Vulnerability assessments are table stakes for most organizations now, but pricing them wrong kills your margins and your credibility. Get it right, and you unlock recurring revenue and attract serious enterprise clients who budget for security. Here's how to price your assessments competitively without leaving money on the table.
Understanding Your Cost Structure
Before you quote anything, map your actual delivery costs. A vulnerability assessment isn't just scanning—it's scoping the environment, running tools (Nessus, Qualys, Tenable, Rapid7), analyzing results, validating findings, and writing a report. Factor in your hourly rate (security professionals typically bill $150–$300/hour), infrastructure access (if you're hosting scanning appliances), tool licenses, and the time your team spends on remediation guidance.
For a mid-sized company with 100–500 assets, expect 40–80 billable hours. At $200/hour average, that's $8,000–$16,000 in pure labor. Add tool costs (usually 10–15% of labor), and your floor is around $10,000 for a solid engagement.
Pricing Models That Work
Hourly rates are simple but risky. Clients hate open-ended bills, and you may underestimate scope. Reserve hourly billing for follow-ups, custom analysis, or clients with unusual infrastructure.
Per-asset pricing ($50–$200 per asset scanned) scales with scope and appeals to clients with clear asset counts. A company with 300 servers might pay $15,000–$60,000. This model works well if you're clear about what counts as an asset upfront.
Project-based pricing ($5,000–$50,000+) is most common and most profitable. You scope the work, quote a fixed fee, and keep any efficiency gains. This requires accurate scoping: questionnaire, discovery calls, and documented assumptions. A small business assessment might run $5,000–$10,000; mid-market, $15,000–$35,000; enterprise, $40,000+.
Retainer/recurring assessments ($2,000–$8,000/month) lock in predictable revenue. Many clients now want quarterly or semi-annual rescans. Offer a discount (typically 20–30% off one-time pricing) and you'll convert transactional deals into sticky relationships.
Adjusting for Scope & Complexity
Scope dramatically affects pricing. Ask these questions early:
- How many networks, cloud environments, or VLANs?
- Are there firewalls, WAFs, or other controls complicating access?
- What's the asset count (servers, workstations, applications, network devices)?
- Do you need API testing, cloud-specific scanning, or wireless assessment?
- Is remediation guidance required, or just a report?
A simple internal network scan of 50 workstations might be $3,000. The same client with three data centers, AWS, Azure, 10 applications, and a requirement for remediation documentation could justify $30,000+.
Competitive Positioning
Check what established players charge in your market. Larger MSPs and security firms often price 30–50% higher than smaller shops, partly because clients associate scale with accountability. If you're newer, you have two strategies:
- Undercut slightly ($10–20% below market) to build case studies and references, then raise rates.
- Specialize deeply (e.g., "PCI-DSS assessments for hospitality" or "retail payment systems") and charge premium rates ($25,000+) because your expertise justifies it.
Don't compete on price alone. You'll burn out. Compete on speed, compliance alignment, remediation support, or deep technical expertise.
Getting Leads & Closing Deals
Price is only half the battle—you need to reach prospects. Listing your vulnerability assessment services on platforms like Mercoly helps you get found by businesses actively searching for these services, win qualified leads, and showcase your expertise to decision-makers. Combined with case studies, certifications (OSCP, GPEN, CEH), and client testimonials, you'll attract clients who understand the value and don't haggle on price.
Frequently Asked Questions
Q: Should I offer a free vulnerability scan to close deals? A free scan is a race to the bottom. Instead, offer a 30-minute scoping call and a one-page assessment proposal—it proves competence without giving away hours.
Q: How do I handle clients who want pentest pricing for a vuln assessment? Be clear on deliverables: an assessment finds vulnerabilities; a pentest tries to exploit them and document business impact. Pentests cost 2–3x more and take longer. Many clients just need assessments.
Q: What happens if I discover critical findings mid-engagement? Always include "findings validation and documentation" in scope. If scope expands significantly, flag it immediately and offer a change order—don't absorb extra work.
Start with project-based pricing, track your hours ruthlessly, and adjust rates quarterly based on demand and delivery efficiency.