The single most common question we get before a scoping call: “How much does a penetration test cost in the UK?” The honest answer is that it depends — but there are clear benchmarks, and this guide gives you all of them so you can budget accurately and avoid being overcharged or under-tested.
Penetration testing cost in the UK ranges from around £1,500 for a small web application to £50,000+ for a complex red team engagement. The variance is real and driven by scope, not just vendor margin. Understanding what drives the cost helps you scope your engagement correctly — and avoid paying for testing depth you don’t need, or skimping on depth you do.
Penetration Testing Cost UK: Quick Reference
| Test Type | Typical UK Price Range | Duration | What’s Included |
|---|---|---|---|
| Web Application (small, 1–3 roles) | £1,500 – £3,500 | 2–3 days | OWASP Top 10, business logic, auth, API endpoints |
| Web Application (mid-size, 4–8 roles) | £3,500 – £6,500 | 4–5 days | Full OWASP, complex auth flows, multi-tenant logic |
| Web Application (large, complex) | £6,500 – £15,000 | 7–10 days | Deep custom functionality, microservices, privilege escalation paths |
| Mobile Application (iOS or Android) | £3,000 – £6,000 | 4–5 days | OWASP Mobile Top 10, traffic interception, binary analysis, storage testing |
| API Penetration Testing | £2,000 – £5,000 | 3–5 days | OWASP API Top 10, authentication, rate limiting, authorisation |
| External Infrastructure (up to 50 IPs) | £2,500 – £4,500 | 3–4 days | Port scanning, service enumeration, vulnerability exploitation, reporting |
| Internal Network (up to 100 nodes) | £4,000 – £8,000 | 4–6 days | Lateral movement, AD attacks, privilege escalation, segmentation testing |
| Cloud Security Review (single platform) | £3,500 – £7,500 | 4–6 days | IAM, storage, compute, network configuration review + exploitation |
| Red Team Exercise | £15,000 – £50,000+ | 3–8 weeks | Assume breach, phishing, physical, C2, full attack simulation |
| Phishing Assessment | £1,500 – £3,500 | 1–2 weeks | Spear phishing simulation, click rates, credentials capture, reporting |
All prices are indicative for 2026 UK market rates. CREST-certified firms command a 20–40% premium over non-certified providers — this is justified by the accreditation overhead and engineer quality assurance it represents.
What Drives Penetration Testing Costs in the UK
1. Scope and Complexity
The most significant cost driver. “Test my web application” means nothing without knowing: how many distinct roles/user types exist (each adds testing time), whether the application has complex business logic that requires manual testing rather than automated scanning, how many endpoints/functions need to be exercised, and whether authentication mechanisms are standard (OAuth, SAML) or bespoke.
A well-scoped engagement starts with a call where the testing team asks detailed questions about your application’s architecture. Any firm quoting without this conversation is guessing at scope — and will either over-charge or under-test.
2. CREST Certification
CREST-certified penetration testing in the UK costs 20–40% more than non-certified equivalents. This reflects the cost of accreditation maintenance, the higher day rates of certified engineers, and the quality assurance processes CREST requires. For regulated industries (financial services, healthcare, government), CREST certification is often a procurement requirement, not a nice-to-have. For unregulated businesses, it’s still a meaningful quality signal: CREST exams are technically rigorous, and the company accreditation verifies insurance, professional standards, and quality controls.
3. Testing Approach (Black, Grey, or White Box)
Black box testing — where the tester receives no prior knowledge and begins with only a URL or IP range — takes longer because reconnaissance is included in the engagement. White box testing, where the tester receives architecture documentation, source code access, and user credentials, is typically faster and more thorough for the same budget. Grey box (credentials but no source code) is the most common approach and represents a good balance for most engagements.
4. Report Quality and Compliance Requirements
Basic vulnerability scanning reports cost less but carry less value. A full penetration test report includes: executive summary for non-technical stakeholders, technical findings with reproduction steps and screenshots, CVSS v3.1 severity scoring, remediation guidance with specific code or configuration changes, risk register alignment, and compliance mapping (PCI DSS, ISO 27001, SOC 2 control references). If your regulator or auditor has specific reporting requirements, a good testing firm will align the format at the scoping stage — add 10–20% to account for custom reporting.
5. On-Site vs Remote Testing
Most penetration testing is conducted remotely. Internal network tests can be performed remotely via a VPN jumpbox or through a laptop deployed on-site. If you require engineers on-site — for physical penetration testing, air-gapped environments, or wireless security assessments — expect to add travel costs and a day-rate premium for on-site work. London-based firms typically don’t charge travel costs for on-site work within the M25.
