Pentest Cost Estimator
Plug in your scope — number of apps, APIs, network hosts, auth complexity, target report standard — and get an indicative USD price range. Calibrated to senior operator day rates published by CREST member firms in 2024–2025.
Set your scope — the estimate recalculates instantly.
Day rates anchored to 2024–2025 published rates for senior operators with CREST CHECK, OSCP or OSWE credentials. Engagements billed in INR are quoted below the low end of this band; see /pricing.
- 1 web app(s) × 4 days: 4.0 d
- 1 API(s) × 3 days: 3.0 d
- Single-role auth uplift (+10%): 0.7 d
- Report mapping (ASVS L2) +15%: 1.2 d
- 1 free retest within 30 days (+15%): 1.3 d
- Reporting + project management: 2.0 d
FAQ
How accurate is the estimate?
It is an indicative range, not a quote. Estimates fall within ±30% of typical real quotes for engagements whose scope matches the input pattern. Real quotes depend on the technology stack (a React SPA with a single GraphQL endpoint is much faster to test than a 15-year-old Java EE monolith), source access (white-box testing covers the same scope in roughly half the time black-box testing takes), authentication chain complexity, infrastructure security maturity, and the language of the final report. Use the estimator to sanity-check whether a vendor quote is in the right ballpark, not as a figure to negotiate against.
What day rates does the estimator assume?
A blended USD band from $1,200 to $2,400 per operator-day. Lower anchor: AxVeil INR rates for senior operators (₹40k–₹80k/day, roughly $480–$960). Upper anchor: published US/UK senior pentester rates from CREST member firms ($1,800–$3,000/day). The blended band is calibrated to give a realistic range for what most procurement teams will see in vendor quotes — INR-billed engagements come in below the low end, US tier-1 firms come in above the high end.
Why does the report standard affect price?
Different attestation standards require different evidence pack depth. OWASP Top 10 coverage is the baseline: an automated scan plus manual validation of each category, with no uplift. OWASP ASVS L2 requires every applicable control to be tested and either marked PASS or written up with reasoning, roughly 15% more operator time per app. SOC 2 evidence mapping requires control-to-test traceability tagged to CC7.1 / CC8.1 (+20%). PCI DSS v4.0 Requirement 11.4.x requires methodology references, segmentation testing where applicable, and a report structured the way the assessor expects (+25%). The uplifts are operator time, not paperwork: auditors want the testing actually done against each control, not a finding list re-labelled afterwards.
Does the estimate include retests?
Optionally, yes; toggle the checkbox. AxVeil engagements include one free retest per finding within 30 days of the original engagement as standard, costed at roughly 15% of the base engagement. Some vendors charge separately for retests; if you are comparing quotes, make sure you are normalising for that. Without a retest, a 'pass' report is just a snapshot: the next deploy can re-introduce the bug and you have no proof of remediation to show auditors.
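The arithmetic behind the sample breakdown above and the three FAQ answers on day rates, report standards and retests, re-implemented in plain Python as an added example so you can reproduce the figures and check a vendor quote against the band offline. This is illustrative code written for this page, not AxVeil's own calculator. Two things are assumptions rather than statements on the page: the percentage uplifts compound in the order auth, then report standard, then retest (the only order that reproduces the 0.7 / 1.2 / 1.3 day figures in the sample), and the reporting + project management block is a flat 2 days regardless of scope. The function and variable names are mine.

```python
"""Added example: re-implementation of the page's estimator arithmetic.

Assumptions not stated on the page: uplifts compound in the order
auth -> report standard -> retest, and reporting + PM is a flat 2 days.
"""
from dataclasses import dataclass, field

DAYS_PER_WEB_APP = 4.0
DAYS_PER_API = 3.0
# Only the single-role value appears on the page; "none" means no uplift.
AUTH_UPLIFT = {"none": 0.0, "single-role": 0.10}
# Report-standard uplifts as listed in the FAQ (OWASP Top 10 is the baseline).
REPORT_UPLIFT = {"owasp-top10": 0.0, "asvs-l2": 0.15, "soc2": 0.20, "pci-dss-11.4": 0.25}
RETEST_UPLIFT = 0.15          # one free retest within 30 days, ~15% of the engagement so far
REPORTING_PM_DAYS = 2.0       # flat figure (assumption)
DAY_RATE_USD = (1200, 2400)   # blended low / high operator-day band from the FAQ


@dataclass
class Estimate:
    lines: list = field(default_factory=list)   # (label, days) in display order
    total_days: float = 0.0
    low_usd: int = 0
    high_usd: int = 0


def estimate(web_apps: int, apis: int, auth: str = "none",
             report: str = "owasp-top10", retest: bool = False) -> Estimate:
    """Build the line-item breakdown and USD band for one scope."""
    if web_apps < 0 or apis < 0:
        raise ValueError("scope counts must be non-negative")
    if web_apps == 0 and apis == 0:
        raise ValueError("at least one app or API is needed")
    est = Estimate()
    running = 0.0

    def add(label: str, days: float) -> None:
        nonlocal running
        est.lines.append((label, days))
        running += days

    add(f"{web_apps} web app(s) x {DAYS_PER_WEB_APP:g} days", web_apps * DAYS_PER_WEB_APP)
    add(f"{apis} API(s) x {DAYS_PER_API:g} days", apis * DAYS_PER_API)
    # Each uplift is a percentage of everything accumulated before it (compounding).
    add(f"Auth uplift, {auth} (+{AUTH_UPLIFT[auth]:.0%})", running * AUTH_UPLIFT[auth])
    add(f"Report mapping ({report}) +{REPORT_UPLIFT[report]:.0%}", running * REPORT_UPLIFT[report])
    if retest:
        add(f"1 free retest within 30 days (+{RETEST_UPLIFT:.0%})", running * RETEST_UPLIFT)
    add("Reporting + project management", REPORTING_PM_DAYS)

    est.total_days = running
    est.low_usd = round(running * DAY_RATE_USD[0])
    est.high_usd = round(running * DAY_RATE_USD[1])
    return est


def normalise_quote(quote_usd: float, includes_retest: bool) -> float:
    """Put a vendor quote on the same footing as an estimate that includes a retest:
    a quote that excludes the retest is grossed up by the page's ~15%."""
    return quote_usd if includes_retest else quote_usd * (1 + RETEST_UPLIFT)


def ballpark(quote_usd: float, est: Estimate, includes_retest: bool = True) -> str:
    """Classify a vendor quote against the estimate band. 'below band' is not
    automatically good news: check whether scope or the retest was dropped."""
    q = normalise_quote(quote_usd, includes_retest)
    if q < est.low_usd:
        return "below band"
    if q > est.high_usd:
        return "above band"
    return "in band"


def format_breakdown(est: Estimate) -> str:
    rows = [f"- {label}: {days:.1f} d" for label, days in est.lines]
    rows.append(f"Total: {est.total_days:.1f} d  ->  ${est.low_usd:,} - ${est.high_usd:,}")
    return "\n".join(rows)


if __name__ == "__main__":
    # The page's sample scope: 1 web app, 1 API, single-role auth, ASVS L2, retest on.
    sample = estimate(1, 1, auth="single-role", report="asvs-l2", retest=True)
    print(format_breakdown(sample))
    print(ballpark(16000, sample))                          # in band
    print(ballpark(13000, sample, includes_retest=False))   # grossed up to 14,950 -> in band
```

Running the sample reproduces the breakdown above (4.0, 3.0, 0.7, 1.2, 1.3, 2.0 days) and a total of about 12.2 operator-days, which at the $1,200–$2,400 band is roughly $14,600–$29,200. The ballpark check is the FAQ advice in code: gross up a quote that excludes the retest before comparing it, and treat a quote below the band as a prompt to ask what was left out rather than as a bargain.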
I want a real quote. What now?
Send your scope to the contact form — typically you get a written, fixed-price scope back within one business day. The scope includes start/end dates, named lead operator, the standards/methodologies applied, the report format and the retest policy. NDA on request before any sensitive scoping detail is shared. Indian buyers get a GST-compliant invoice; international buyers get a USD invoice and W-8BEN-E on request.