Methodology
How we verify pen test pricing
The pen test market is structurally quote-only. Of the 9 providers we track, only 1 publishes a live day rate today. The rest are engagement-quoted or use PtaaS tiers with no published numbers. This methodology page documents how we handle that honestly.
What counts as a 'verified' day rate
Live-verified means the vendor publishes a day rate on their own pricing page and we successfully fetched it on the verifiedOn date. Precursor Security is the only UK provider in our matrix meeting this bar today. Industry-reported means the figure is triangulated from at least two independent third-party sources that cite the vendor's rates, and we flag it accordingly.
The UK industry-consensus band
Standard UK CREST-certified consultant day rates triangulate to £1,000-£1,500/day across four independent 2026 industry sources (Gradeon, Fortbridge, Cybergen, SecForce). All four arrive at the same band independently. We use £1,200/day as the fair-benchmark median for scoping purposes. CHECK-Team-Member-led work for UK government carries a £300-£500/day premium and we surface that as a separate option in the calculator.
What we deliberately exclude
The widely circulated "$4,000-$7,000/day Bishop Fox" figure does not trace to a Bishop Fox-published source. We have not been able to verify it against either a vendor page or an industry survey. Until we can, it is not on this site. The same principle applies to any other figure we cannot trace to a primary source.
US day rates
The US pen test market is structurally quote-only. The Intruder.io 2026 cost guide is the single independent source with a published US range ($1,000-$3,000/day) that we could verify today. The band is wider than the UK one; this reflects genuine variance in US engagement scope rather than a wider true distribution. For US procurement, the honest advice is to get at least three written quotes: the calculator gives a starting band, not a procurement-grade number.
Scope day counts
Day-count ranges per scope are synthesised from Precursor Security's published scope ranges, cross-referenced against OWASP testing-guide depth and NIST SP 800-115 structured-testing recommendations. Small / Medium / Large bands are deliberately wide because real engagement sizing depends on multiple factors (asset count, authentication complexity, test methodology depth) that no aggregated benchmark captures cleanly.
Test class multipliers
Vulnerability assessment, pen test, red team, and PtaaS-continuous engagements have different day-count footprints. Multipliers in the calculator are derived from CREST methodology + industry consensus: vuln assessment ~0.5×, pen test 1.0× baseline, red team 2.5×, PtaaS continuous 0.7× per quarterly cycle. The 2.5× for red team reflects senior consultant rates + longer engagements.
CREST + CHECK certification verification
Both certifications were verified today against the CREST member directory and the NCSC CHECK provider listing, not the vendor's own claims. Where a provider claims a certification we could not independently verify, we flag it with a verificationNote and exclude the claim from the certification column.
Cobalt State of Pentesting 2025 remediation data
The remediation statistics on the home page (48% all-vuln resolve rate, 67d median MTTR, 37d serious MTTR, 21% LLM-vuln remediation) are sourced from Cobalt's free annual report — primary source, not aggregator citation. We include this because pen test budgets routinely under-cost the remediation effort that follows the report.
Re-verification cadence
Every provider and benchmark row is re-checked at least quarterly. The verifiedOn date next to each row is the most recent re-check. A pre-deploy CI gate refuses to publish any data file containing a row that is missing a verifiedOn date or whose verifiedOn date is older than 90 days.
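One way such a freshness gate could be written, as an added example that is not Digital Signet's own code. It assumes rows are dictionaries with an ISO-8601 (YYYY-MM-DD) verifiedOn string and a hypothetical id field, and it goes beyond the rule stated above by also rejecting unparseable and future dates.

```python
from datetime import date

MAX_AGE_DAYS = 90  # from the page: rows older than 90 days block publication


def check_rows(rows, today):
    """Return (row_id, reason) for every row that must block a deploy."""
    failures = []
    for i, row in enumerate(rows):
        row_id = row.get("id", f"row[{i}]")  # "id" is an assumed field name
        raw = row.get("verifiedOn")
        if not raw:
            failures.append((row_id, "missing verifiedOn"))
            continue
        try:
            verified = date.fromisoformat(raw)  # assumes YYYY-MM-DD strings
        except (TypeError, ValueError):
            failures.append((row_id, f"unparseable verifiedOn: {raw!r}"))
            continue
        age = (today - verified).days
        if age < 0:
            # Added assumption: a future date would defeat the staleness check.
            failures.append((row_id, "verifiedOn is in the future"))
        elif age > MAX_AGE_DAYS:
            failures.append((row_id, f"stale: verified {age} days ago"))
    return failures


def gate(rows, today=None):
    """Exit status for the CI step: 0 allows the publish, 1 refuses it."""
    failures = check_rows(rows, today or date.today())
    for row_id, reason in failures:
        print(f"BLOCKED {row_id}: {reason}")
    return 1 if failures else 0


# Constructed sample rows and clock, for illustration only.
SAMPLE_TODAY = date(2026, 6, 1)
SAMPLE_ROWS = [
    {"id": "provider-a", "verifiedOn": "2026-05-20"},    # fresh
    {"id": "provider-b", "verifiedOn": "2026-01-15"},    # stale
    {"id": "provider-c"},                                # never verified
    {"id": "benchmark-uk", "verifiedOn": "20/05/2026"},  # wrong date format
    {"id": "benchmark-us", "verifiedOn": "2026-03-03"},  # exactly 90 days: passes
]

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_ROWS, SAMPLE_TODAY))
```

Treating an unparseable date as a failure rather than skipping the row keeps a formatting mistake from silently bypassing the 90-day limit.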
Conflicts of interest
pentestcostcalculator.com is published by Digital Signet. Digital Signet does not sell pen testing, security consultancy, or PtaaS services. We do not accept sponsored placements that influence pricing claims or methodology. The advertiser exclusion list specifically forbids pen test provider and PtaaS ads on this property.
Updates and corrections
Stale price, broken source URL, missing CREST/CHECK certification claim? Email hello@digitalsignet.com with the source URL. Updates land within seven days.