How Much Does a Pen Test Cost in the UK?

"How much does a pen test cost?" is the first question I get from almost every prospect, and it's understandable. You've been told you need one, your insurer's asking for evidence of one, or a client has put it in a contract. You want a number so you can get it signed off.
The honest answer is that the price depends on what you're testing. That sounds like a dodge, but it isn't. A pen test isn't a fixed product. It's a person, with specific qualifications, spending a defined number of days inside your environment trying to break things. The cost follows from the scope, and the scope follows from what you need to know.
I can't give you a single number that applies to every business. But I can tell you exactly what drives the price, what the realistic ranges are, and how to spot a quote that's too good to be true.
What drives the price
Four things determine what a pen test costs. Get a handle on these and you'll understand every quote you receive.
The number of days is the biggest factor. A pen test is priced by the day because that's how the work happens. I'm not running a script overnight and emailing you the output. I'm sitting on your network, testing configurations, probing authentication, looking for paths an attacker would use. More systems in scope means more days, and more days means a higher total cost.
The type of testing. External network testing, internal network testing, web application testing, social engineering, and wireless assessments are all different disciplines. Each one requires a different approach and a different amount of time. An external-only test is the lightest engagement. A combined internal, external, and web application test is substantially bigger. (I've written separately about how we allocate pen testing days, which covers the scoping process in detail.)
The tester's qualifications. There's a wide range of people calling themselves penetration testers. Some hold CREST certifications, which means they've passed practical exams demonstrating they can actually find vulnerabilities in live systems. I hold a CRT (CREST Registered Penetration Tester). Others have different certifications, or no certifications at all. The qualification level affects the day rate, and it should, because someone who's passed a practical exam is a different proposition from someone who's watched a few courses online.
The report quality matters more than most people realise. A proper pen test report isn't a scan export with a cover page. It includes an executive summary your board can read, technical findings with evidence (screenshots, command output, packet captures), an attack narrative showing how I moved through the environment, and specific remediation guidance for your setup. Writing that report takes time, and that time is baked into the cost. If the quote doesn't mention what the report includes, ask.
What pen tests actually cost
Here's a realistic breakdown by engagement type. These are UK market ranges for qualified testers (CREST-registered or equivalent) working to a recognised methodology such as the OWASP Testing Guide or PTES, not the cheapest quotes you'll find online.
| Engagement type | Typical days | Approximate cost range |
|---|---|---|
| External network only | 1-3 days | £1,500 to £4,000 |
| Internal network | 2-5 days | £2,500 to £7,000 |
| Web application (per app) | 2-5 days | £2,500 to £7,000 |
| Social engineering | 1-3 days | £1,500 to £4,000 |
| Wireless | 1-2 days | £1,000 to £2,500 |
| Combined engagement | 5-12 days | £5,000 to £15,000+ |
The ranges overlap because scope varies so much. A two-person business with a single web app and a small external footprint sits at the bottom. A multi-site organisation with Active Directory, cloud infrastructure, and three customer-facing applications sits at the top.
A few things are worth noticing in that table. First, you won't find a genuine pen test for under £1,000. If you do, it's almost certainly an automated scan with a human's name on the report. Second, combined engagements don't just add up linearly. There are efficiencies when I'm already on the network, so a combined internal and external test costs less than booking them separately with different providers. Third, these ranges assume a qualified tester. Someone without CREST or equivalent accreditation may charge less, but you're getting a different service.
Is that expensive?
That depends entirely on what you're comparing it to. A pen test is several thousand pounds. That's real money, especially for a smaller business. But the comparison that matters isn't "pen test versus nothing." It's "pen test versus the cost of what happens when nobody checks."
The average cost of a cyber breach for a UK business is significantly higher than the cost of a pen test. Insurance premiums are rising, and supply chain requirements are getting stricter. And if you're bidding on government contracts that involve personal data or ICT services, PPN 09/14 already requires Cyber Essentials. More procurement frameworks are starting to ask for evidence of pen testing too.
I'm not trying to scare you into buying one. But if you're weighing the cost against "we'll probably be fine," that's not a comparison; that's a hope.
The scan versus test distinction
This is where I see the most confusion, and where the cheapest quotes tend to hide.
A vulnerability scan is a piece of software that checks your systems against a database of known issues (Common Vulnerabilities and Exposures, or CVEs). It runs automatically, takes minutes to hours, and produces a list of what it found. You can subscribe to scanning services for under £100 a month. Some are genuinely useful for ongoing monitoring.
A penetration test is a qualified person spending days inside your systems thinking like an attacker. I'm not just checking whether a known CVE exists. I'm testing whether your business logic has flaws, whether I can chain low-severity issues together into something serious, whether I can convince your staff to hand over credentials, and whether your network segmentation stops lateral movement the way you think it does. No scanner checks for any of that.
Both have their place in a security programme. Scanning is valuable for continuous monitoring between pen tests. But a scan is not a pen test, and a provider selling you a scan while calling it a pen test is misrepresenting the service.
How to tell the difference in a quote: a pen test quote will specify the number of testing days, the methodology, and the tester's qualifications. A scan quote won't mention any of those because there's no human doing the testing.
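To make the scan-versus-test point concrete, here is an added example (not code from the article or from Net Sec Group) of the kind of flaw a CVE scanner cannot see. The shop, its catalogue, prices and user accounts are constructed for illustration. The vulnerable checkout has no known CVE, no outdated component and no error page to fingerprint; it is simply missing an ownership check and a quantity check, which is exactly the business-logic testing a human does and a scanner does not. The hardened version sits beside it.

```python
"""Business-logic flaws that a vulnerability scanner cannot detect.

Added example, not code from the original article. The catalogue, prices
(GBP) and accounts are constructed test data.
"""
from dataclasses import dataclass, field

# Constructed catalogue: SKU -> unit price in GBP.
PRICES = {"widget": 25.00, "gadget": 40.00}


@dataclass
class Account:
    user_id: int
    balance: float
    orders: list = field(default_factory=list)


# --- "before": works for honest customers, scanner-clean, exploitable -------
def checkout_vulnerable(accounts, actor_id, target_id, items):
    """Charge `target_id` for `items` on behalf of the logged-in `actor_id`.

    No CVE applies to this code. Two logic flaws remain:
    1. `actor_id` is never compared with `target_id`, so any user can
       charge any other user's account (an insecure direct object reference).
    2. Quantities are not validated, so a negative quantity produces a
       negative total and credits the account instead of charging it.
    """
    total = sum(PRICES[sku] * qty for sku, qty in items.items())
    acct = accounts[target_id]
    acct.balance -= total
    acct.orders.append((dict(items), total))
    return total


# --- "after": identical behaviour for honest input, both flaws closed -------
class OrderError(ValueError):
    """Raised when an order fails a business-rule check."""


def checkout_hardened(accounts, actor_id, target_id, items):
    if actor_id != target_id:
        raise OrderError("cannot charge another user's account")
    if not items:
        raise OrderError("empty order")
    for sku, qty in items.items():
        if sku not in PRICES:
            raise OrderError(f"unknown sku {sku!r}")
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise OrderError(f"invalid quantity for {sku!r}: {qty!r}")
    total = sum(PRICES[sku] * qty for sku, qty in items.items())
    acct = accounts[target_id]
    if acct.balance < total:
        raise OrderError("insufficient funds")
    acct.balance -= total
    acct.orders.append((dict(items), total))
    return total


def fresh_accounts():
    """Constructed accounts: user 1 (victim) and user 2 (attacker), £100 each."""
    return {1: Account(1, 100.0), 2: Account(2, 100.0)}


def run_vulnerable():
    """Two attacks a tester would try by hand; returns the resulting balances."""
    accounts = fresh_accounts()
    # Attacker credits their own account with a negative quantity.
    checkout_vulnerable(accounts, actor_id=2, target_id=2, items={"widget": -4})
    # Attacker charges the victim's account for goods.
    checkout_vulnerable(accounts, actor_id=2, target_id=1, items={"gadget": 2})
    return {uid: acct.balance for uid, acct in accounts.items()}


def run_hardened():
    """Same two attacks against the fixed code, plus one honest purchase."""
    accounts = fresh_accounts()
    errors = []
    for actor, target, items in ((2, 2, {"widget": -4}), (2, 1, {"gadget": 2})):
        try:
            checkout_hardened(accounts, actor, target, items)
        except OrderError as exc:
            errors.append(str(exc))
    honest_total = checkout_hardened(accounts, 1, 1, {"widget": 2})
    return {
        "errors": errors,
        "honest_total": honest_total,
        "balances": {uid: acct.balance for uid, acct in accounts.items()},
    }


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:  ", run_hardened())
```

A scanner fed this application's host would report the web server version and any CVEs against it, and nothing else, because the flaw is in what the code does with valid-looking input rather than in a component with a known weakness. Finding it requires someone to ask "what if the quantity is negative?" and "what if I change the account ID?", which is precisely the work the testing days pay for.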
What about Cyber Essentials Plus?
I get this question a lot. CE Plus includes vulnerability scanning as part of the technical audit, so people assume it's the same thing as a pen test. It isn't.
CE Plus costs between £1,200 and £2,100 + VAT depending on the assessor and the size of your organisation. It's a worthwhile certification, but it's testing whether you meet the five Cyber Essentials controls. It doesn't test what an attacker could do with what's left after you've met those controls.
I've assessed organisations that passed CE Plus and then had serious findings on their pen test. CE Plus might confirm your patching is current and your MFA is enabled. A pen test will tell you whether three individually low-severity misconfigurations, none of which would fail CE Plus on their own, can be chained together to give me domain admin access, which is a fundamentally different question.
If your budget only stretches to one, start with CE Plus, because it covers your compliance baseline. But don't assume it replaces a pen test. They answer fundamentally different questions.
Red flags in cheap quotes
Not every low quote is bad; some simply reflect a smaller scope. But there are patterns I've seen that should make you ask more questions.
No methodology stated. If the quote doesn't mention CREST accreditation, the OWASP Testing Guide, PTES (Penetration Testing Execution Standard), or any other named methodology, ask what approach they'll follow. "We have our own internal methodology" without any further detail isn't reassuring.
No tester qualifications listed. Ask who is actually doing the work and what certifications they hold. CREST-registered testers have passed practical exams, not just multiple-choice theory tests. If the provider can't tell you who'll be on the engagement and what their qualifications are, that's a problem.
No report sample available. Any reputable pen testing firm will share a redacted sample report before you sign. If they won't, you don't know what you're buying. The report is the deliverable. You should see what it looks like before you pay for it.
Fixed price regardless of scope. "We do pen tests for £X" without asking what you need tested means one of two things. Either they're running the same automated scan for everyone, or they're going to cut corners on the engagement to fit the price. Neither is what you want.
Turnaround time of a day or two. A meaningful pen test takes multiple days of testing alone, before report writing. If someone's offering to pen test your entire infrastructure in a single day, they're scanning it. There's nothing wrong with a scan, but call it what it is.
Getting budget approved internally
If you're the person trying to get this signed off, here's what works in the conversations I've seen go well.
Frame it around risk rather than compliance. Boards approve spending to reduce risk to the business. "We need this for compliance" gets approved reluctantly. "This will tell us whether an attacker can reach our finance system, and this is what that could cost us" gets approved with fewer questions.
Bring day ranges rather than exact prices. Tell your finance team: "A proper pen test for our scope is likely 5 to 8 days, at market rates for qualified testers." That's more credible than a single number, because it shows you've understood the variables.
Show what the test actually produces as a deliverable. Most decision-makers have never seen a pen test report. If you can share a redacted sample (we provide one on request), that changes the conversation from "we need to spend money on security" to "we'll get a report that tells us exactly what to fix and in what order."
Compare against breach costs, not against doing nothing. The question isn't whether you can afford a pen test. The question is whether you can afford not to know what's on your network.
And if the budget genuinely isn't there this year, say so. I'd rather have an honest conversation about what you can afford and scope something useful within that, than have you buy a scan from someone else and believe you've had a pen test. A smaller-scope engagement that tests the right things is better than a full-scope engagement that tests nothing properly.
What's included, and what costs extra
Every pen test engagement should include the testing itself, the report, and a debrief, and in practice it looks like this.
Testing days are the core of the engagement. The day count in the quote refers to active testing time; report writing and the debrief sit on top of it, as described below.
The report comes after testing and takes additional time to write. For a five-day engagement, the report is usually ready within a week. It includes the executive summary, technical findings with evidence, the attack narrative, and remediation guidance. Report writing time is included in the quoted price, not charged separately.
The debrief is a call where I walk your team through every finding. What I found, why it matters, and what the fix looks like. This is included. It usually runs 60 to 90 minutes depending on how many findings there are.
Retesting is sometimes included and sometimes charged separately, depending on the provider. After you've remediated the findings, I come back and verify the fixes work. That's typically half a day to a full day. At Net Sec Group, we include a retest window in most engagements. Ask about this upfront, because retesting is where you prove the money was well spent.
Scoping conversations happen before the engagement and aren't charged for. I need to understand what you've got before I can quote accurately, and that conversation usually takes 30 minutes to an hour.
What's genuinely extra: if you need additional scope added mid-engagement (you forgot to mention the second office, or there's a new application that went live last week), that's additional days. If you need the report in a specific format for an insurer or auditor, that's usually fine at no extra cost, but mention it upfront.
How to get an accurate quote
Come to the conversation with whatever you have. A network diagram is ideal, and an asset inventory is useful too. Even a rough list of "this is what we know about, and this is what we're not sure about" gives me something to work with.
What I need to know to quote accurately:
- How many IP addresses and systems are in scope
- Whether you need internal, external, web application testing, or a combination
- How many physical locations are involved
- Whether social engineering is included
- Any systems that can't be tested during business hours
- What you need at the end (technical report, executive summary, evidence packs for insurers)
If you can answer most of those, I can usually turn around a quote within 24 hours. If you can't, we'll work through it together on a scoping call. The call takes longer, but the quote will be right.
Want a quote for your organisation? Get in touch, email [email protected], or call +44 20 3026 2904. We can usually turn around a quote within 24 hours of a scoping conversation.
Related articles
- How We Allocate Pen Testing Days
- Can AI Actually Do a Pen Test?
- Penetration Testing FAQ
- Cyber Essentials ROI Calculator
- Cyber Insurance and Cyber Essentials