Pen test scope
API pen test
Standalone API testing (REST, GraphQL, gRPC) covering OWASP API Security Top 10. Increasingly scoped separately from the web/mobile front-end that uses the API.
| Size | Effort | Price (UK) |
|---|---|---|
| Small | 2-4 days | £2,000-£6,000 |
| Medium | 4-8 days | £4,000-£12,000 |
| Large | 8-15 days | £8,000-£22,500 |
Standards typically applied
- OWASP API Security Top 10
- OWASP REST Security Cheat Sheet
Considerations that move the day count
- GraphQL adds 20-40% to day count vs equivalent REST scope (introspection + query complexity testing)
- Authorization (BOLA / function-level / object-level) is the dominant finding class
- Rate limiting and abuse-resistance scoping rarely included by default — flag explicitly if needed
Source
OWASP API Security Top 10 2023 + Precursor Security 2026 scope ranges
Verified 2026-06-02