Penetration test cost in the UK ranges from £800 to £50,000 or more, and the price alone tells you almost nothing useful. The most common mistake organisations make when buying security testing is treating it like commodity procurement: compare quotes, choose the cheapest firm that mentions “CREST” somewhere in the proposal, and sign. The result is a report that satisfies a compliance checkbox but leaves the real vulnerabilities untouched.
Penetration Test Cost UK: What Credible Testing Actually Costs
For manually led, properly scoped testing by CREST-certified consultants, expect to pay in the following ranges depending on the type of assessment:
- External infrastructure (perimeter, VPN, mail servers): £3,000 to £6,000
- Web application (authenticated and unauthenticated, single application): £2,500 to £8,000
- Internal network assessment: £5,000 to £12,000
- Cloud environment review: £4,000 to £10,000
- Red team exercise: £20,000 to £50,000 or beyond
The word “credible” in that heading matters. These figures assume a consultant spending most of the engagement on manual analysis, not running automated tools and presenting the output as penetration test findings.
CREST-certified consultants in the UK typically charge between £1,000 and £1,500 per day. Research from the UK Cyber Security Council in 2024 found the average engagement runs about seven working days, and approximately 60% of organisations use at least two testers. The arithmetic follows directly: a five-day, single-consultant external test at £1,200 per day costs £6,000, and a seven-day, two-consultant internal test costs £16,800. That second figure sits above the typical internal range given earlier, which is exactly what a larger or more complex estate does to the price. Penetration test cost in the UK at the upper end reflects skilled technical labour, not a padded profit margin.
Why Buyers End Up With the Wrong Test
Three pressures push organisations toward poor-value testing, and all three are understandable.
First, compliance deadlines. A customer questionnaire or an insurance renewal says “annual penetration test required.” The buyer needs a document by a specific date. A firm offering a two-day assessment for £1,200 meets the letter of that requirement. The buyer signs, the box is ticked, and the underlying risk stays exactly where it was.
Second, unclear scope. Without knowing whether they need external or internal testing, one application or three, basic or compliance-grade reporting, buyers cannot compare quotes fairly. A £3,000 quote for a single-application web test is reasonable. A £3,000 quote for “your entire environment” is a red flag. Without understanding what you are buying, you cannot tell which is which.
Third, opaque provider claims. “Penetration testing” is not a regulated term. Many firms apply it to automated scanning with minimal manual follow-up, and their marketing is indistinguishable from providers doing genuine manual work. The price difference between those two offerings is the entire point.
What a Cheap Penetration Test Actually Delivers
Day rates below £500 almost always mean a tool-heavy engagement. The report structure makes it obvious: findings listed by CVSS score, descriptions largely copied from scanner databases, and prioritisation by severity band rather than by what an attacker could actually do with each issue in your specific environment.
A manually led report looks different. It demonstrates proof-of-concept exploitation where appropriate, describes the realistic attack chain from initial access to business impact, and flags which findings are serious in your specific context. The practical difference is this: one report tells you a flaw exists, the other shows whether an attacker could use it to reach your customer records.
Some low-cost providers are transparent about what they offer and price it accordingly. The problem arises when a scan report is presented as a penetration test. Compliance frameworks that call for penetration testing expect manual work; PCI DSS, for example, treats vulnerability scanning and penetration testing as separate requirements, and a scanner export does not satisfy the latter. That gap, between what was promised and what was delivered, is where the actual risk lives.
Accreditation: a Baseline Check, Not a Guarantee
CREST membership is the most widely recognised professional standard for UK penetration testing. It requires individual consultants to pass technical examinations and member companies to undergo operational audits. Most quality providers hold CREST approval, and most procurement processes now ask for it as a minimum.
But CREST membership only confirms that a firm meets certain minimum standards. It does not tell you whether the consultant assigned to your engagement is a junior or a seasoned specialist, nor how much of the engagement will actually be manual. Ask directly: which certifications do the individuals performing this test hold? CREST Practitioner Security Analyst is the entry level, CREST Registered Penetration Tester sits above it, and CREST Certified Infrastructure Tester or CREST Certified Web Application Tester are the senior standards. For government and critical infrastructure work, the NCSC’s CHECK scheme applies; CHECK team members and leaders must hold security clearance and operate under stricter controls than standard CREST engagements.
