For business owners· 4 min read

Penetration Testing Pricing: What to Charge for Ethical Hacking Services

Pricing frameworks for pen tests by scope, company size, and complexity. Build profitable security assessment pricing.

Penetration testing is one of the most profitable service lines in cybersecurity, but pricing it wrong can either undersell your expertise or price yourself out of deals. Getting the rate structure right means understanding what drives value, what the market actually pays, and how to justify your fees to clients who often don't know what they're paying for.

The Three Pricing Models That Work

Most penetration testing firms use one of three approaches: hourly rates, project-based fees, or retainer contracts. Hourly rates typically range from $150 to $400 per hour depending on your location, certifications, and experience level. Consultants with OSCP, CEH, or GPEN certifications command the higher end, particularly in competitive metro areas. The downside is that clients resist hourly work because the final cost stays uncertain—they want predictability.

Project-based pricing is where you'll land most enterprise deals. You estimate the scope, network size, number of targets, and complexity, then quote a flat fee. A basic internal network penetration test for a small business (under 50 systems) runs $5,000 to $12,000. Mid-market assessments (100-500 systems, multiple locations, web applications included) cost $15,000 to $40,000. Large enterprise engagements with complex infrastructure, multiple phases, and post-test remediation support regularly hit $75,000 to $200,000+. The key is scoping correctly upfront—vague or underestimated scope is where money gets left on the table.

Retainer models work well for clients who want ongoing assessments, vulnerability rescans, or continuous security testing. Monthly retainers typically range from $2,000 to $10,000 depending on the depth of work and number of systems monitored. This creates predictable revenue and stronger client relationships.

What Actually Drives Your Price

Client size and budget aren't everything. Consider these factors:

  • Complexity of systems tested: Legacy infrastructure, custom applications, and specialized tech (SCADA, medical devices, industrial controls) justify 20-40% price premiums over standard network tests.
  • Regulatory requirements: Healthcare, finance, and government clients often have compliance mandates (HIPAA, PCI-DSS, NIST) that require specific testing frameworks. They'll pay more because you're meeting legal obligations, not just hunting vulnerabilities.
  • Timeline: A two-week penetration test costs less than a three-day urgent assessment. Rush jobs command 25-50% premiums.
  • Remediation support: Testing without guidance is useless. Clients value follow-up consultations, risk prioritization, and remediation verification. Bundle these into your quote.
  • Your credentials and track record: Established firms with published case studies, industry recognition, and a roster of recognizable clients justify 40-60% higher rates than newer operations.

How to Justify Your Numbers

Clients push back on price when they don't understand value. Create a one-page breakdown showing:

  • Number of security tests performed (your experience volume)
  • Types of vulnerabilities found in similar environments (show pattern of real results)
  • Cost of a single breach in their industry (usually 10-20× your testing fee)
  • Compliance or contractual requirements that mandate testing

Share a redacted case study where your testing caught something critical. A client saved millions by fixing an exploitable vulnerability before attackers found it—that story sells better than any feature list.

Avoiding Pricing Traps

Don't undercut your own value by bundling penetration testing with vulnerability scanning. A scan costs $1,000-$5,000 and takes hours. A real penetration test with manual exploitation, credential testing, and attack path analysis takes days and demands expertise—price accordingly.

Avoid the "per-system" pricing trap. A network with 100 simple Linux servers isn't equivalent in complexity to 100 mixed environments with Windows domains, databases, and web applications. Quote based on scope and effort, not unit count.

Build a discovery call into your process. Many firms lose deals because they're quoting blind. A 30-minute conversation reveals network architecture, risk tolerance, and budget reality. You'll quote smarter and close more deals.

Getting visibility matters too—listing your penetration testing services on a dedicated platform like Mercoly helps you reach businesses actively seeking these services, win qualified leads, and showcase your expertise to a ready audience.

Frequently Asked Questions

Q: Should I offer a discount for multiple sites or ongoing retainers? Yes, 10-15% discounts for multi-site testing or annual retainers are standard and create volume incentives without devaluing your work.

Q: How do I price a web application penetration test separately from infrastructure testing? Web app testing typically costs $5,000 to $25,000 depending on application complexity and code coverage required. Price it as a separate line item—it's different skill work with different timelines.

Q: What's the typical timeline I should quote for a mid-market penetration test? Plan 2-4 weeks from kickoff to final report for a network with 100-500 systems; factor in client availability for credential sharing and interview time.

Start with market research in your region, define your service tiers clearly, and raise rates as demand increases—don't leave money on the table by underpricing expertise your clients desperately need.

Run a Cybersecurity Services business?

List your profile on Mercoly, get found by ready-to-buy customers, capture leads, and sell your products and services — all in one place.

Related articles

More in IT Services & Managed Support · Cybersecurity Services