
How much does a penetration test cost? (and the cheaper way to launch securely)

What a pentest really costs in 2026 — firm vs freelancer vs automated, realistic price ranges, and how to launch securely without a €15–20k engagement.

Frederick Marinho · 17 June 2026 · 6 min read

You want a number. You found this post because you typed "how much does a penetration test cost" into a search bar, and you're hoping the answer isn't scary. It is a little scary, but it's also more nuanced than the firms make it sound.

The short version: a real penetration test from a security firm runs about €15,000 to €20,000 and takes weeks to schedule and deliver. For a funded enterprise checking a compliance box, that's a line item. For a solo founder trying to launch this month, it's the kind of number that quietly ends the conversation. So let's break down what you're actually paying for, and where you can get most of the value for a fraction of the price.

What actually drives the price

Pentest pricing is not arbitrary, but it is opaque. Four things move the number more than anything else.

Scope. How many endpoints, how many user roles, how much surface area. A single marketing site is cheap to assess. A multi-tenant SaaS with billing, an admin panel, an API, and OAuth logins is not. The bigger and weirder your app, the more hours someone has to spend understanding it before they can even start poking at it.

Who does the work. A name-brand firm with a reputation to protect charges the most, because part of what you're buying is a logo on a report that an enterprise buyer or an auditor will accept. A solo freelancer off a marketplace might quote a fifth of that. The catch is that quality varies wildly, and you usually can't tell good from bad until after you've paid.

Manual versus automated. A senior human chaining together a logic flaw across three requests is expensive and irreplaceable. A scanner that fires off ten thousand requests looking for known patterns is cheap and tireless. Most real-world security work is a blend, and a lot of what firms bill as "manual testing" is actually a tool's output with a human writing it up.

One-off versus continuous. A single engagement is a snapshot. The day after they hand you the report, you ship a new feature and the snapshot is stale. Continuous or repeatable testing costs more upfront to set up but matches how you actually build, which is constantly.

Realistic ranges for a startup

Here's the honest spread for a small web app or SaaS in 2026.

A reputable firm engagement: roughly €15,000 to €20,000, with two to six weeks of lead time before anyone touches your app, plus another week or two for the report. You'll fill out scoping questionnaires, sign paperwork, and wait for a slot.

A freelancer: anywhere from €2,000 to €8,000, faster to start, with a quality range that runs from excellent to a lightly reformatted scanner dump.

A pure automated scanner you run yourself: cheap or free, instant, and noisy. Good for catching obvious misconfigurations, useless at understanding whether user A can read user B's invoices.

Why that math kills the check

Walk through the founder's version of this decision. You have maybe ten thousand euros of runway-funded budget for the entire quarter. A €17,000 pentest is more than that. Even if you could afford it, the three-week lead time means you either delay launch or launch unscanned and book the test for "later" — and later never comes, because by then you're firefighting something else.

So the typical outcome isn't "founder buys a thorough pentest." It's "founder buys nothing, ships, and hopes." The price doesn't make founders more secure. It mostly makes them skip security entirely. That's the actual problem worth solving: not making the €17,000 test cheaper, but making the decision to test something you say yes to instead of defer.

The autonomous alternative

This is where the economics change. An autonomous scan does the broad, repetitive, exhausting part of a pentest — the part that's most of the hours and least of the genius — in minutes instead of weeks, and it does it the same way every time.

Kalit Pentest runs around twelve specialist agents in parallel, moving through the same phases a human would: reconnaissance, then probing for vulnerabilities, then careful exploitation, then a written report. It only tests targets you've authorized, and it's non-destructive — it proves a bug is real without breaking your app or deleting your data. Every finding comes with a CVSS severity score, reproducible evidence (the actual request and response that triggered it), and a specific remediation, so you're not left guessing what "high risk" means or how to fix it.

The output is built for how you work. It exports SARIF, so findings drop straight into GitHub or your CI as code-scanning alerts, plus PDF and HTML reports if you need something to hand to a customer. And because a run takes minutes, re-scanning after you ship a fix is free in practice — you're not booking another five-figure engagement, you just run it again. That answers the "snapshot goes stale" problem directly.
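As an added illustration of the SARIF flow described above (not Kalit's own code or its real export format, which this post does not show), the Python below turns a list of findings carrying a CVSS score, request/response evidence and a remediation into a SARIF 2.1.0 log. The finding records are constructed for the example; the CVSS-to-level mapping collapses the CVSS 3.x qualitative bands onto SARIF's three result levels, and the `security-severity` rule property is the one GitHub code scanning reads to display severity.

```python
"""Turn scanner findings into a SARIF 2.1.0 log for GitHub code scanning.

Added example: the finding shape below is constructed for illustration and
is not the export format of any particular product.
"""
import json

# Constructed sample findings, each with the three things the article says a
# finding should carry: a CVSS score, reproducible evidence, a remediation.
SAMPLE_FINDINGS = [
    {
        "id": "IDOR-INVOICE",
        "title": "Invoice readable by another tenant's user",
        "cvss": 8.1,
        "uri": "api/invoices.py",
        "line": 42,
        "request": "GET /api/invoices/1042 HTTP/1.1\nAuthorization: Bearer <user-B-token>",
        "response": 'HTTP/1.1 200 OK\n{"invoice_id": 1042, "owner": "user-A"}',
        "remediation": "Check invoice.owner == current_user before returning the record.",
    },
    {
        "id": "MISSING-HSTS",
        "title": "Strict-Transport-Security header not set",
        "cvss": 3.1,
        "uri": "config/nginx.conf",
        "line": 7,
        "request": "GET / HTTP/1.1",
        "response": "HTTP/1.1 200 OK\nServer: nginx",
        "remediation": 'Add: add_header Strict-Transport-Security "max-age=31536000" always;',
    },
]


def cvss_to_sarif_level(score: float) -> str:
    """Map a CVSS v3 base score to a SARIF result level.

    SARIF only knows error/warning/note, so the CVSS 3.x bands
    (Critical 9.0+, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9) are
    collapsed: High and Critical -> error, Medium -> warning, Low -> note.
    """
    if score >= 7.0:
        return "error"
    if score >= 4.0:
        return "warning"
    return "note"


def build_sarif(findings, tool_name="example-scanner"):
    """Build a SARIF 2.1.0 document with one rule and one result per finding."""
    rules = []
    results = []
    for f in findings:
        rules.append({
            "id": f["id"],
            "shortDescription": {"text": f["title"]},
            "help": {"text": f["remediation"]},
            "properties": {
                # GitHub reads security-severity (a 0.0-10.0 string) to show
                # CVSS-style severity on the alert.
                "security-severity": str(f["cvss"]),
                "tags": ["security"],
            },
        })
        results.append({
            "ruleId": f["id"],
            "level": cvss_to_sarif_level(f["cvss"]),
            "message": {"text": f"{f['title']}. Fix: {f['remediation']}"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": f["uri"]},
                    "region": {"startLine": f["line"]},
                }
            }],
            # The request/response evidence travels with the result so the
            # alert is reproducible from the CI UI alone.
            "properties": {"request": f["request"], "response": f["response"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": rules}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    # Write results.sarif, then upload it in CI with the
    # github/codeql-action/upload-sarif action to get code-scanning alerts.
    with open("results.sarif", "w", encoding="utf-8") as fh:
        json.dump(build_sarif(SAMPLE_FINDINGS), fh, indent=2)
    print(json.dumps(build_sarif(SAMPLE_FINDINGS), indent=2))
```

Uploading the resulting file with GitHub's `upload-sarif` action is what turns each result into a code-scanning alert on the repository, which is the "drops straight into CI" behaviour the paragraph describes; the same file is what a re-scan after a fix would regenerate.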

If you want context on what these scans are actually looking for, the OWASP Top 10, explained for founders is a good primer, and when you're ready to do it, here's how to run the scan before launch.

When you still want a human firm

Automation isn't a religion, and pretending it replaces everything would be dishonest. There are real cases where you should write the big check.

Compliance attestation. If a SOC 2 auditor, an enterprise procurement team, or a regulator requires a named third party to sign off, you need that signature. A tool's report, however good, isn't a human attestation. Some doors only open with a firm's letterhead.

Genuinely complex business logic. A creative human is still better at reasoning about your app's specific rules — the multi-step checkout that can be tricked into a free order, the approval workflow that skips a step under a weird condition. These flaws live in your domain, not in a vulnerability catalog, and they reward intuition.

The sensible play for most founders is sequencing. Run automated scanning continuously from day one, fix what it finds, and bring in a human firm later — when you have revenue, an enterprise deal on the line, or a compliance deadline. By then the firm is auditing a hardened app instead of finding the obvious stuff you could have caught yourself for almost nothing.

Recap

The pricing question has a clearer answer once you separate the parts.

  1. A firm pentest costs roughly €15,000 to €20,000 and takes weeks — real value, wrong fit for most pre-launch founders.
  2. Price is driven by scope, who does the work, manual versus automated, and one-off versus continuous.
  3. For founders, that price usually doesn't buy security — it buys skipping security.
  4. An autonomous scan covers the broad, repeatable work in minutes, with evidence and fixes, and re-scans for free.
  5. Keep a human firm for compliance attestation and complex business-logic review, ideally after you've already hardened the easy stuff.

The goal was never the most expensive test. It was shipping something you've actually checked. Make security a thing you do, not a quote you flinch at and file away.