Pen test scope
Web application pen test
External-facing web applications including authentication, session management, business logic, and OWASP Top 10 coverage. The most common pen test engagement type.
- Small: 3-5 days, £3,000-£7,500 UK
- Medium: 5-10 days, £5,000-£15,000 UK
- Large: 10-20 days, £10,000-£30,000 UK
Standards typically applied
OWASP Web Security Testing Guide, OWASP Top 10, NIST 800-115
Considerations that move the day count
- Authenticated vs unauthenticated scope — authenticated typically adds 30-50% to day count
- Multi-tenant SaaS apps need cross-tenant isolation testing as a discrete stream
- Complex business logic (financial workflows, multi-step approvals) often needs a custom test plan beyond OWASP
Source
OWASP Web Security Testing Guide v4.2 + Precursor Security 2026 scope ranges
Verified 2026-06-02