6. Retesting
A penetration test without a retest only tells you what was broken before you fixed it. Retesting verifies that remediation is effective and that the fixes haven’t introduced new vulnerabilities. Most firms include one retest pass in the engagement cost, or offer it as an add-on at roughly 20–30% of the original test cost.
Pentesting Cost UK: Fixed Price vs Day Rate
UK penetration testing firms typically price in one of two ways:
Fixed-Price Engagements
More common for well-defined scopes (a specific web application, a defined IP range). You pay a fixed fee for a defined scope and deliverable. Risk of scope creep sits with the testing firm. Good for budget predictability. Requires accurate scoping upfront — if the scope turns out to be larger than agreed, there may be overage charges or reduced testing depth.
Day-Rate Engagements
More common for complex or open-ended testing (red teams, novel attack surfaces, unknown scope). UK CREST-certified engineer day rates run from £900 to £1,800/day depending on seniority and certification level. Day-rate engagements give flexibility but require active scope management to avoid runaway costs. Insist on a daily check-in and agreed testing priorities at the start of each day.
Pen Test Costs UK: What Affects Your Final Invoice
Beyond the base engagement cost, watch for these line items that affect the final invoice:
- Scope changes mid-engagement — the testers discover during the engagement that the application is significantly larger than the agreed scope. Address this by being thorough in scoping upfront.
- Emergency findings communication — critical vulnerabilities requiring out-of-hours calls. Good firms include this at no extra charge; verify in the contract.
- Executive presentation — some firms charge separately for presenting findings to the board or C-suite. EJN includes a findings walkthrough call in all engagements.
- Letter of attestation — a formal signed letter confirming testing was completed to a specified standard, sometimes required for compliance submissions. Usually included; confirm this.
- Raw findings data export — CSV or XML export of findings for import into your vulnerability management platform.
How to Get the Most Value From Your Penetration Testing Budget
- Invest in scoping, not just testing — A 30-minute scoping call will prevent both over-spending on irrelevant test areas and under-spending on critical ones. Don’t skip it to save time.
- Test what matters first — If budget is constrained, prioritise by risk: internet-facing applications and systems handling sensitive data before internal tooling.
- Get a retest included — A test without retest verification is a snapshot, not an assurance. Negotiate retesting into the base contract.
- Ask about findings during testing, not after — Firms that only deliver findings in the final report force remediation into a future sprint. Firms that report as they go let you fix critical issues while testing is still in progress.
- Compare apples to apples — Ensure any quotes you’re comparing cover the same scope, testing approach, deliverables, and certification level. A £2,000 quote and a £5,000 quote for “the same test” are rarely for the same test.
Frequently Asked Questions
How much does a web application penetration test cost in the UK?
A standard web application penetration test in the UK costs between £2,500 and £6,500 for a mid-size application with 3-6 user roles, conducted by a CREST-certified firm. Smaller applications with limited functionality start from £1,500. Large, complex applications with custom business logic can reach £12,000–£15,000.
Why is CREST-certified penetration testing more expensive?
CREST certification requires investment in engineer training and examination, company-level quality controls, professional indemnity insurance at a specified level, and ongoing accreditation maintenance. This overhead is reflected in pricing and represents genuine value: CREST exams are technically rigorous, and accreditation verifies the firm operates to a professional standard.
Can I get penetration testing under £2,000?
Yes — for very small, well-defined scopes (a landing page or brochure site with no user authentication, a single API endpoint), some firms will price below £2,000. Be cautious: penetration testing below this threshold typically involves minimal manual effort and heavy reliance on automated scanning, which misses business logic vulnerabilities. For anything handling user data or financial transactions, this level of testing is insufficient.
Is penetration testing a tax-deductible business expense in the UK?
Generally yes — penetration testing is a business expense related to cybersecurity and IT security management. It typically qualifies as a deductible revenue expenditure. Consult your accountant for advice specific to your circumstances.
How often should UK businesses do penetration testing?
Most compliance frameworks (PCI DSS, ISO 27001, SOC 2) require annual penetration testing as a minimum. FCA-regulated firms and organisations with rapid development cycles typically test more frequently — quarterly for critical applications or after major releases. See our penetration testing checklist for a full readiness guide.
Get a Fixed-Price Quote
Tell us what you need tested and we’ll provide a fixed-price quote after a 30-minute scoping call. No obligation, no sales pipeline — just a clear figure from a CREST-certified engineer.