Most UK businesses paying for their first penetration test have the same problem: they do not know what they are buying until after they have bought it. The penetration test cost in the UK typically ranges from £2,500 for a focused external assessment to £12,000 or more for a thorough internal network review, but the number means little without understanding what is inside that price and what you actually need. Get the scope wrong in either direction and you either overspend or walk away with a report that misses your real exposure.
What You Are Actually Paying For
A penetration test is a manual, adversarial assessment of a defined set of systems. A skilled tester probes your environment the way an attacker would: chaining misconfigurations, weak credentials, overpermissioned accounts, and unpatched software into access they should not have. The output is a technical report with evidence-backed findings, risk ratings, and remediation steps, plus an executive summary your board can read.
That is different from a vulnerability scan, which is an automated tool checking software for known, unpatched vulnerabilities. Scans are fast and cheap. But they are not penetration tests, and the two are not interchangeable. If a quote looks very low and the provider asks few scoping questions, it is probably a scan with a different label on it.
The NCSC describes penetration testing as a method for “gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” It also notes that tests are “expensive operations”: not a warning to avoid them, but a reminder that a serious test costs what serious manual work costs.
Penetration Test Cost in the UK: Prices by Type
Penetration test costs in the UK vary widely because no two engagements are the same. The following ranges reflect typical market rates published by UK providers for manual engagements:
- Web application test: £2,500 to £8,000 (2 to 5 days). Covers a single application with its authenticated and unauthenticated attack surface. Price rises with the number of user roles, API endpoints, and application complexity.
- External network test: £3,000 to £6,000 (3 to 5 days). Targets internet-facing infrastructure: your public IP addresses, domains, VPN endpoints, and perimeter devices.
- Internal network test: £5,000 to £12,000 (5 to 8 days). Simulates what an attacker can do once inside your network. Deeper access means more time and cost.
- Cloud assessment: £4,000 to £10,000 (3 to 6 days). Reviews configuration and permissions on AWS, Azure, or similar platforms.
- Full security assessment: £12,500 to £25,000+ (10 to 20 days). Combines external, internal, and application testing. Appropriate for larger organisations or compliance-heavy environments.
Most mid-market UK engagements land between £3,750 and £10,000. The average test runs about seven working days from kick-off to final report.
Aardwolf Security starts from £750 per day, which sits below the rates charged by most competitors. Every one of our consultants is senior, so your testing is carried out by people with years of hands-on experience rather than juniors learning the trade on your systems.
How to Scope Your Test (Before You Ask for a Quote)
Scope defines the price. Before approaching any provider, work out the following:
- What systems are in scope? List specific IP ranges, domains, and applications. Vague descriptions produce vague (and usually inflated) quotes.
- How many user roles exist? A web application with three separate permission levels (admin, standard user, guest) takes longer to test. An application with a single role costs less.
- Internal or external, or both? An external test is less expensive and a sensible first step. Internal testing requires either remote access or an on-site visit, and reveals what an attacker can do if they get past the perimeter.
- Do you have a compliance requirement? PCI DSS, ISO 27001, and Cyber Essentials Plus each impose specific testing methodology and reporting requirements. This typically adds 15 to 25 per cent to the base cost. Know this before you budget.
- Do you need retesting? Most providers quote for the initial test only. A retest after you have fixed the findings usually costs one or two extra days at the same day rate.
Reading Day Rates
Penetration testing is priced on consultant day rates. The fair market rate for thorough manual testing in the UK sits at around £1,200 per day, with a credible range of £1,000 to £1,500. That covers testing, reporting, quality review, and project management.
Below £500 per day, you are almost certainly getting an automated scan, not a manual test. Providers quoting in that range are often running vulnerability scanning tools rather than conducting genuine adversarial testing. The fewer questions they ask at the scoping stage, the less likely you are to get an accurately scoped piece of work.
Providers above £2,000 per day are not necessarily better. Very high day rates sometimes reflect marketing spend, London overhead, or specialist niche work rather than better testers. So always ask what you are paying for at each price point.
The CREST Question
CREST is the UK’s main professional body for penetration testing. CREST-certified firms employ individually certified testers and are audited annually on their methodology. For UK public sector, NHS, defence, and most regulated-sector contracts, CREST accreditation is a hard requirement under the NCSC’s CHECK scheme.
For everyone else, CREST is a useful quality signal but not the only one. Testers holding OSCP, OSWE, or similar offensive security qualifications from respected providers are also credible. Ask who will be doing your test and check their qualifications. Request a sample report from a comparable engagement. Those three checks reveal more than any accreditation label alone.
Expect to pay roughly 15 to 25 per cent more for a CREST-accredited provider. For organisations with a compliance driver or a regulated-sector tender requirement, that premium is part of the cost of doing business.
What a Good Quote Looks Like
A credible provider will send you a formal statement of work before any money changes hands. It should specify the systems in scope, the testing methodology, and the named testers with their qualifications. It should also list the deliverables (technical report, executive summary, debrief call), the timeline, and what is excluded. If any of these are missing, ask for them.
Two other checks worth doing: ask for a sample report and look at the evidence quality, not just the layout. And confirm that the provider carries professional indemnity insurance that covers penetration testing activity.
What First-Time Buyers Should Start With
If your organisation has never commissioned a penetration test and you are not sure where to begin, an external network and web application test is the most practical starting point. It covers the systems exposed to the internet, it is accessible for most budgets, and it gives you a benchmark to compare future assessments against.
From there, most organisations move to an internal test once they have addressed the external findings. Red team engagements and full security assessments come later. Those are appropriate once the basics are solid and you want to test your detection and response capability too.
Questions about penetration test cost in the UK are often straightforward once you understand what the price pays for. Most organisations find that getting a clear scope defined early saves money and avoids the frustration of a test that did not cover what mattered.
If you want to talk through what scope makes sense for your environment, Aardwolf Security offers scoped penetration testing services for UK businesses and can give you a clear, honest picture of what the work involves before you commit to anything. You are welcome to get in touch with questions.