How to Get an Accurate Penetration Testing Quote (UK Scoping Guide 2026)

By EJN Labs · 12 Jun 2026 · 9 min read

To produce an accurate penetration testing quote, a tester needs your asset inventory (apps, IP ranges, APIs, mobile apps), user roles, the test environment, your testing window, retest expectations and the compliance driver. With that detail a UK provider can price a typical engagement at a fixed day-range, usually £3,600-£21,600, rather than guessing.

A penetration testing quote is only as accurate as the scope behind it. Give a provider a one-line brief (“test our website”) and you get a one-line price that is almost certainly wrong: too high if they pad for unknowns, too low if they find three more applications mid-engagement. This guide explains what information a tester needs to scope a penetration test and the questionnaire we use at EJN Labs to turn a rough idea into a fixed figure. For headline day rates, see our penetration testing cost hub; this post is about how scoping moves them.

Why vague scope produces an inaccurate penetration testing quote

Penetration testing is priced in tester-days, not per “website” or per “system”, and the day count depends on how much there is to test and how deeply. When the scope is vague the provider has to assume, and assumptions cut two ways: they either build in contingency for everything they cannot see, which inflates your quote, or they take the brief at face value, win on price, then raise a change request when reality turns out larger.

A concrete example: “test our web application” could mean a brochure site with one contact form (two days) or a multi-tenant SaaS platform with five user roles, an admin console, a payment flow and a public API (twelve days or more). Same sentence, six-fold difference in price. Scoping removes that ambiguity before anyone quotes, so the figure you receive is the figure you pay, and it sharpens the test: a tester told there are three user roles probes the boundaries between them rather than testing as one user and missing access-control flaws.

What information do you need for a pen test quote?

To produce an accurate penetration testing quote, a provider needs answers across six areas. The more you supply up front, the tighter the quote.

1. Asset inventory

The biggest driver of scope is how many things there are to test, so be specific about each asset type:

  • Web applications: how many distinct apps, and roughly how many pages, forms and dynamic functions each has.
  • External infrastructure: the number of live external IPs or hostnames (a CIDR range like /28 tells us a lot).
  • Internal networks: approximate live hosts and subnets, and whether a build review or Active Directory assessment is wanted.
  • APIs: how many endpoints, the style (REST, GraphQL, SOAP) and whether you can share an OpenAPI or Postman collection.
  • Mobile apps: iOS, Android or both, and whether the backend API is in scope too.
  • Cloud: the providers (AWS, Azure, GCP) and whether a configuration review sits alongside the test.

Unsure how to count or describe an asset? Our penetration testing checklist walks through an asset inventory you can fill in first.

2. User roles and credentials

For any authenticated test we need the number of distinct user roles (anonymous, standard user, manager, administrator and so on), because each role boundary is a place flaws hide, plus working test credentials for each role before testing starts. An unauthenticated test of a public surface is cheaper but far less thorough, and most buyers under a compliance driver want authenticated testing.

3. Environment: production versus staging

A representative staging environment that mirrors production is usually ideal, because it lets our testers probe harder without risking live data or availability. If testing must happen against production, we scope around your maintenance windows, rate limits and any fragile components, which can change how many days the work realistically takes.

4. Testing window and constraints

Constraints shape the quote as much as the asset count. Useful detail includes any fixed deadline (a customer audit, a funding round, a certification date), whether out-of-hours testing is required, IP allow-listing or VPN access, and anything explicitly out of scope. A compressed timeline or restrictive change-control process can add days even when the asset list is small.

5. Retest expectations

Most credible engagements include a retest to confirm the issues found were actually fixed, and many compliance schemes expect it. Decide whether you want a single retest of remediated findings bundled in or a follow-up engagement later, and we quote it explicitly up front.

6. Compliance driver and reporting needs

Why are you testing? The answer changes the deliverable, and sometimes who may perform it.

  • CREST: many buyers and their customers require a CREST-accredited provider, for assurance of method and reporting quality.
  • Cyber Essentials Plus: a defined audit of specific controls, not a full penetration test, so scoping differs.
  • ISO 27001: testing supports your information security management system and the report becomes audit evidence.
  • PCI DSS: prescriptive segmentation and application testing requirements that must be reflected in scope.

Tell us the standard you are working to and we shape the report accordingly: an executive summary for the board, a technical body with reproducible steps and CVSS ratings for your engineers, and a clear remediation track for your auditor. As a CREST-accredited firm that also holds Cyber Essentials, Cyber Essentials Plus, ISO 27001 and ISO 9001, we build deliverables that stand up to audit.

