Web applications are a favorite target for attackers—they're externally facing, often handle sensitive data, and one successful breach can compromise your entire business. A proper penetration test exposes real vulnerabilities before criminals do, but only if you know what to demand from the engagement.
What Penetration Testing Actually Covers
A web application penetration test simulates real-world attacks against your application's front end, back end, APIs, and authentication mechanisms. Unlike automated vulnerability scanning, a skilled penetration tester manually explores logic flaws, business logic bypasses, and context-specific weaknesses that tools miss.
The scope matters enormously. Before hiring, clarify whether the test covers:
- Authentication and session management (login bypass, token theft, privilege escalation)
- Input validation (SQL injection, cross-site scripting, command injection)
- API endpoints and rate limiting
- File upload functionality and storage
- Payment processing flows (if applicable)
- Third-party integrations and dependencies
Red Flags When Evaluating Providers
Not all penetration testers are equal. Watch for these warning signs:
- No clear methodology: Reputable firms follow established frameworks like OWASP Top 10 or NIST guidelines. If they can't explain their approach, skip them.
- Flat-rate pricing with no scoping conversation: A $5,000 test for a massive microservices platform signals they won't dedicate real time to your application.
- Vague deliverables: Demand a detailed report template showing how they'll document findings, severity levels, and remediation guidance—not just a list of vulnerabilities.
- No previous experience with your tech stack: Testing a Node.js/React app requires different expertise than a legacy .NET application. Ask for references.
- Solo operators without backup: Larger engagements need multiple testers to cover ground thoroughly. A single person can miss critical issues.
What to Expect in Timeline and Cost
A legitimate web application penetration test typically runs 1–4 weeks depending on application complexity and scope. Expect to pay:
- Small applications (basic CRUD app, limited features): $3,500–$7,500 for 1 week
- Medium applications (e-commerce platform, multiple user roles): $8,000–$15,000 for 2 weeks
- Large/complex applications (banking, multi-tenant SaaS): $20,000–$50,000+ for 3–4 weeks
Pricing reflects tester experience level and depth. A $2,000 test is usually rushed; a $150,000 test may include additional services like secure code review or post-remediation retesting. Know your budget before vetting providers.
Critical Elements of a Quality Report
Your final deliverable should include:
- Executive summary for non-technical stakeholders (what was tested, overall risk posture, top 3 findings)
- Detailed findings with proof-of-concept screenshots or code snippets showing exploitation
- CVSS scoring or clear severity ratings (Critical, High, Medium, Low)
- Specific remediation steps for developers—not just "implement input validation," but "use parameterized queries in
/api/user/searchendpoint" - Remediation timeline recommendations (patch critical items in 7 days, high in 30 days, etc.)
- Raw scan data or logs if you need evidence for compliance audits
Some providers offer a retesting phase after you patch vulnerabilities, usually at 30–50% of the original cost. This is valuable—it confirms fixes actually work.
Finding the Right Partner
Use platforms like Mercoly to compare and review penetration testing providers in one place, seeing their methodologies, past work, and pricing side-by-side before reaching out.
When evaluating candidates, ask:
- Can you walk us through your testing methodology and how you prioritize findings?
- Do you test staging or production, and what are your safeguards against causing downtime?
- Will our development team get a debrief call to discuss technical details?
Frequently Asked Questions
Q: How often should we conduct penetration testing? Industry best practice is annually for stable applications, or after major feature releases, technology upgrades, or when you've made significant architecture changes—whichever is more frequent.
Q: Can we do a penetration test on a live production system? Yes, but it requires careful scoping and coordination with your infrastructure team to avoid outages; testing is usually scheduled off-peak hours, and aggressive payloads are avoided.
Q: What's the difference between penetration testing and vulnerability scanning? Scanning is automated and finds known CVEs quickly; penetration testing is manual, time-intensive, and discovers logic flaws and business logic bypasses that scanners can't detect.
Start by defining your scope, budget, and timeline, then request proposals from at least two qualified providers to compare their approach and deliverables.