A red team engagement and a vulnerability assessment sound similar—but they serve vastly different purposes, operate on different timelines, and carry different price tags. Understanding the gap between them is critical when you're budgeting for security work and selling these services to clients. This guide breaks down the real differences, typical costs, and what you should be selling to which customers.
The Core Difference
A vulnerability assessment is a systematic scan and report: tools probe your network, identify weaknesses (unpatched systems, weak credentials, misconfigurations), and deliver a documented list. It's defensive and methodical—you get a spreadsheet of findings with severity ratings.
A red team engagement is adversarial and goal-focused: testers assume an attacker's mindset, use discovered vulnerabilities creatively, and try to achieve a business objective (steal data, move laterally, establish persistence). It's a simulation of a real breach, not just a checklist of holes.
That difference dictates scope, skill level, duration, and what you charge.
Pricing Reality for Vulnerability Assessments
Standard vulnerability assessments typically range from $3,000 to $15,000 depending on environment size and complexity. A small business with 50 devices might pay $3,500–$5,000. A mid-market company with 500 systems across multiple locations could see $8,000–$12,000. Enterprise environments with thousands of assets, cloud infrastructure, and complex compliance requirements push toward $15,000–$25,000.
The scan itself is often semi-automated—you're running tools like Nessus, Qualys, or Rapid7 InsightVM against the client's infrastructure and interpreting results. The time sink is usually 20–40 hours per engagement for scanning, remediation validation, and reporting.
Margins are healthy here. Tool licenses run $1,500–$4,000 annually per seat, and one tool can service dozens of clients annually. Your cost per engagement drops significantly after the first few jobs.
Red Team Engagements: The Premium Service
Red team work is substantially more expensive: expect $25,000 to $100,000+ depending on scope and duration. A two-week, focused red team against a single office might be $35,000–$50,000. A month-long, multi-location, multi-vector campaign (phishing, physical, network, supply chain) for an enterprise easily hits $75,000–$150,000.
Why the jump?
- High-skill testers cost more. You need people who can pivot between attack paths, write custom exploits, and think strategically—not button-pushers.
- Duration matters. Red teams run 1–4 weeks on average; vulnerability assessments finish in days.
- Scope is broader. Red teams often include social engineering, physical penetration, and supply chain reconnaissance alongside network testing.
- Deliverables differ. You're not handing over a vulnerability report; you're writing an incident narrative showing how an attacker would have moved through the organization.
Margins are tighter on red teams because labor costs are front-loaded and tooling is minimal. But these are also the engagements that build your reputation and lead to retainer work.
What Clients Actually Need (And What to Sell Them)
Not every prospect needs a red team—and overselling one damages your credibility.
Sell vulnerability assessments to:
- Small businesses with limited budgets ($1M–$50M revenue)
- Organizations meeting basic compliance (PCI-DSS, SOC 2)
- Clients renewing annual assessments or validating remediation
- Companies with immature security programs
Sell red teams to:
- Organizations with mature security teams already in place
- Clients after a breach or near-miss
- Financial services, healthcare, critical infrastructure
- Companies preparing for major M&A or IPO
- Any client spending >$200K annually on security
The sweet-spot upsell: offer a vulnerability assessment as the entry point, then propose a scoped red team for their highest-risk environment or critical application.
Building Your Service List
If you're listing your pentesting and vulnerability services on Mercoly, be specific. Don't just say "penetration testing." Break it down:
- Vulnerability Assessment (network, web application, infrastructure)
- Red Team Engagement (specify duration: 1-week, 2-week, custom)
- Remediation Validation
- Compliance-Focused Assessments (PCI, HIPAA, SOC 2)
Clients filter and search by these specifics. Listing services this way helps you get found, win qualified leads, and clearly sell what you offer.
Frequently Asked Questions
Q: How often should a client repeat a vulnerability assessment? Most compliance frameworks require annual scans minimum; mature organizations run them quarterly. This becomes a predictable revenue stream—schedule clients on rolling cycles.
Q: Can I offer both services to the same client? Absolutely. Run an assessment first (quick win, lower cost), then propose a targeted red team on the highest-risk systems once you've identified them.
Q: What tools do I need to get started with assessments? Nessus Professional or Qualys VMDR covers 80% of engagement types; invest in one and master it before buying additional tools.
Start with vulnerability assessments to build process and reputation, then expand into red team work as your team's expertise grows.