Back to blog Buyer Guides

How to Set a Realistic Internal Budget for Penetration Testing When You Have Never Bought One Before

You have never bought a penetration test and finance wants a number. Here is how to build a defensible budget range from your actual environment before you talk to a single company.

Author Neil Cameron
Published July 1, 2026
Read 12 min

The Problem with Guessing

If you have never purchased a penetration test, you probably have no internal benchmark for what it should cost. That makes it difficult to request budget, defend the line item, and evaluate quotes when they arrive. Your penetration testing budget needs to be grounded in your actual environment, not borrowed from a blog post’s pricing table.

This guide walks you through the internal process of building a budget range before you contact any companies. It covers who to involve, what inputs to gather, and how to present the number to finance.

This is not a pricing guide. If you need general market pricing data, see the pentest.fyi pricing article. This article focuses on the internal work that happens before procurement begins.

Step 1: Assemble the Right Internal Stakeholders

Budgeting for a pentest is not a solo exercise. You need input from people who understand the technical scope, the compliance requirements, and the financial approval process.

Here is who should be at the table:

  • Security or IT lead. They define the test objectives and understand the threat model. They will also own the relationship with the testing company.
  • Compliance officer or GRC lead. They know which frameworks mandate testing, what the reporting requirements are, and whether specific methodologies or certifications are required.
  • Application and infrastructure owners. They can enumerate systems, APIs, and network segments in scope. Without their input, your scope estimate will be wrong.
  • Finance stakeholder. Bring them in early. They need to understand why this is a recurring cost, not a one-time expense.

Skipping any of these roles leads to incomplete scope, unrealistic numbers, or a budget request that gets sent back.

Step 2: Inventory the Assets That Drive Pricing

Pentest pricing is driven primarily by scope. Scope is driven by what you are testing, and getting the boundaries right is a discipline of its own. Before you can estimate cost, you need a clear inventory.

External Assets

List your external-facing attack surface:

  • Public IP ranges and CIDR blocks
  • Web applications (count them individually, note complexity)
  • APIs (REST, GraphQL, SOAP, count endpoints if possible)
  • Cloud-hosted infrastructure (AWS, Azure, GCP accounts and services)
  • Domains and subdomains

Internal Assets

If you are considering an internal network test:

  • Number of internal hosts or subnets
  • Active Directory domains and forests
  • VLANs and segmentation architecture
  • On-premise servers, workstations, and network devices

Applications

For application-layer testing:

  • Number of distinct web applications
  • Estimated number of authenticated roles per application
  • Single-page applications vs. server-rendered (affects crawling complexity)
  • Mobile applications (iOS, Android, or both)
  • Thick client applications

Other Scope Variables

  • Wireless networks and office locations
  • Social engineering or phishing components
  • Physical security testing
  • Cloud configuration review (separate from infrastructure testing)

Put this inventory into a spreadsheet. It becomes the foundation for every conversation that follows, both internal and external.

Step 3: Define the Test Type and Objectives

Different test types carry different price points. Be specific about what you need.

Test TypeTypical ScopeRelative Cost
External network pentestPerimeter IPs, servicesLower
Internal network pentestSubnets, AD, segmentationModerate
Web application pentestSingle app, all rolesModerate
API pentestEndpoint set, auth flowsModerate
Mobile application pentestOne platform, backendModerate to higher
Red team engagementFull attack simulationHigher
Social engineeringPhishing, vishing, physicalVariable
Cloud configuration reviewOne or more cloud accountsModerate

A common first-time mistake is requesting a “full pentest” without specifying the type. That phrase means different things to different companies. Pin down whether you need an external network test, an application test, or both. Each one is a separate line item in your budget.

Step 4: Factor in Compliance Requirements

Compliance mandates affect your budget in three ways: they dictate minimum scope, they constrain timing, and they may require the testing company to hold specific certifications.

PCI DSS

PCI DSS requires annual penetration testing that covers both network and application layers of the cardholder data environment. The methodology must follow an accepted industry approach. The test must be performed by a qualified internal resource or external party. This typically means the scope cannot be reduced to save money.