How to scope a penetration test: the questionnaire we use

When you request a quote, we work through a short, structured scoping questionnaire so nothing material is missed. Prepare your answers in advance to speed things up.

  1. What asset types are in scope, and how many of each (apps, external IPs, internal hosts, APIs, mobile apps, cloud accounts)?
  2. For each app or API, how complex is it (rough page or endpoint count, number of dynamic functions)?
  3. How many distinct user roles need to be tested, and can you provide credentials for each?
  4. Will testing run against staging or production, what constraints apply, and is there a fixed deadline or out-of-hours requirement?
  5. Is a retest of remediated findings required?
  6. What is the compliance driver (CREST, Cyber Essentials Plus, ISO 27001, PCI DSS, customer due diligence), and who reads the report?

With these answers we can usually turn a rough enquiry into a fixed day-range and a firm price the same day.

Penetration testing quote: typical cost by scope

The scope of work sets the day count, and the day count multiplied by the tester day rate gives the price. Pricing uses a typical UK day rate of around £1,200 to £1,300; all testing is delivered by senior and principal testers, so the price is driven by the complexity of the scope (the number of tester days). The table below uses a £1,200 day rate as the baseline to map common scope tiers to a typical day-range and price. These figures are indicative; an accurate figure comes from a scoped quote.

Scope tier         Typical example                                                         Typical days   Typical UK range
Small / focused    One small web app or API, or a /28 external range                       3-5 days       £3,600-£6,000
Standard           A multi-role web app, or external plus a small internal network         5-8 days       £6,000-£9,600
Complex            SaaS platform with API and several roles, or a larger internal estate   8-12 days      £9,600-£14,400
Programme          Multiple assets, cloud review, red-team elements, retests bundled       12-18 days     £14,400-£21,600

For the cost of each individual test type, see our guides to web application penetration testing cost, network penetration testing cost, API penetration testing cost and mobile app penetration testing cost. Our pricing page summarises packages, and the cost hub is the parent guide.

How EJN Labs scopes and prices your engagement

We scope on a short call, usually thirty minutes, to turn your real situation into an accurate penetration testing quote you can put in front of finance. First we confirm the asset inventory together and challenge anything underspecified, because the assets you forget to mention are the ones that blow up a quote later. Next we agree the depth: an unauthenticated surface sweep, a full authenticated assessment role by role, or something in between. Then we fix the practicalities and the compliance driver so the report lands as audit-ready evidence.

From there our CREST-certified testers translate the agreed scope into a day-range and a fixed price, set out in writing before anyone signs. Because that price is built from a defined day count, not a guess, it does not move mid-engagement unless the scope does.

Checklist: what to have ready before you request a quote

You will get a faster, tighter quote if you have these to hand:

  • ☐ Every application, external IP range, internal subnet, API and mobile app in scope, with a rough size for each (page or endpoint count).
  • ☐ The number of distinct user roles, and confirmation you can provide test credentials for each.
  • ☐ Whether testing runs against staging or production, plus any access requirements (VPN, IP allow-list).
  • ☐ Any fixed deadline, whether out-of-hours testing is needed, and whether a retest of fixed findings should be included.
  • ☐ The compliance driver, and who the report is for.

Frequently Asked Questions

What information do you need for a pen test quote?

To price a penetration test accurately we need your asset inventory (apps, external IP ranges, internal hosts, APIs and mobile apps), the number of user roles, whether testing runs against staging or production, your testing window, whether a retest is required, and your compliance driver. With those answers we can usually return a fixed day-range and price the same day.

Why is my penetration testing quote different from another provider’s?

Most differences come from scope, not day rate. One provider may assume an unauthenticated test of a few pages while another scopes a full authenticated assessment across every user role. Always compare the penetration testing scope of work, not just the headline number, so you know you are comparing like for like.

Can I get a penetration testing quote without giving you access first?

Yes. We quote from a scoping conversation and an asset inventory; you do not provide credentials or environment access until the engagement is agreed. Sharing a rough asset list and your compliance driver is enough for us to return an accurate, fixed-range quote.

Does the compliance driver change the penetration testing scope?

It can. Cyber Essentials Plus is a defined control audit rather than a full penetration test, PCI DSS prescribes specific segmentation and application testing, and ISO 27001 frames the report as management-system evidence. Telling us the standard up front means the scope and the deliverable match what your auditor expects.

Get an accurate, scoped penetration testing quote

The fastest way to a price you can rely on is a short scoping call. Gather the asset details above, then request your penetration testing quote and our CREST-certified team will return a fixed day-range and figure with a written scope of work. For headline pricing first, start at the cost hub or review our pricing.
