
How much does penetration testing cost? Pricing and factors

NeoBit team, Jun 15, 2026

The cost of penetration testing does not come from a fixed price list, because a pentest is not an off-the-shelf product but a service whose cost depends on how many systems are tested, how deeply and for how long. That is why any figure quoted upfront, without a known scope, is pure guesswork. Below we explain which factors raise or lower the cost of penetration testing, how to think about scope, and what the quoting process looks like at NeoBit, so that in the end you receive a personalized assessment instead of a generic number.


Why there is no single price for penetration testing

A pentest is not charged per unit but by the estimated number of working days (so-called man-days) that an experienced specialist needs to invest in order to test the target seriously, manually and thoroughly. The larger, more sensitive and more complex the target, the more days are required, and therefore the higher the cost. In other words, you are not paying for a tool or a scanner but for expert time and depth of analysis.

This is precisely why two companies that both want a pentest can receive very different quotes. One is testing a single small web application, the other an entire internal network with dozens of servers. The same service by name, an entirely different job by scope. The goal of this article is not to tell you how much something costs, but to explain what makes the difference, so that you know what to expect and how to prepare your request to receive an accurate quote.

Factors that determine the cost of penetration testing

The main elements that go into the scope assessment, and therefore into the price, are the following:

  • Scope: the number of IP addresses, domains, applications, API endpoints or network segments included in the test. A single application is not the same as an entire infrastructure.
  • Number and type of targets: web application, mobile application, external perimeter, internal network, Wi-Fi, cloud environment or social engineering. Each category carries its own methodology and its own time requirement.
  • Type of access (black, grey or white box): how much information the team receives upfront. This directly affects both the duration and the cost, which is why we cover it in more detail below.
  • Complexity of the target: an application with a few screens and a single form is not the same as a platform with many user roles, payments, integrations and complex authorization.
  • Depth of testing: a quick automated scan is shallow, whereas a manual pentest with exploitation of vulnerabilities and lateral movement requires an experienced specialist and more days.
  • Retest: a re-check after you have remediated the findings. Some providers include it, others treat it as a separate job, so it is worth agreeing on this upfront.
  • Report and support: a quality report tailored to both the technical team and management, plus consultations after the test, are part of the value you receive.

Black, grey and white box: why it changes the calculation

The level of information the testing team receives before starting is one of the biggest factors in duration, and therefore in cost:

  • Black box: the team knows almost nothing, like a real external attacker. Realistic, but it requires more time for reconnaissance and mapping.
  • Grey box: the team is given limited access, for example a user account or basic documentation. The most common choice because it offers a good balance between depth and time invested.
  • White box: full insight into the source code, architecture and configuration. This is the most thorough approach and also finds what a black box would miss, but it requires more analysis time.

What raises and what lowers the cost of penetration testing

Instead of a price list, here is an overview of the factors and the direction of their impact. Using this table you can estimate for yourself whether your request will sit at the lower or upper end of the cost range, before you even request a quote.

| Factor                   | Reduces cost                              | Increases cost                                          |
|--------------------------|-------------------------------------------|---------------------------------------------------------|
| Scope                    | Narrow, clearly defined target            | Broad and vague scope, many systems                     |
| Number of targets        | A single application or segment           | Multiple applications, network, Wi-Fi and cloud together|
| Type of access           | Grey box with access prepared in advance  | Black box that requires lengthy reconnaissance          |
| Complexity of the target | Simple logic, few roles                   | Payments, integrations, many roles and an API           |
| Depth of testing         | Focus on the most critical functions      | Exhaustive exploitation and lateral movement            |
| Retest                   | Clearly agreed upfront                    | Repeated or unplanned verification cycles               |
| Readiness                | Access and environment ready on time      | Waiting on access and documentation during the test     |

An important warning: if you see a suspiciously low quote for a complete pentest, it is almost certainly an automated vulnerability scan rather than a genuine manual penetration test. A scanner has its role, but it is not the same thing and must not be sold under the same name. Real value comes from an experienced tester who correlates vulnerabilities, exploits them and proves their actual impact.

How to keep the cost under control yourself

The biggest jump in price usually comes from the number of targets and the required depth. A few practical tips on how to stay rational without losing quality:

  • Define the scope clearly in advance. Broad and vague means a larger buffer in the estimate, and therefore a higher cost.
  • Start with the most critical systems instead of trying to do everything at once. Testing in phases is often smarter and easier to plan.
  • Prepare the environment and access in time. Every day spent waiting for access is wasted time that someone is paying for.
  • Agree on a retest upfront so you know whether it is included or a separate job.

How the quoting process works at NeoBit

With us the process starts with a conversation, not a number. First we understand what you have, what concerns you and what your goals are, and only then do we prepare a quote tailored specifically to you. The flow looks like this:

  • Free scope assessment: a short conversation and a few questions about your systems, goals and deadlines. This step is free and commits you to nothing.
  • Scope and rules definition: we agree on what is included in the test, what type of access applies (black, grey or white box) and during which time window, so as not to disrupt your operations.
  • Personalized quote: you receive a concrete offer with clearly defined deliverables, with no hidden items and no surprises.
  • Test execution: carried out in a controlled manner, with regular communication and an immediate alert if we come across a critical vulnerability.
  • Report and recommendations: findings ranked by risk, with concrete remediation steps, understandable to both technical staff and management.
  • Retest: after you have remediated the findings, we verify that the gaps are truly closed.

NeoBit is based in Mostar and we work with companies in Bosnia and Herzegovina and the wider region, which means we understand the local context, regulations and way of doing business. Since the cost of penetration testing depends solely on your specific scope, the fastest way to a realistic figure is to describe your situation to us. Get in touch for a free scope assessment and you will receive a personalized quote with no obligation.

Frequently asked questions

Why can't you tell me the price of penetration testing right away?

Because a pentest is not a finished product but a service whose cost depends on the scope, the number and type of targets, the type of access and the depth of testing. Without that information, any figure would be guesswork. That is why at NeoBit we first carry out a free scope assessment, and only then provide a personalized quote.

Which factor has the greatest impact on the price of a pentest?

The greatest impact comes from the scope and the required depth, that is, how many targets are tested and how deeply the manual exploitation goes. The type of access also has a major influence, since a black box requires more time for reconnaissance than a grey box. The more clearly you define the scope, the more precise the quote.

Is a retest included?

It depends on the provider. At NeoBit we agree on the retest in advance so that you know exactly whether it is included or a separate job. A retest verifies whether you have successfully remediated the vulnerabilities found, and we recommend it because it confirms that the work is truly complete.

How can I get a concrete quote?

Get in touch with NeoBit for a free scope assessment. After a short conversation about your systems and goals, you receive a personalized quote with clearly defined deliverables, with no hidden items and no obligation.

Related guides: Cyber security in Bosnia and Herzegovina - a complete guide · Security assessment (security audit) - what it is and how it works · Red team, blue team and purple team - the differences