How much does a penetration test cost in the UK?

Real pricing for UK pentests in 2026. What affects the cost, what you should expect to pay, and how to avoid getting ripped off.

By Jellybean Cyber

"How much does a pentest cost?" is the first question everyone asks. The honest answer is: it depends. But that's not helpful, so here's what it actually depends on and what real numbers look like.

The short answer

For a UK small business, expect to pay somewhere between £3,000 and £15,000 for a penetration test. Most SMB engagements land in the £4,000–£8,000 range.

If someone quotes you £500, they're running an automated scan and calling it a pentest. If someone quotes you £50,000 and you have 20 employees, they're quoting for a different company.

What affects the price

Scope

This is the biggest factor. A test covering 5 external IP addresses is very different from one covering 5 IP addresses, 3 web applications, an Active Directory domain, and a phishing campaign.

More attack surface means more time, which means higher cost. That's not padding — it's the difference between checking the front door and checking every window, every lock, and every alarm.

Type of test

  • External network test — testing what's visible from the internet. Usually the starting point. Lower end of the price range.
  • Internal network test — simulating an attacker who's already inside your network. Requires more time and often on-site or VPN access.
  • Web application test — testing a specific application against OWASP Top 10 and beyond. Price depends on the complexity of the app.
  • Social engineering — phishing campaigns, vishing (phone-based), physical access testing. Often added on top of a technical test.
  • API testing — testing your API endpoints for authentication, authorisation, and injection vulnerabilities.

Complexity of your environment

A flat network with 10 Windows machines is simpler to test than a segmented environment with multiple VLANs, cloud infrastructure, Active Directory forests, and legacy systems. More complexity means more time.

Methodology and reporting

A proper pentest follows a methodology like PTES or OWASP Testing Guide. The report should include an executive summary, detailed technical findings with evidence, CVSS scores, and specific remediation steps.

If a provider can't tell you their methodology, that's a red flag.

What you should get for your money

At minimum:

  • A scoping call before any work starts
  • A fixed-price quote — not an estimate, not a day rate
  • Manual testing — not just an automated scan
  • A detailed report with findings, evidence, and fix instructions
  • A walkthrough call to discuss the findings
  • A free retest after you've remediated the critical issues

If any of those are missing, you're not getting a proper pentest.

Red flags when comparing quotes

  • No scoping call — they quoted without understanding your environment
  • Per-day pricing — incentivises slower work and makes costs unpredictable
  • "Unlimited" scope — nobody can test everything. Defined scope protects both sides
  • No retest included — the retest proves you've actually fixed the problems
  • Report is just a scanner export — Nessus or Qualys output with a logo on it is not a penetration test report

How to get a quote from us

We do a 30–45 minute scoping call, then send you a fixed-price quote within 48 hours. The price covers everything: testing, reporting, walkthrough, and retest.

No day rates. No surprises. No charges for asking questions.

Book a scoping call — it's free and there's no obligation.