SOC 2

SOC 2 does not mandate penetration testing, but auditors frequently expect it as evidence of the “Risk Mitigation” or “System Operations” criteria. If your auditor expects a pentest report, clarify exactly what scope they require. Some accept a lightweight external scan. Others expect a full application-layer test.

ISO 27001

ISO 27001 requires you to identify and treat information security risks, including technical vulnerability management. Penetration testing is a common control, but the standard does not prescribe how often or how deep. Your scope is driven by your risk assessment.

Contractual Obligations

Check your customer and partner contracts. Enterprise customers frequently require annual pentesting as a condition of doing business. Some specify scope or certification requirements (CREST, for example). These contractual terms directly affect what you need to budget.

How Compliance Affects the Number

Compliance-driven tests tend to cost more because:

  • Scope is fixed by the framework, not by your preference
  • Reporting requirements are stricter (detailed findings mapped to controls)
  • Timing is non-negotiable (annual, quarterly, or before an audit date)
  • Certification requirements (CREST, PCI QSA) limit your pool of eligible companies

Account for these constraints when building your range. A compliance-driven pentest for a PCI environment will cost more than a discretionary external network scan.

Step 5: Budget for Retesting and Remediation Verification

First-time buyers almost always forget this line item. The pentest itself produces findings. Your team remediates those findings. Then someone needs to verify the fixes work.

Retesting is a distinct cost. Here is how to plan for it:

  • Included retesting. Some companies include one round of retesting in their quote. Ask about this when evaluating proposals, but do not assume it is included.
  • Paid retesting. Many companies charge separately for retesting, either as a flat fee or on a time-and-materials basis. Expect retesting to add 15 to 30 percent to the base cost.
  • Remediation support. If your team lacks the expertise to fix certain findings, you may need to bring in external help. Budget for this separately from the pentest itself.

A realistic budget line should include three components:

  1. The base engagement cost
  2. Retesting and verification
  3. Remediation labor (internal or external)

Step 6: Determine Frequency and Multi-Year Planning

Penetration testing is rarely a one-time purchase. Most organizations need it annually at minimum. Some need it quarterly or after significant changes.

When building your budget, plan for at least two years:

  • Year 1: Full-scope engagement covering all required test types. This is your baseline and will be the most expensive year.
  • Year 2 and beyond: Retesting of previously identified issues, testing of new assets or applications, and compliance-driven annual tests.

Multi-year contracts or retainers with a single company can reduce per-engagement costs. Factor this into your planning if you expect recurring need.

Also budget for ad-hoc testing. Major application releases, infrastructure migrations, or M&A activity may trigger unplanned tests. A 10 to 20 percent contingency buffer is reasonable.

Step 7: Build the Budget Range

You now have the inputs. Assemble them into a range.

Do not present a single number to finance. Present a low, mid, and high estimate based on scope variability.

Example Budget Worksheet

Line ItemLow EstimateMid EstimateHigh Estimate
External network pentest$8,000$15,000$25,000
Web application pentest (2 apps)$12,000$24,000$40,000
Retesting (20% of base)$4,000$7,800$13,000
Contingency (15%)$3,600$7,020$11,700
Total Year 1$27,600$53,820$89,700

These numbers are illustrative. Your actual range depends on your asset inventory, compliance requirements, and the companies you engage. Use the pentest.fyi directory to compare companies and request quotes that reflect your specific scope.

The point of the range is to give finance a realistic corridor. A single number invites pushback. A range with documented assumptions invites discussion.

Step 8: Prepare the Budget Justification

Finance does not approve budgets because security is important in the abstract. They approve budgets that are tied to specific, quantifiable business outcomes.

Here is how to structure the justification:

Tie It to Compliance Mandates

If a regulation or framework requires pentesting, state that plainly. “PCI DSS Requirement 11.4 mandates annual penetration testing. Non-compliance risks fines, loss of card processing privileges, and audit failure.” That is a concrete business consequence.

Tie It to Contractual Obligations

If customer contracts require annual pentesting, list them. “Three enterprise customers representing $X in ARR require annual pentest reports as a condition of renewal.” This makes the cost of not testing tangible.

