Your clients don't know what a fair price is, and neither do you—yet. Penetration testing is one of the most variable services in cybersecurity, ranging from $2,000 assessments to $50,000+ engagements, depending on scope. Getting your pricing right means winning better projects, attracting serious buyers, and building predictable revenue.
Understand the Three Main Pricing Models
You'll encounter three dominant approaches: hourly rates, project-based fees, and retainer models. Each has trade-offs that directly affect your margins and client relationships.
Hourly billing ($150–$300/hour for most testers, $300–$500+ for senior staff) works when scope is genuinely uncertain. However, it attracts price-conscious clients and creates friction at invoice time. Most penetration testing firms use this as a baseline for estimating, not their final offer.
Project-based pricing locks in a fixed fee for defined deliverables. A standard web application penetration test runs $5,000–$15,000; a network assessment across 5–10 systems costs $8,000–$25,000. This model suits clients who budget predictably and rewards you for efficiency.
Retainer agreements ($2,000–$10,000/month) bundle ongoing vulnerability scanning, quarterly assessments, and security monitoring. They create stable recurring revenue and deepen client relationships, but require sales effort and clear service definitions upfront.
Break Down Your Costs First
Before you set a rate, know what it costs to deliver. Calculate:
- Labor: Your hourly cost (salary + benefits ÷ billable hours). If you're solo, use market rates for your location and experience level.
- Tools: Burp Suite Pro ($399/year), Metasploit Pro ($7,995/year), vulnerability scanners, and lab infrastructure. Budget 3–8% of revenue here.
- Overhead: Office, insurance, compliance training, and administrative time. Add 25–40% to your labor costs.
- Profit margin target: Most IT services firms aim for 30–50% gross margin on services.
A quick example: If your all-in cost per engagement is $3,000 and you want 40% margin, your price should be around $5,000–$6,000.
Pricing by Scope and Complexity
Real-world clients come in distinct categories. Size your fee accordingly:
| Assessment Type | Scope | Typical Price Range | |---|---|---| | Web app penetration test | Single app, API, basic auth testing | $5,000–$12,000 | | Network penetration test | 10–20 systems, internal/external | $8,000–$20,000 | | Cloud infrastructure assessment | AWS/Azure/GCP environment | $10,000–$25,000 | | Physical + social engineering | Includes building access, phishing | $15,000–$40,000 | | Full internal security audit | Multi-system, compliance-focused | $20,000–$50,000+ |
Don't underprice complexity. A cloud assessment involves lateral movement testing, container escape scenarios, and identity federation risks—significantly different work than a basic web app test. Charge accordingly.
Create Clear Service Packages
Clients buy clarity, not confusion. Offer 2–3 defined packages with explicit deliverables:
- Standard: Network penetration test, 5 business days on-site, written report with findings and remediation steps. $8,500.
- Plus: Adds 10 days effort, includes retesting, executive presentation, prioritized findings matrix. $14,000.
- Premium: Full internal + external testing, 30-day engagement, remediation support, post-assessment scanning. $22,000.
This structure lets prospects self-select into the right tier and eliminates scope creep conversations.
When to Charge More
Increase rates when you encounter:
- Tight timelines: Rush delivery (2-week turnaround vs. 4-6 weeks) warrants 15–25% premium.
- Compliance mandates: PCI DSS, HIPAA, or SOC 2 assessments require documentation overhead. Add 20–30%.
- Specialized targets: OT/ICS environments, payment systems, or healthcare networks involve domain expertise. Charge 30–50% above baseline.
- Post-assessment support: Remediation guidance, retesting, and advisory work should be billed separately at hourly rates ($200–$400/hour).
Build Predictable Revenue with Retainers
Once you land a client, move them to a retainer. This is where the real money lives.
A client paying you $4,000/month for quarterly assessments, monthly vulnerability scans, and email support generates $48,000 annually with minimal acquisition cost. Use retainers to cover baseline security hygiene and upsell project-based assessments when major changes occur (new cloud deployment, merger, application redesign).
Position Yourself to Win More Work
Listing your services on platforms like Mercoly helps you get discovered by serious buyers, qualify leads before initial contact, and showcase your pricing transparently. Clients increasingly search for vetted service providers—make sure you're findable.
Frequently Asked Questions
Q: Should I discount for multi-year agreements or bundled services? Yes, but carefully. A 10–15% annual retainer discount for a 3-year commitment makes sense. Never discount more than 20%; you'll train clients to expect discounts and erode margins.
Q: How do I handle scope creep mid-engagement? Define scope in writing before work starts (systems included, testing methods, time on-site). Anything beyond that triggers a change order at your hourly rate—non-negotiable.
Q: What if a prospect says my price is too high? Don't drop your rate. Instead, shrink scope: "We can test your web app for $6,000 instead of $10,000 for the network—what's your priority?" You'll keep margin and serve their real need.
Get your first pricing framework in place this week, and refine it after three engagements.