DAY-RATE DISCLOSURE · FOR TRANSPARENCY
What our consultants cost per day.
Our CREST-registered consultants are priced at a fair-market £1,100 to £1,400 per day, scaled by the rarity of the engagement. We do not bill day rates to clients. The numbers across this page are scope-based fixed prices, and once we have signed the statement of work, that number does not move. This day-rate disclosure is here so you can sanity-check our quotes against the broader UK CREST market and confirm we are neither over-charging nor cutting corners.
CHEAP PEN TESTING · WHAT TO WATCH OUT FOR
Why the cheapest quote is often the most expensive one.
Pen testing prices span a wide range because the work itself can be done well or badly with almost no visible difference at the moment of delivery. A vulnerability scan with a report cover page costs about £400 to produce. A real test of the business logic in your application costs about £10,000. To the untrained eye, both deliver a PDF.
A 2024 TechUK industry survey found 37% of UK businesses that chose budget penetration testing later discovered serious unreported vulnerabilities. Common shortcuts at the budget end of the market include:
- Automated tools run as if they were a manual test, with no business-logic coverage
- No authenticated testing, even though authenticated functionality is the most common location of high-impact bugs
- Reports generated from tool output verbatim, with no human triage or exploitability analysis
- “Pass / fail” verdicts with no remediation guidance for engineers
- No retest, so even if you fix the findings, you have no signed proof that they are closed
A pen test is a piece of evidence you take to a board, an auditor, an enterprise customer, or an insurer. The cost of getting it wrong is paying twice: once for the cheap test, once for a real one when the cheap one fails to satisfy whoever asked for it.
Pricing & Cost FAQ
Honest answers about cost, billing, and what changes the number.
How much does a penetration test cost in the UK?
Indicative UK pen test costs range from £3,000 for a small-scope external infrastructure or phishing engagement, up to £75,000+ for STAR-aligned or TIBER-UK red teaming. Most standard application, API, and cloud security pen tests land in the £6,000–£18,000 range. Every quote is fixed-price after a 30-minute scoping call; we never bill on day rates after kickoff.
Are these prices fixed or do you bill by the day?
Every quote is fixed-price after a free 30-minute scoping call. You’ll never see day rates on an invoice. If we finish faster than expected, the price doesn’t change. If something takes longer because we found more, we absorb it.
What’s included in every engagement?
Every tier (small, standard, enterprise) includes: free retests until issues are resolved, free rescheduling, no callout or out-of-hours fees, no cancellation fees, 24-hour scope-to-active-testing turnaround, live findings delivered to a client portal, executive + technical reports, a 60-minute walkthrough call with the lead consultant, and a letter of attestation for procurement / audit / insurance.
How accurate are these ranges?
Within ±15% for ~80% of engagements. The ranges reflect real 2026 UK pricing data across applicable services. Outliers exist: a 500-endpoint API with 6 user roles is going to land at the top of the Standard band or into Enterprise; a 10-endpoint internal-only tool may land below Small. The 30-minute scoping call resolves this in one conversation.
What’s not included that I should budget for?
The price quoted is the price you pay. There are no third-party costs we hide. We own the tooling (Burp Suite Pro, Nessus, Tenable, etc.) and pass nothing through. The only things outside scope are: (1) remediation work by your developers, (2) third-party retest of vendor-controlled systems if your scope includes them, (3) bounty payouts on bug-bounty programmes (these are not consulting fees).
Do you offer multi-engagement / annual discounts?
Yes. Customers committing to an annual programme (e.g., quarterly application testing, or a year of attack surface monitoring) typically receive 5–10% off list price. Multi-service bundles (web + mobile + API in one engagement) typically see 5–15% off. Public sector framework rates available via Crown Commercial Service.
How quickly can you start?
Scope-to-active-testing within 24 hours for most engagements. Same-week start for standard pen tests. Red team engagements involve a 1–2 week threat-intelligence phase before active operations. London / Canary Wharf on-site engagements available within next business day.
What if my scope doesn’t fit any of these tiers?
Most scopes do, but if yours genuinely doesn’t (extreme scale, novel technology stack, regulator-specific requirements), we’ll quote against the closest tier and explain the delta in the scoping call. Examples: Layer-1 blockchain protocols, novel AI agent architectures, TIBER-UK Threat-Led Penetration Testing, M&A target due diligence.
Are reports accepted by auditors, regulators, and insurers?
Yes. Our reports are submitted directly to FCA, NCSC, NHS DSPT, ICO, ISO 27001 auditors, SOC 2 auditors, and the major cyber-insurance underwriters without translation work. CREST member status, IASME Certifying Body status, ISO 27001 + ISO 9001 certification on file. Verifiable on the public registries.