Pricing

Transparent pricing.
No surprises.

Every engagement is scoped before it is priced. Our starting point is $6,000 for a standard web application penetration test. The final quote depends on three things we work through with you on the discovery call.

$6,000
Starting price · standard web application

Every engagement includes full manual testing with zero scanner dumps, an audit-ready report mapped to your compliance framework, proof-of-concept exploits with CVSS ratings, and one retest plus a debrief call.


What determines your final quote

Four variables shape every engagement. We go through all four on the discovery call before any number is issued. No hidden fees, no scope surprises, and no add-ons you did not agree to.

01

Application complexity

Endpoints, APIs, auth flows, and user roles drive testing hours. A 3-role SaaS with 40 endpoints is a fundamentally different scope than a multi-tenant platform with 200 endpoints and custom SSO.

02

Compliance framework mapping

HIPAA, SOC 2, PCI DSS, ISO 27001, and DPDP each require specific control coverage in the final report. A compliance-mapped report is structured evidence your auditor can cite directly.

03

One-time vs. retainer

A single engagement covers that scope alone. Retainers for quarterly or annual testing carry lower per-engagement cost, priority scheduling, and continuous coverage between compliance cycles.

04

Time. How long it takes.

Testing duration scales directly with scope. A focused 40-endpoint app completes active testing in 1 week. A 200-endpoint multi-tenant platform with custom SSO takes 2–3 weeks. Priced accordingly.

Lower complexity

Single-tenant, 2–3 roles, under 60 endpoints, standard auth flows.

Higher complexity

Multi-tenant, 5+ roles, 100+ endpoints, custom SSO, OAuth, and MFA flows.


How an engagement is delivered

Every engagement follows four phases: scoping, active testing, report delivery, and retest. Active testing duration scales with scope and complexity. Everything else — report, debrief, and retest — is fixed overhead included in every quote.

Concrete example — standard 40-endpoint SaaS app

Scoping and authorization finalize in days 1–2. Active testing runs for 1 week. The report is delivered and the debrief call held within days of testing completing. The retest is scheduled within 1 week after you fix the findings. A standard engagement closes in about 2–3 weeks total.

01

Days 1–2

Scoping & Authorization

Scope documented, targets agreed, rules of engagement signed. Nothing is tested until authorization is in writing.

02

1 Week

Active Testing

Manual testing against all agreed targets. Real attack paths, chained vulnerabilities. Larger or more complex apps may take 2–3 weeks.

03

Days after testing

Report & Debrief

Full report delivered. Debrief call for your technical team and, if needed, your auditors or compliance officer.

04

+1 week

Retest Window

Fix the findings. We verify. Must be scheduled within 1 week of remediation confirmation. Always included.

What is included

Always included
  • Manual penetration testing by a certified tester
  • Full written report with every finding documented
  • CVSS severity ratings on all findings
  • Proof-of-concept exploits for critical and high findings
  • Executive summary for leadership and board
  • Technical findings section for your engineering team
  • Remediation guidance for every finding
  • One retest within 1 week of remediation confirmation
  • Debrief call
  • Compliance framework mapping if specified at scoping
Add-ons — priced separately
  • Additional retests beyond the included one
  • Social engineering and phishing simulation
  • Physical security assessments
  • Mobile application testing
  • Hardware and firmware testing
  • Red team simulation engagements
  • Ongoing continuous monitoring

These can be added to any engagement. Scope and pricing for add-ons are agreed before the engagement begins.


Pricing questions

$6,000 reflects a standard-scope web application with moderate complexity: under 60 endpoints, 2 to 3 user roles, and standard authentication flows. This covers the full engagement including testing, report, debrief, and retest. Applications with higher complexity, additional compliance documentation requirements, or wider scope are priced higher, and we scope that on the discovery call before quoting.

It is the starting point for a standard-scope web application engagement. The final quote depends on application complexity, compliance framework mapping requirements, and whether you are scoping a single engagement or a retainer. We do not issue a final quote before completing a scoping call.

Scoping and authorization take 1 to 2 days — nothing is tested until authorization is in writing. Active testing runs 1 week for a standard engagement; larger or more complex apps take 2 to 3 weeks. The report is delivered within days of testing completing, followed by a debrief call. You then have 1 week from remediation confirmation to schedule the included retest. Total calendar time for a standard engagement is roughly 2 to 3 weeks from signed agreement to completed retest.

Yes. Quarterly and annual retainer agreements are available for organizations that need continuous coverage between compliance cycles. Retainer clients receive reduced per-engagement cost, priority scheduling, and a dedicated contact for all engagements. Retainer terms are discussed on the discovery call and formalized in the engagement agreement.

Framework mapping, such as mapping findings to HIPAA technical safeguard requirements or SOC 2 CC6.1 controls, is included when you specify the framework at scoping. It is part of the report documentation work and is built into the quoted price, not an add-on billed separately.

Yes. Compliance consultants, evidence collection platforms, and security firms that refer clients or subcontract pentest work to NullStrike receive 15 to 20 percent off standard engagement pricing under a signed partnership agreement. See the Partners page for details and to apply.

Ready to get a quote?

Book a free 30-minute scoping call. No obligation. We scope the engagement and issue a fixed quote before any agreement is signed.