Pricing

Transparent pentest pricing, scoped by the product you need tested

Skip the black-box quote process. Answer three technical questions and get a practical baseline range for your application security pentest.

Scoped by application type, access complexity, and technical surface area.

Quote model

Fixed price

We lock the scope before work starts, rather than sliding into hourly drift.

Technical sync

10-minute review

A short scoping call confirms targets, exclusions, and the final fixed quote.

Typical reply

2 business days

Your estimate and service context travel into the request so we start from the real scope.

Choose the right pricing path

Different attack surfaces need different scoping models

Apps, cloud environments, and MCP servers are priced from different effort signals. Start with the path that matches the system you need tested, then we confirm the fixed scope in a short technical sync.

Apps & APIs

Use the calculator for product pentests

$5,000-$20,000+

Best when the engagement centers on a web app, API platform, mobile-backed product, or a broader SaaS surface.

Scoped by

Application type, role complexity, workflow depth, and rough page or endpoint count.

Best for

Customer portals, admin consoles, partner APIs, mobile-backed products.

Typical window

3-14 business days

  • Authorization depth and multi-role workflows usually move the scope more than company size.
  • We use a short calculator here because the product surface is usually easier to estimate upfront.
  • The fixed quote is locked after a short technical sync, not after a long discovery call.

Cloud, Kubernetes & IAM

Start from the boundary and trust model

From $7,500

Use this path when the real risk sits in cloud identities, Kubernetes boundaries, storage exposure, network reachability, or chained cloud attack paths.

Scoped by

Accounts, clusters, identities, trust boundaries, exposed services, and escalation paths.

Best for

AWS, GCP, Azure, managed Kubernetes, IAM-heavy product infrastructure.

Typical window

5-10 business days

  • Cloud scopes rarely map well to page counts because the attack surface is privilege and trust-boundary driven.
  • We usually size from account boundaries, cluster count, role design, and reachable control planes.
  • This is the right path when the product pentest is not the main security question.

MCP servers

Scope MCP testing by servers, tools, and auth

$3,500-$15,000+

Use the MCP path when AI assistants connect to tools, file systems, internal APIs, or tenant data through Model Context Protocol.

Scoped by

Server count, tool count, connected resources, auth model, tenant boundaries, and tool safety risk.

Best for

Internal assistants, customer-facing AI features, agentic tooling, multi-server ecosystems.

Typical window

3-10 days

  • MCP scope is driven by tools, transports, data boundaries, and auth flows rather than app pages.
  • We map prompt-to-tool and tool-to-resource risk before testing so the quote reflects the actual protocol surface.
  • This path is tuned for direct AI and MCP work rather than folded awkwardly into a generic app model.

If your scope crosses product, cloud, and MCP surfaces, start with the dominant attack surface. We combine adjacent scope during the technical sync instead of making you guess the final statement of work alone.

Size your pentest in under 60 seconds

Tell us what needs to be tested. We map your product to a clear T-shirt size and show a baseline price range before any sales conversation.

Use rough numbers. You do not need a perfect inventory to get a useful estimate.

3 signals to a working range

Signal 1

Choose the option that best matches the product surface our team would assess.

If you are unsure, pick the closest match. We will confirm the final scope during the technical sync.

Signal 2

Count roles with different permissions, workflows, or access levels. Testing role boundaries is one of the biggest drivers of effort.

Include roles that matter for security testing, not job titles from your org chart.

Signal 3

Use whichever number is easier: user-facing screens, major workflows, or API endpoints. A rough estimate is enough.

Do not worry about being exact. The estimate is designed to work with imperfect inputs.

Transparent T-shirt-sized pricing

Baseline ranges based on technical testing effort. We lock the exact fixed price after a short technical sync.

Small

  • Single web app or focused API
  • 1-2 security-relevant roles
  • Less than 25 pages or endpoints
Typical window

3-5 business days

Focused product surfaces

Medium

  • Web app, API, or web plus mobile
  • 3-4 distinct user roles
  • 25-100 pages or endpoints
Typical window

5-7 business days

Typical SaaS products

Large

  • Multiple surfaces or mature app
  • 5-7 roles or richer authorization
  • 100-250 pages or endpoints
Typical window

7-10 business days

Mature product teams

Custom

  • Complex ecosystem or multiple apps
  • 8+ roles or custom permissions
  • 250+ pages, endpoints, or hard-to-count surface
Typical window

10-14 business days

Broad ecosystems

Enterprise

Custom scope for complex requirements, multiple products, compliance needs, or ongoing testing arrangements.

