediation review and re-testing
  • Whether findings include proof-of-concept code
  • Timeline for final report delivery
  • How findings are prioritized and rated (CVSS scores, business risk)

Platforms like Mercoly let you compare and find trusted penetration testing providers in one place, making it easier to evaluate pricing models and service offerings side-by-side.

Frequently Asked Questions

Q: What's the difference between a vulnerability scan and a penetration test, and why do they have different costs? Vulnerability scans run automated tools to identify known weaknesses; penetration tests involve manual exploitation and business-impact assessment. Penetration testing costs 3–5x more because it requires experienced human expertise, not just software.

Q: Can I switch from project-based to retainer pricing mid-year? Yes. Most providers allow you to transition, though you may negotiate how previous project costs apply toward retainer fees.

Q: How often should I run penetration tests? Annually is standard for compliance; quarterly is industry best practice for active development environments; monthly for high-risk or heavily regulated organizations (financial services, healthcare).

Ready to compare penetration testing pricing and find the right provider for your needs? Get quotes from vetted providers today.

Looking for Penetration Testing & Vulnerability Assessment?

Compare trusted Penetration Testing & Vulnerability Assessment providers on Mercoly — browse profiles, products, and services and reach out in one place.

Related articles

More in IT Services & Managed Support · Penetration Testing & Vulnerability Assessment