pentestcostcalculator.com
2026 Edition · Independent reference

What a penetration test actually costs in 2026.

Forensic-grade scoping. UK day rates triangulated from 4 independent industry sources. CREST + CHECK + Cyber Essentials Plus alignment built in. The market is structurally quote-only — we surface that honestly rather than invent numbers. No affiliate revenue on any provider listed.

Pen test scope calculator

What a pen test actually costs in 2026

Forensic-grade scoping. Sourced day rates. Retest + remediation included. UK lane is first-class.

Estimated budget

Web application pen test · Medium (~5-10 days) · Pen test (standard) · UK

| Item | Basis | Estimate |
|---|---|---|
| Day rate | UK CREST consultant consensus | £1,000 - £1,500/day |
| Days | 1× base scope days | 5-10d |
| Engagement total | day rate × days | £5,000 - £15,000 |
| Retest (1 day) | single retest after remediation | £1,000 - £1,500 |
| All-in (12 mo) | engagement + retest | £6,000 - £16,500 |

UK band triangulated from 4 independent industry sources. Gradeon, Fortbridge, Cybergen, SecForce all converge on £1,000-£1,500/day for standard CREST. £1,200 is the fair-benchmark median for scoping.

Verified 2026-06-02

Day rates · provider matrix

Nine providers, sourced

Of 9 providers checked today, only Precursor Security publishes a live UK day rate (£1,250/day CREST). Every other UK or US Tier 1 provider is quote-only or aggregates pricing into PtaaS tiers without numbers. The market is structurally opaque — surfacing this honestly is the methodology rule's intent.

| Provider | Region | Day rate | Certifications | Status |
|---|---|---|---|---|
| Precursor Security | UK | £1,250/d | CREST | Live-verified |
| JUMPSEC | UK | - | CREST, CHECK | Quote-only |
| NCC Group | Global | - | CREST, CHECK | Quote-only |
| Pentest People (now part of WorkNest) | UK | - | CREST, CHECK | Quote-only |
| Bulletproof (now part of WorkNest) | UK | - | CREST | Quote-only |
| Cobalt | US | - | - | Quote-only |
| HackerOne | US | - | - | Quote-only |
| Bishop Fox | US | - | - | Quote-only |
| Synack | US | - | - | Quote-only |

UK industry consensus: £1,000-£1,500/d
Standard CREST consultant. Median £1,200/day. Triangulated from 4 independent 2026 sources.

US (single source): $1,000-$3,000/d
Intruder.io 2026 guide. Wider band reflects greater US engagement variance. We deliberately exclude unsourced US figures circulating in aggregator content.

Verified 2026-06-02. 5 of 9 providers CREST-certified. 3 CHECK-approved (UK gov scope).

Cobalt State of Pentesting 2025

Remediation reality — what happens after the report lands

Pen test pricing always assumes the findings get fixed. Cobalt's 2025 platform telemetry says they often don't. Plan remediation effort and budget separately.

All-vuln resolve rate: 48%
Median MTTR (all): 67d
Median MTTR (serious): 37d
LLM-vuln remediation: 21%

Source: Cobalt State of Pentesting 2025 · Verified 2026-06-02

Testing standards

What each standard means for your budget

Six standards routinely cited in UK + US pen test procurement. CHECK and Cyber Essentials Plus are UK government schemes. CREST is the de facto UK commercial baseline. NIST 800-115 is the US federal reference. OWASP is global methodology.

CREST · UK

CREST

Voluntary — but the de facto standard for UK commercial pen test procurement
Days: Neutral — CREST methodology aligns with industry standard day counts
Rate: CREST consultant day rate is the UK benchmark (£1,000-£1,500/day for standard, £1,200 median)

NCSC (UK National Cyber Security Centre) · UK

CHECK

Mandatory for UK government and CNI (Critical National Infrastructure) pen testing
Days: Neutral — same day counts as standard CREST
Rate: CHECK Team Member-led work typically carries a £300-£500/day premium over standard CREST

NCSC (UK) · UK

Cyber Essentials Plus

Required for UK government supplier contracts handling sensitive data
Days: Typically 1-3 days for small organisations, 3-5 for medium, depending on infra footprint
Rate: Often delivered as a fixed-price assessment (£1,500-£4,000 for small orgs) rather than day-rated

OWASP Foundation · Global

OWASP Testing Standards

Voluntary — industry standard for web/mobile/API testing methodology
Days: OWASP-aligned testing is the baseline — most engagement quotes implicitly follow OWASP coverage
Rate: Neutral — does not affect day rate

NIST (US) · US

NIST SP 800-115

Voluntary — common reference for US infrastructure and network pen testing methodology
Days: Neutral — provides methodology, not duration
Rate: Neutral

PCI Security Standards Council · Global

PCI DSS 4.0 testing

Mandatory for organisations handling payment card data (PCI DSS 11.4)
Days: Adds 30-50% to day count for full CDE scope vs equivalent non-PCI test
Rate: Specialist QSA-aligned testers typically at upper end of day-rate band

Seven scopes

What each scope contains

Scope

Web application pen test

3-20 days · OWASP Web Security Testing Guide
External-facing web applications including authentication, session management, business logic, and OWASP Top 10 coverage.

External infrastructure pen test

2-15 days · NIST 800-115
Internet-facing servers, services, network perimeter.

Internal infrastructure pen test

3-20 days · NIST 800-115
Internal network, Active Directory, lateral movement testing.

Mobile application pen test

3-15 days · OWASP Mobile Security Testing Guide
iOS and Android app testing covering OWASP Mobile Top 10, certificate pinning, jailbreak / root detection, API back-end coupling.

Cloud configuration / pen test

3-20 days · CIS Benchmarks (AWS/Azure/GCP)
AWS, Azure, GCP configuration review, IAM analysis, public-asset enumeration.

API pen test

2-15 days · OWASP API Security Top 10
Standalone API testing (REST, GraphQL, gRPC) covering OWASP API Security Top 10.

Red team engagement

10-80 days · MITRE ATT&CK
Adversary simulation across full kill chain — phishing, initial access, persistence, lateral movement, exfiltration.

Why this exists

The pen test market is structurally quote-only

Of nine pen test providers checked today — Cobalt, HackerOne, Bishop Fox, Synack, NCC Group, JUMPSEC, Pentest People, Bulletproof, Precursor Security — only Precursor publishes a live day rate. PtaaS platforms advertise tier names but no numbers. Every other Tier 1 vendor is engagement-quoted.

That makes pen test procurement hard. The two existing independent references (penetrationtestingcost.com and pentestingcost.com) cite numbers without methodology. The vendor "cost guides" sell their own services. The aggregator content propagates figures that can't be traced to a vendor source — the "$4,000-$7,000/day Bishop Fox" figure being a frequent example we deliberately exclude.

This site does three things differently: surfaces the quote-only reality honestly, triangulates UK day rates from at least four independent sources before publishing a range, and re-verifies every figure quarterly with the pre-deploy gate enforcing the verification dates.

Market consolidation · 2025-26

WorkNest acquired Pentest People + Bulletproof in 2025

Two of the UK's mid-market CREST-certified pen test providers — Pentest People and Bulletproof — are now both under the WorkNest group. Both original domains 301-redirect to worknest.com. If your procurement shortlist treats them as independent options for diversification, they're now the same parent.

Procurement implication: if you're tendering for diversification or supplier-redundancy reasons, treat Pentest People and Bulletproof as a single supplier. WorkNest also owns several UK HR and employment law brands, which is a different shareholder profile to a pure-play security firm.