Start a conversation

Need only MCP server testing?

MCP servers are scoped differently from apps and APIs. We price them by servers, tools, connected resources, tenant model, and auth complexity.

Start MCP conversation
  • Single MCP server (fewer than 10 tools): $3,500-$5,000, 3-5 days
  • Multi-server (2-5 servers): $7,500-$12,500, 5-7 days
  • Enterprise (5+ servers, multi-tenant): from $15,000, 7-10 days
  • Add-on to an existing pentest: $2,000-$3,500, 1-2 days

Fixed price. No hourly. Quote in 48 hours. One free re-test within 30 days of report delivery.

The calculator gives you a baseline range. The exact fixed price is confirmed during a 10-minute technical sync.

How buying works without repeating yourself

1. Estimate your range: answer three technical questions about product surface, roles, and endpoints.
2. Share the saved scope: your calculator inputs are passed to our team so we start from the estimate.
3. Lock the fixed price: a 10-minute technical sync confirms the final scope and price.
4. Approve internally: use the estimate summary for budget approval, procurement, or technical review.

Before internal approval

What teams usually review before they approve the quote

Buyers tend to check the reporting standard, deliverable shape, and whether other product teams found the engagement calm and useful once the work started.

What buyers open next

These are the assets buyers usually open before they commit.

Sample report

Review the evidence standard, reproduction steps, remediation guidance, and report structure before you commit.

Preview sample report

Reports & deliverables

See what leadership, engineering, customers, and auditors actually receive once the engagement closes.

See deliverables

Case studies

Inspect how findings, remediation evidence, and calm reporting played out in real client environments.

Read case studies

What security leaders say after the engagement

Clear scope, clear reporting, and predictable follow-through are what teams tend to mention most.

The kind of vulnerabilities they found were things we never expected — things which were not on our radar. That changed how we think about our own attack surface.

Founder & CEO

Asia's leading Threat Intel Company

Found multiple interesting exploitable vulnerabilities across our product. Clear reporting, thorough walkthroughs of each finding, and they stayed engaged until every issue was resolved.

Manager

Most popular Vulnerability Scanner (100+ countries)

We engaged with Appsecco for red teaming. Their findings were specific, well-documented, and gave our team a clear path to remediation.

Senior Expert

European Giant in FinTech

Need a tighter buyer pack for procurement or internal review? Start from your estimate

Common questions

Why T-shirt sizing instead of hourly rates?

Technical testing effort is driven by product surface, authorization complexity, and workflow depth. T-shirt sizing gives you a useful planning range before a sales conversation, then we lock the exact fixed price after a short technical sync.

What if we're between sizes?

The calculator returns a range instead of forcing a single number. During the technical sync, we confirm what is in scope, group related endpoints or workflows, and give you the fixed price in writing before work begins.

Do you offer retests after we fix issues?

Yes. One re-test is included within 30 days of report delivery. This gives you documented confirmation that fixes hold without adding a second commercial decision right after remediation.

What deliverables are included?

Every assessment includes a comprehensive vulnerability report with proof-of-concept evidence, an executive summary for leadership, technical remediation guidance with code examples, and a follow-up Q&A session to ensure your team understands the findings.

Can we use the report for compliance?

Yes. Our reports are designed to satisfy most compliance requirements — SOC 2, ISO 27001, PCI DSS. We focus on real security, not checkbox exercises, but the documentation is thorough enough for auditor review.

What payment terms do you offer?

We invoice 50% at project start and 50% on delivery of the final report. For enterprise engagements, we can accommodate NET-30 or other arrangements. No payment is required until scope is confirmed and approved.

When you are ready

Ready to lock the scope? We will start from your estimate.

Share your calculator inputs and we will confirm the exact fixed price in a short technical sync. No duplicate discovery call required.

Request scoped assessment

or view a sample report first

No sales pressure
Fixed pricing confirmed upfront
You decide the pace