Penetration Test Scope & Cost Estimator

Estimates the effort (days) and cost range for a penetration test based on your environment size, asset types, and engagement parameters.

Engagement Type

Number of In-Scope IP Addresses / Hosts (0 if N/A)

Number of Web / Mobile Applications (0 if N/A)

Number of API Endpoints (0 if N/A)

Environment Complexity

Number of Distinct Authentication / Role Levels

Report Type Required

Consultant Day Rate (USD)

Results will appear here.

Formula

Effort (days) = Base_type + (IPs × IP_scale) + (Apps × 2.0) + (Endpoints × 0.10) × Complexity_multiplier + (AuthLevels − 1) × 0.5 + Report_overhead

Cost Low = Effort × DayRate
Cost High = Effort × DayRate × 1.30

Parameters:

Base effort by type: External = 3d, Internal = 5d, Web App = 4d, Mobile = 4d, Red Team = 10d
IP scale factor: 0.05 d/host (external/web/mobile); 0.08 d/host (internal/red team)
Application overhead: 2.0 d/app (OWASP WSTG benchmark)
API endpoint overhead: 0.10 d/endpoint
Complexity multiplier: Low = 0.80×, Medium = 1.00×, High = 1.40×
Auth level overhead: 0.5 d per additional role beyond 1
Report overhead: Executive = 0.5d, Standard = 1.5d, Detailed + Retest = 3.0d
Cost high multiplier: 1.30 (senior tester premium, travel, tooling)

Assumptions & References

Effort estimates are based on CREST, PTES (Penetration Testing Execution Standard), and OWASP Web Security Testing Guide (WSTG) benchmarks.
Day rate range of $500–$10,000 reflects global market variation from boutique to top-tier firms (SANS, Bishop Fox, NCC Group published rate cards).
The 30% high-end premium accounts for senior consultant rates, travel expenses, specialised tooling licences, and management overhead.
IP scaling assumes standard service enumeration, vulnerability scanning, and manual validation per host; dense /24 subnets may be scoped differently.
Web application estimate of 2 days/app assumes an average-complexity application; highly complex apps (e.g., banking portals) may require 5–10 days each.
API endpoint estimate assumes REST/GraphQL; SOAP or proprietary protocols may increase effort.
Red team engagements typically include physical, social engineering, and C2 infrastructure — the 10-day base reflects minimum viable red team scope.
This tool does not account for compliance-specific requirements (PCI DSS, HIPAA, SOC 2) which may mandate additional test cases.
Results are indicative only. Engage a qualified penetration testing firm for a formal statement of work and fixed-price quote.

Penetration Test Scope & Cost Estimator

Formula

Assumptions & References

In the network

Network

Penetration Test Scope & Cost Estimator

Formula

Assumptions & References

More Calculators

In the network

Network