Depending on what company or tester you go with, pen test pricing could be £ or £££+, so what does a good pen test price list actually look like in 2025?
- Pen test pricing 2025 for UK and EU companies: Budget for a day rate of circa £1200 (€1400) and make sure that your project is being scoped properly by getting multiple quotes. The right price for any scope of work will probably be somewhere in the middle of all the quotes you received.
Some testers or testing companies might say you should get ready to spend tens of thousands of pounds or euros for a website pen test; other testers might ask for a few hundred pounds or euros for what appears to be the same result, i.e., a “pen test report.”
This article taps into our decade-plus experience helping organisations ensure they get the best value for their money from their testing programs.
In this blog post, we give you a behind-the-scenes look at pen test pricing in 2025, explain how to know if you are getting a fair pen test price, and share an 11-point checklist for UK and EU pen test buyers.
How Has Pen Test Pricing Changed In 2025
Asking how much a pen test costs is like asking, “How much should a car cost?”
But it's still a fair question.
We can say for certain that penetration tests in 2025 are best priced per day or engagement.
That said, it's hard to identify a standard pen test or even a standard way to price pen tests.
This is especially true right now. As attack surfaces sprawl in most organisations (plus the trend of “vibe-coded” internal apps), pen testers are encountering more unpredictable scenarios than ever.
Pen Test Pricing UK and EU Day Rates 2025
Some pen tests last one day, others last more than three weeks.
The length of a pen testing engagement depends entirely on what's being tested. That’s why we advise buyers to look at day rates as the key pricing decision point.
Quick Price Reference (UK/EU 2025):
- Under £500 (€600)/day - Risky. Likely not a real pen test.
- £1000–£1500 (€1200–€1800)/day - Typical range for thorough manual pen testing.
- Over £2000 (€2300)/day - Likely too high unless highly specialised testing is needed.
The quoted amount can vary significantly across pen testing companies and providers.
Our review of the current UK and EU pen testing market says that a typical fair day rate for a pen test in 2025 is £1200 (€1400).
Total Engagement Costs
Penetration test engagement pricing comes down to day rate × number of days.
If you’re looking at a £25k (€30k) quote and typical day rates range from £1k to £2k (depending on the provider and location), then the vendor is estimating 12 to 25 days of work.
Divide the total quote by the number of days in the proposal to work out the day rate, then ask what’s being done during that time.
If a pen testing provider is quoting 20 days for a small, single-function web app with basic authentication and limited user roles, that’s probably over-scoped. But if it’s a complex platform with multiple environments, API integrations, and sensitive data flows, then 20+ days might be entirely reasonable.
Fair Pen Test Pricing vs Unfair

Without shooting ourselves in the foot, we have to say that it is possible to pay too much for a pen test, even if it is a high-quality test. However, it’s also surprisingly easy to avoid getting ripped off when entering into a contract with a pen test provider.
Our team recommends that you ask pen testing vendors what factors were taken into consideration for scoping. If the price looks high and the vendor doesn't have a clear, logical answer as to why it's high, take that as a bad sign.
It's possible that a pen testing provider might overscope a pen test (whether intentionally or not).
Also, take note if there are zero scoping questions from the vendor before they provide a price.
In this case, the engagement will probably be overscoped by default. Vendors who don’t ask scoping questions don't care to know about the system they’ll be testing, so it's probably best to pass on this particular provider altogether.
What to look for when reviewing pen test pricing
- Ask the vendor what factors they considered when scoping the engagement.
- If the price feels high and they can’t give a clear, logical reason, that’s a red flag.
- Be cautious if they provide a quote without asking any scoping questions.
- No scoping questions usually means the engagement is over-scoped by default.
- Testers who don’t ask about your systems probably don’t care about testing them properly - move on.
Watch Out for Pen Test Pricing That’s Too Cheap
Pen test pricing that works out as a day rate of £300/€500 or less is not a penetration test.
You are unlikely to get a safe and thorough penetration test from reputable pen testers at this price point.
Why?
A low-priced pen test like this might mean that:
- The pen tester/testing company does not have proper insurance in case something goes wrong.
- The testing methodologies may be poor or, more than likely, you will be getting a vulnerability scan rather than an actual pen test.
- The testers are not properly qualified, experienced, or certified.
At this price, buyer beware.
Organisations should thoroughly vet pen testing providers to ensure that any “pen test” they buy is not just a vulnerability scan (a pen test will include a vulnerability scan but shouldn’t end there).
Asking a provider what their pen testing methodologies are can help you determine if you’re getting a vulnerability scan or a pen test.
The other reason why a pen test's total cost might be very low (if provided by what seems like a reputable pen testing vendor) is that the project is not being scoped correctly, i.e., the vendor hasn't really taken your situation into consideration, or you’re getting a standardised time-bound range (aka “one-way scoping”).
There are many reasons why a low-cost pen test is a bad idea. We outline some of them in another blog post.
Sample Pen Test Engagement
A typical web application pen test might take around 6 days and cost £6,000.
In that time, testers approach the application like a real attacker would. They think critically about how the app works and how it could be broken into in the real world.
Here, pen testers:
- Explore the full attack surface of the app, including login pages and APIs.
- Identify how the app handles sessions, user roles, permissions, and data.
- Test how different pieces of the app interact and whether that opens up any unintended behaviour.
- Try to chain vulnerabilities together to simulate real-world exploitation.
This is far more valuable than a vulnerability scan.
Let’s say your app displays a list of user UUIDs somewhere.
Now, imagine the “change your password” function takes a UUID as input.
If the app doesn’t verify that the UUID belongs to the logged-in user, an attacker could plug in someone else’s UUID and reset their password.
Scanners won’t catch that. But a proper web application pen test team will. They’ll flag it, explain the risk, and help you close the gap before someone malicious finds it.
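To make the UUID scenario concrete, here is an added example (not code from this article or from any client system): a password-change handler that trusts the UUID in the request, the same handler with the ownership check in place, and a regression check that tells them apart. The in-memory user store, the account UUIDs and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; the UUIDs and passwords are made up.
ALICE = "11111111-1111-4111-8111-111111111111"
BOB = "22222222-2222-4222-8222-222222222222"

class Forbidden(Exception):
    """The session user may not act on the requested account."""

def hash_pw(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_pw(store, uid, password):
    salt, digest = store[uid]
    return hmac.compare_digest(hash_pw(password, salt)[1], digest)

def new_store():
    return {ALICE: hash_pw("alice-old"), BOB: hash_pw("bob-old")}

def change_password_vulnerable(store, session_uid, target_uid, new_pw):
    # Flaw from the article: the UUID in the request is trusted and
    # session_uid (the logged-in user) is never compared against it.
    store[target_uid] = hash_pw(new_pw)

def change_password_fixed(store, session_uid, target_uid, new_pw):
    # Object-level authorisation: the target must be the session's own account.
    if target_uid not in store or target_uid != session_uid:
        raise Forbidden("target account does not belong to the session user")
    store[target_uid] = hash_pw(new_pw)

def cross_account_change_possible(handler):
    """Regression check: does Bob's session manage to change Alice's password?"""
    store = new_store()
    try:
        handler(store, session_uid=BOB, target_uid=ALICE, new_pw="set-by-bob")
    except Forbidden:
        pass
    return check_pw(store, ALICE, "set-by-bob")

if __name__ == "__main__":
    print("vulnerable:", cross_account_change_possible(change_password_vulnerable))
    print("fixed:     ", cross_account_change_possible(change_password_fixed))
```

Both handlers return a normal response to a well-formed request, which is why the difference only shows up when a test deliberately pairs one user's session with another user's UUID.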
Learn more about web application pen testing here.
Factors Influencing Pen Test Pricing
There can be many pen testing pricing inputs, but generally, the total engagement cost of a pen test will be a reflection of the following:
- Scope size. The more systems, apps, or environments in scope, the longer the engagement, and the higher the cost. For example, testing a single web app is very different from testing a complex estate with APIs, cloud infrastructure, and multiple user roles.
- Testing company’s experience. CREST-accredited providers have to undergo vetting and maintain accreditation. This can influence the cost of delivering a high-quality service, as does deploying a team with deep experience in offensive security (rather than generalist IT services).
- Scoping process. Quality providers will ask detailed questions to tailor the scope. Rushed or one-size-fits-all scoping often leads to either under-testing or inflated pricing. Expect the quote to reflect the time and care put into the scoping process.
- Location. US-based pen test providers typically cost more than EU or UK-based firms. This reflects market differences, not necessarily better quality. Many UK and EU firms offer excellent testing at significantly more competitive rates.
Ultimately, the biggest influence on pricing (from the perspective of the company being tested) is the size, complexity and criticality of the environment in question.
11-Step Pen Test Procurement Checklist
Don’t just look at the price of a pen test.
We recommend that all companies reviewing pen test pricing ask pen testing providers for these essentials:
- Insurance in case of damage to their environment.
- Methodologies, because even reputable providers can sometimes position a vulnerability scan as a pen test.
- Scoping. Make sure the statement of works is tailored and goes into detail about the approach the tester will take, i.e., we will be testing for x, y, and z in this environment.
- Qualifications and accreditations. CREST-approved is the gold standard.
- Employee training. Check that the company allows for ongoing staff training.
- Speciality in offensive security. Ideally, a testing company will primarily be a testing company and not a company doing pen testing as one of dozens of other IT services.
- Case studies that show previous work.
- Sample report. This can show you if they are running scans or doing manual testing and also give you a good idea of the quality of the deliverables you will be getting.
- Good track record, including references and named clients.
- Technical blog posts, research, and/or open-source projects put out by the company.
- Full fee schedule. It's not just the testing cost you need to review. Some vendors might charge admin and/or project management fees or fees for things others offer as part of the service, e.g. wash-up/debrief calls.
Pen Test Pricing TL;DR
Pen test pricing varies a lot, but in general, here are two pen test (day) pricing guidelines to follow to avoid overpaying or buying a bad penetration test:
- A pen testing day rate that is too low = Poor quality.
- A pen testing day rate that is too high = Potentially exploitative.
When it comes to scope, it’s good to keep the following in mind:
- Too short a scope = Automated scans rather than thorough testing. Read our pen testing vs vulnerability scanning blog post to learn more about what this means. That said, this could also happen because the company didn't ask any scoping questions and gave you a standardised time-bound number of days that isn't tailored to your situation.
- Too long a scope = The company is potentially charging too high a price, but it can also mean that there is a lot to test.
How to Choose a UK or EU Pen Test Company In 2025
You can find European pen testing providers that charge £ and others that charge £££+. But price alone won’t tell you if a test is going to be any good.
Whether you're paying a few thousand or tens of thousands for a penetration test, these three qualities matter more than anything:
Trustworthy
You’re giving someone permission to try and break into your systems. Make sure they’re operating under the right standards.
Look for:
- Industry-recognised accreditations (e.g., CREST).
- Experience working under regulated frameworks like CBEST and TIBER.
- Clear insurance coverage in case something goes wrong.
Technically Expert
A real testing team will have tooling that goes beyond off-the-shelf tools.
Look for companies with:
- In-house tooling (not just dependency on commercial scanners).
- Time set aside for staff R&D and ongoing training.
- Evidence of deeper thinking and engagement in offensive security culture, including blog posts, tool releases, participation in CTFs and research.
Experienced
The pen testing firm and the people doing the testing should have a solid track record, including relevant experience delivering high-quality pen tests.
Look for:
- Testers with several years of hands-on offensive security work.
- Industry, regulatory, and environment-specific experience that reflects what you want to test, e.g., VPN infrastructure testing, IoT testing, etc.
- Named clients or case studies.
We Guarantee a Fair Pen Test Price For UK and EU Companies
SECFORCE invests in accurate and thorough scoping of projects.
Whether you're considering a penetration test, looking for a quote, or wondering if the quotes you have received are fair, we would love to talk to you and answer any questions about offensive security.
We’re a CREST-certified pen testing firm with over a decade of experience testing companies in every industry.