How much does a penetration test cost?
The short answer: at Resync you pay a fixed price based on scope. You know exactly what you get and what it costs before the work begins. No hourly billing, no surprise invoices. An initial estimate is typically available within one business day after a short intake call.
Why no hourly rate
An hourly pentest may seem flexible, but that flexibility is an illusion. You don't know in advance how many hours you'll consume, and you pay for hours that may not actually be spent on your application. Worse, it creates a perverse incentive: the tester earns more the longer they take, not the faster or more thoroughly they work.
With a fixed price, the scope is fixed. Whatever falls within it is tested — thoroughly, without watching the clock. If the test runs long for any reason, the price stays the same. If it finishes faster, the price stays the same. You're buying a result, not hours.
Which factors determine the price
- Number of endpoints and subsystems. An MVP with five endpoints is faster to test than a platform with hundreds.
- Type of test. Web application, API, mobile app, infrastructure — each requires a different approach.
- Number of roles. Each role is a separate authorisation tree that must be tested independently.
- Complexity of authentication and authorisation flows. SSO with multiple identity providers requires more than a username/password flow.
- Compliance context. NIS2, NEN 7510, ISO 27001 or SOC 2 determine which additional requirements apply to the reporting.
The decisive factor is not hours — it's what needs to be tested.
The three scope categories
We broadly work with three scope categories. They give direction for your planning and budget; the exact price follows after the intake.
| Scope | Typical context | Lead time | From |
|---|---|---|---|
| Compact | One web application or API with limited roles and endpoints — an MVP, internal dashboard or small customer portal. | 1–2 weeks | €1,000 |
| Standard | SaaS product, municipal portal or healthcare application with multiple roles, API integrations and authentication flows. | 2–3 weeks | On request |
| Extended | Complex platform with multiple applications, infrastructure, external chains or multi-tenant architecture. | 3–5 weeks | On request |
Every scope includes the intake, scoping, the manual test, the technical report, the executive summary, prioritisation by impact and exploitability, and the retest after patching. Everything is included — no separately billed line items, no hidden costs.
What a cheap pentest ultimately costs you
Pentest offers vary wildly in price. A vulnerability scan with a report on top costs a fraction of a manual pentest — but it also delivers a fraction of the findings. Someone who pays €1,500 for "a pentest" and receives scanner output has not saved money; they've been misled.
A serious manual pentest costs more. But what you get in return — truly exploitable findings, reproduction steps your developer can act on the same day, a retest that closes with proof of remediation — is exactly what you need to satisfy an auditor, customer, or regulator.
What you get before paying anything
- A no-obligation intake call (free, no commitments)
- A written scope definition and objectives
- A fixed-price quote detailing exactly what is included
- A schedule through to the retest
Only when you approve the quote and schedule does the project begin. Until then, it costs you only 30 minutes of your time.
How do I request a quote?
The fastest route is a short intake. Use the contact form to tell us what you want tested and any deadline you have in mind. You'll typically hear back within one business day. For a full explanation of the process, see the penetration testing page.
Concrete price within 1 business day
Send your scope, receive a fixed-price quote. No obligations, no sales pitch.