How much does a pentest cost?

A single grey-box web app pentest is typically a few thousand USD and around 5-10 person-days. Enterprise, multi-scope engagements with compliance reporting cost considerably more. Use the calculator for a range, then request scoping for a firm quote.

What determines the price?

Scope size (apps, IPs, endpoints, roles), test depth (black/grey/white box), retest rounds, and compliance requirements such as PCI-DSS, ISO 27001 or KVKK are the main drivers.

How long does a penetration test take?

A small single-app test is often 4-10 person-days. Larger and multi-scope engagements run several weeks of effort. Reporting and a retest round add additional days.

Is the re-test paid separately?

A retest after you fix findings is real work and is usually priced separately, though many providers include one retest round in the initial scope. Always confirm this in the proposal.

Penetration Test Price Calculator

Get an honest, range-based estimate of what a penetration test could cost and how long it could take, based on your scope, size, test type and compliance needs. It is an estimate, real quotes need scoping.

Scope (choose all that apply)

Size (endpoint / app count)

Few apps / 50-250 endpoints

Test type

Partial info/user account

Compliance need (optional)

Estimated price range

$3,840 - $6,240

Approx. 157.440 TL - 255.840 TL (1 USD ~ 41 TL)

Estimated duration

8 - 12 person-days

What drove this estimate

Scope: Web app
Size: Medium (x1.6)
Test depth: Grey box (x1)
Compliance: none

This is an estimate, not a quote. Real pricing depends on scoping (asset count, complexity, retest rounds, depth and reporting requirements). Contact DSET for a firm proposal.

The factors that really move pentest price

Scope size: number of apps, IPs, endpoints and roles tested.
Depth: black box is faster/cheaper, white box is deeper and costs more.
Retest: a re-test round after fixes is a real, separately priced cost.
Compliance: PCI-DSS / ISO 27001 / KVKK reporting adds formal effort.

What determines pentest pricing

The biggest price driver is scope size: the number of applications, IP ranges, endpoints and user roles in scope. Test depth matters too, a white box test with source access finds more but takes longer. Compliance reporting for PCI-DSS, ISO 27001 or KVKK adds formal effort, and a retest round after fixes is real, separately scoped work. How cybersecurity pricing is set.

Black box vs grey box vs white box

Black box simulates an external attacker with no prior information and is usually the fastest. Grey box gives the tester a user account or partial knowledge and is the most common balance of cost and coverage. White box gives full information and source access, finding the most but costing the most. Choose the depth that matches your real risk and budget. Pentest process, price and timing.

When do you need a pentest

You typically need a penetration test before a major launch, after significant changes, on a recurring annual basis, or when a customer or regulation (PCI-DSS, ISO 27001, KVKK) requires it. Choosing the right provider matters as much as the price. How to choose a pentest firm.

Want a firm, scoped quote for your environment? Talk to DSET.

DSET · +90 536 662 38 09 · [email protected]