What a Quality Engagement Actually Includes
A well-structured penetration test covers several stages that cheap alternatives often skip or compress. Understanding what those stages are helps you evaluate whether a quote is realistic.
Scoping and planning come first: a conversation about your environment, your threat model, and what the test should cover. Reconnaissance follows, establishing what is visible from the outside before active testing begins. The active testing phase is where manual skill matters most. A skilled consultant does not just identify known vulnerabilities: they try to exploit them, chain them together, and show what the real impact would be. Reporting then translates the technical findings into something actionable, with a debrief call and a retest to confirm fixes worked.
Cheap engagements take shortcuts throughout. Scoping becomes a form. Reconnaissance is skipped. The report comes from scanner output rather than real exploitation, with no debrief and no retest. That is a different product, not the same product at a lower price.
Building a Realistic Testing Budget
Start with a risk question rather than a budget figure: what are you most concerned about? External attackers reaching public-facing applications? A compromised internal account moving laterally through the network? A misconfigured cloud environment leaking data? The answer determines the scope, and the scope ultimately determines what you should spend.
For most UK small and mid-sized businesses, a sensible annual programme covers the public-facing attack surface. That typically means a combined external infrastructure and web application test. Organisations holding personal data, processing payments, or working in regulated sectors should also consider an internal network assessment. It brings the simulation closer to the threats that actually matter.
Penetration test cost in the UK for that kind of programme runs between £6,000 and £20,000 for a typical mid-market business, depending on environment size and complexity. Set against the cost of discovering those same vulnerabilities during a real incident, that is not an unreasonable number.
Before approaching firms, Aardwolf Security can help you work out what scope makes sense for your environment. The initial conversation carries no obligation, and the aim is the right test rather than the most expensive one. Get in touch to talk through what makes sense for your situation.
Frequently Asked Questions
What is a realistic penetration test cost for a UK small business?
For a small business with a public website and limited infrastructure, a combined external infrastructure and web application test typically costs between £4,000 and £8,000. That covers the most likely attack surface. It avoids over-scoping into internal work that may not be necessary at your stage of growth. As your infrastructure and exposure grow, the scope should grow with them.
Can I do remote testing or does it need to be on-site?
Most external and web application testing is done remotely. Internal network assessments, which were once almost always on-site, are now routinely conducted over a temporary VPN, or by connecting a testing appliance shipped to your office that tunnels back to the consultant. On-site work is still appropriate for physical security components or where data handling requirements prevent external connectivity. On-site engagements add travel and accommodation costs, so confirm whether remote testing meets your requirements before assuming you need a team on-site.
How does a penetration test report help with cyber insurance?
Insurers increasingly ask for evidence of annual penetration testing during policy renewal. This is especially common for higher-value policies and organisations handling personal data. A report showing findings were identified and remediated demonstrates active security management. That carries more weight than an absence of testing. Some insurers specify that testing must be by a CREST-approved firm, so confirm the requirement before choosing your provider.
What happens if the test finds serious vulnerabilities?
A reputable testing firm notifies your team as soon as a critical finding is confirmed, using the escalation contacts agreed during scoping, rather than holding it back for the final report. The report then details each finding with evidence, impact assessment and recommended remediation. Your team works through the fixes, starting with critical and high-severity issues, and a retest confirms the fixes are effective. This cycle, from finding to fix to confirmation, is the actual security value of the engagement, not the report itself.
Is annual testing enough, or should I test more frequently?
Annual testing is a floor, not a ceiling. Any significant change to your environment warrants a targeted assessment. New applications, cloud migrations, and major redesigns each introduce fresh risk. Do not wait for the next annual test when a specific change has materially altered your attack surface. Organisations in higher-risk sectors often move to twice-yearly testing. Others supplement continuous vulnerability management with annual manual penetration tests.