Quantify Risk Reduction

Frame the investment against the cost of a breach. You do not need to calculate an exact ROI. You need to show that the cost of testing is a small fraction of the cost of an incident. Reference your organization’s cyber insurance policy, breach notification costs, or regulatory penalty exposure.

Show the Recurring Nature

Make clear this is an annual expense, not a one-time project. Finance prefers predictable costs. Show the multi-year trajectory and explain that costs stabilize or decrease after the first year as scope becomes better defined.

Document Your Assumptions

Attach your asset inventory and scope worksheet. Show how you derived the numbers. This makes the request auditable and reduces the likelihood of arbitrary cuts.

Common Mistakes First-Time Buyers Make

Budgeting for the cheapest quote. The lowest quote often indicates reduced scope, not a better price. If a company’s quote is significantly below your range, examine what they are excluding.

Ignoring retesting costs. A pentest without retesting is an incomplete cycle. Budget for the full loop.

Treating it as a one-time cost. Pentesting is a recurring operational expense. Budget accordingly from the start.

Not involving compliance early. If compliance requirements expand the scope after budget approval, you will be back at finance asking for more money. Get the compliance input first.

Waiting until vendor selection to build the budget. If you build your budget based on vendor quotes, you lose negotiating power and internal credibility. Build the budget independently first.

Using pentest.fyi to Validate Your Estimates

Once you have a budget range, use the pentest.fyi directory to find companies that match your scope, industry, and certification requirements. Filter by test type, geographic region, and compliance expertise.

Comparing multiple listings against your budget range helps you validate whether your estimates are realistic before you commit to a formal procurement process.

Summary: The Budget-Building Checklist

  • Identify internal stakeholders (security, compliance, app owners, finance)
  • Inventory all in-scope assets (external, internal, applications, cloud)
  • Define the test type and objectives
  • Document compliance and contractual requirements
  • Add retesting and remediation verification costs
  • Determine frequency (annual, quarterly, ad-hoc)
  • Build a low/mid/high budget range with documented assumptions
  • Prepare the justification tied to compliance, contracts, and risk
  • Validate estimates against real company quotes via pentest.fyi

This process takes time. It is worth doing before you talk to a single testing company. A well-built internal budget gives you credibility with finance, clarity with vendors, and confidence that you are spending the right amount for your actual risk profile.

Key Takeaways

  • Build a penetration testing budget before contacting companies by inventorying your assets, compliance requirements, and retesting needs.
  • Involve your security lead, compliance officer, application owners, and finance stakeholder early so the budget reflects real scope.
  • Retesting and remediation verification can add 15 to 30 percent to your base engagement cost, so budget for it explicitly.
  • Compliance mandates like PCI DSS or SOC 2 constrain both scope and timing, which directly affects what you will pay.
  • Frame the budget request to finance around quantified risk reduction and compliance obligations, not abstract security improvements.

Frequently Asked Questions (FAQ)

How much should I budget for a penetration test if I have never bought one before?

It depends on your environment size, test type, and compliance needs. Most organizations should expect to spend between $10,000 and $80,000 for a standard engagement. Building a scoping inventory of your assets is the first step to narrowing that range.

Who should be involved in setting the penetration testing budget internally?

At minimum, involve your security or IT lead, a compliance stakeholder, application or infrastructure owners who can quantify scope, and whoever controls or approves the budget in finance.

Should I budget separately for retesting after a penetration test?

Yes. Retesting to verify remediation is a distinct cost. Some companies include one retest in their initial quote, but many charge separately. Budget an additional 15 to 30 percent above the base engagement cost for retesting.

How do I justify a penetration testing budget to finance or executive leadership?

Tie it to specific compliance requirements, contractual obligations, or quantified risk. Show which regulatory mandates require testing, what contractual SLAs depend on it, and what the cost of a breach or audit failure would look like by comparison.

Does compliance like PCI DSS change what I need to budget?

Yes, significantly. PCI DSS requires testing by a qualified assessor with specific methodology. SOC 2 and other frameworks also constrain scope and timing. Compliance-driven tests tend to cost more because the scope and reporting requirements are stricter.

Related posts