Most pentest sticker shock is a scoping problem, not a market problem. Companies hear “$25,000 minimum” from a Big Four advisory practice and assume that is the price of penetration testing. It is not. It is the price of one specific procurement model — the one designed for Fortune 500 enterprises buying through a vendor management office.
A 30-person SaaS company on a $250M ARR trajectory does not need that engagement. They need a scoped, focused test that produces SOC 2 evidence and finds the actual things that are wrong. Done right, that is a $2,000 to $4,000 line item, not a $25,000 one. This piece walks through how to scope it that way.
Start with the compliance frame, not the asset list
The most common scoping mistake is starting with “what should we test?” The right starting question is “what evidence do we need, and what is the minimum testing that produces it?”
For a SOC 2 audit, the answer is a network and application pentest covering the systems in scope of the trust services criteria — which usually means the production application, the customer-facing API, and the cloud infrastructure that hosts them. It does not mean every internal subnet, every developer laptop, and every SaaS integration your company uses. SOC 2 auditors want pentest evidence on the attested system boundary, not your entire IT estate.
For a HIPAA security risk assessment, the scope narrows further: the systems handling electronic protected health information. For PCI DSS Requirement 11.3, the cardholder data environment plus any system that can affect its security. For ISO 27001 Annex A, the controls in your statement of applicability.
Pull your auditor’s last gap letter or your framework’s pentest scope guidance, and let that drive the asset list. You will almost always end up with a smaller and cheaper scope than your security engineer’s wish list — and one that actually satisfies the audit.
External, web app, and internal — pick your battles
For most SMBs, three test types cover ninety percent of real risk:
External network pentest is the cheapest of the three and typically the highest leverage. An attacker hitting your perimeter does not care about your VPN policy or your developer best practices — they care about exposed services, weak TLS, and forgotten subdomains. Manual external pentests for ten or fewer IPs run around $2,000 at our pricing and meet most compliance pentest requirements. AI-driven external pentests covering up to 50 assets start at $500 if you need quick coverage between manual cycles.
Web application pentest is where authentication, authorization, and business logic flaws live. If you operate a SaaS product, this is non-negotiable. OWASP Top 10 coverage, role-based access testing, session management, and authenticated logic walks. A targeted web app pentest of one main application starts around $3,000.
Internal network pentest simulates an attacker who already has a foothold — a phished employee, a compromised laptop, an insider threat. For most SMBs this is the test you want second, after the external. Internal pentests on a single corporate network start at $3,000 manual or $500 for AI-assisted coverage of up to 50 assets.
The combination of external plus web app plus internal is usually all an SMB needs to satisfy SOC 2, ISO 27001, or PCI DSS Level 4 requirements. Total cost in the $5,000 to $9,000 range — not the $25,000 a generic enterprise consulting practice will quote.
When AI-assisted testing is enough — and when it is not
AI pentesting has gotten genuinely useful in the last 18 months. For external network coverage and basic internal asset enumeration, an AI-driven pentest finds the same misconfigurations a junior pentester would in the first week of an engagement, in a fraction of the time and cost. For routine quarterly coverage between annual manual tests, this is the right tool.
What AI pentesting still cannot do is authenticated web application testing with multi-step business logic. Logging in as a tenant admin, attempting to access another tenant’s data, attempting to chain a low-privilege endpoint with an information disclosure flaw — that requires a human with a coffee, a Burp Suite license, and a few uninterrupted hours. AI tools that claim to do this well today are mostly producing false positives and false negatives in the same scan.
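The cross-tenant access check described above, reduced to code as an added illustration (not from the original post or its author): a document lookup that is scoped only by id beside one scoped by the caller's tenant, plus the isolation check a tester performs against each. The session model, document store and names are constructed for this example.

```python
# Added example: modelling the "tenant admin reaches another tenant's data"
# check from a defender's side. All data and names here are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str
    role: str  # "admin" or "member"


# Constructed sample store: two tenants, each owning one document.
DOCUMENTS = {
    "doc-1001": {"tenant_id": "tenant-a", "body": "tenant A contract"},
    "doc-1002": {"tenant_id": "tenant-b", "body": "tenant B contract"},
}


class Forbidden(Exception):
    pass


def get_document_vulnerable(session: Session, doc_id: str) -> dict:
    """Authenticates the caller but looks the record up by id alone,
    so any logged-in user of any tenant can read any document."""
    if session.role not in ("admin", "member"):
        raise Forbidden("unauthenticated")
    return DOCUMENTS[doc_id]


def get_document_fixed(session: Session, doc_id: str) -> dict:
    """Scopes the lookup to the caller's tenant taken from the session,
    never from the request, and answers missing and foreign documents
    identically so the response does not leak existence."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["tenant_id"] != session.tenant_id:
        raise Forbidden("not found")
    return doc


def isolation_holds(fetch, foreign_doc_id: str, caller: Session) -> bool:
    """The tester's check: True if a caller from another tenant is refused."""
    try:
        fetch(caller, foreign_doc_id)
    except (Forbidden, KeyError):
        return True
    return False


if __name__ == "__main__":
    tenant_a_admin = Session("alice", "tenant-a", "admin")
    print("vulnerable endpoint isolates tenants:",
          isolation_holds(get_document_vulnerable, "doc-1002", tenant_a_admin))
    print("fixed endpoint isolates tenants:",
          isolation_holds(get_document_fixed, "doc-1002", tenant_a_admin))
```

A scanner that only sees a 200 response on both endpoints cannot tell these apart; the check needs a second tenant's credentials and knowledge of which document belongs to whom.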
Our practical guidance: AI for breadth, manual for depth. AI-driven external and internal scans on a quarterly cadence at $500 each, plus a manual web application pentest annually for $3,000. Total annual program cost around $5,000 for an SMB that ships a SaaS product.
A specific note for MSPs reselling pentesting
If you are an MSP reading this with the intent of providing pentesting to your client base rather than buying it for yourself, the math is different. You do not want to send your clients to a generic pentest vendor — half of those firms will treat your clients as direct sales targets the moment the engagement closes.
What MSPs actually need is a channel-only partner that white-labels reports under your brand, prices for resale margin, and contractually agrees not to poach your customers. We run a separate operation specifically for this — an MSP-focused penetration testing reseller program with reseller pricing, sample reports under your branding, and a non-compete on direct outreach to your clients. Different brand, same OSCP-certified team, different commercial model. If you are scoping pentests for clients, that is the relationship you want, not a one-off transactional buy at retail.
What to ignore when scoping
A few items most SMBs are encouraged to buy and should not, at least not yet:
Red team engagements. A red team is a months-long simulation of a sophisticated attacker including physical access, social engineering, and stealth network operations. It is the right thing for a Fortune 500 with a mature blue team. For an SMB without an internal SOC, it is performance art — you will not have the response capability to learn from it. Skip it.
Continuous pentesting platforms with annual contracts. The pitch is “pentest as a service.” The reality, for a 30-person company, is paying $40,000 a year for what amounts to a vulnerability scanner with a slightly nicer UI. Buy a pointed annual manual pentest plus AI-assisted quarterly coverage and pocket the difference.
Adding “and also test our office WiFi” as an afterthought. WiFi pentesting starts around $8,000 because it requires on-site work or careful remote rogue AP infrastructure. If you do not have a regulatory reason to test it, the dollars are usually better spent on a second round of web application testing.
What good vendor selection looks like
Three questions to ask any pentest vendor before signing:
- Who exactly is doing the testing? You want OSCP, OSCE, or GPEN certified operators on the engagement, not subcontractors of subcontractors. Names on the SOW, ideally.
- What does the report look like? Ask for a sanitized sample. A real pentest report has an executive summary, a methodology section, findings ranked by severity with CVSS scores, proof-of-concept evidence, and remediation steps. If the sample is a slide deck or a 10-page summary of a vulnerability scan, walk away.
- What happens if we fix the findings? A reputable vendor includes a remediation retest within 60 to 90 days. If retesting is a separate billable, the vendor is not confident in their findings or is pricing a follow-on engagement into a future quarter. Both are bad signs.
Get those three answers in writing before you sign. The rest is execution.
If you want a quote scoped against your actual compliance frame and asset list, our quote request returns a written scope within one business day. No deck, no enterprise consulting kabuki — just the line items you actually need.