The Pricing Problem
Penetration testing pricing is deliberately opaque. Most firms require a phone call before they will discuss numbers. You fill out a contact form, schedule a discovery call, wait for a custom proposal and then discover the price was 3x your budget. This process wastes everyone's time.
We publish our pricing because we believe transparency serves buyers better than sales theater. This article compares what companies actually charge for penetration testing in 2026, including our own rates and anonymized data from competitors.
The Pricing Spectrum
Penetration testing pricing in 2026 falls into five broad tiers:
| Tier | Price Range | What You Get | Who It Is For |
|---|---|---|---|
| Quick audit | $1,500-3,000 CAD | Focused assessment of a single target (one web app or a small external scope). 1-2 days of testing. Summary report with critical findings. | Startups, side projects, pre-launch checks |
| Standard pentest | $5,000-8,000 CAD | Thorough web application or infrastructure test. 3-5 days of testing. Full report with remediation guidance and a free retest. | SMBs, SaaS companies, compliance-driven assessments |
| Comprehensive assessment | $10,000-15,000 CAD | Multi-target engagement covering web apps, APIs, infrastructure and cloud. 1-2 weeks of testing. Detailed reporting with executive summary. | Mid-market companies, multi-app environments |
| Enterprise pentest | $20,000-35,000 CAD | Large-scope engagement with multiple testers, internal and external testing, segmentation validation. 2-4 weeks. | Enterprises, regulated industries |
| Red team engagement | $35,000-50,000+ CAD | Full adversary simulation including social engineering, physical testing, custom tooling. 3-6 weeks with multiple senior operators. | Large enterprises, government, financial institutions |
Anonymized Competitor Pricing
We collected pricing data from proposals, published rates and industry contacts for a standard web application penetration test (single app, authenticated and unauthenticated testing, API coverage, full report).
| Provider | Price (CAD) | Testing Days | Retest Included | Notes |
|---|---|---|---|---|
| Sherlock Forensics | $5,000 | 3-5 | Yes | Transparent pricing, self-serve purchase, CISSP tester |
| Company A (boutique) | $6,500 | 3-4 | Yes | Requires discovery call, proposal takes 1-2 weeks |
| Company B (mid-size) | $12,000 | 5 | Partial | Junior testers with senior review, compliance-focused |
| Company C (large MSSP) | $18,000 | 5-7 | No | Enterprise sales process, minimum engagement size |
| Company D (Big Four) | $25,000+ | 5-10 | No | Institutional credibility, high overhead, variable tester quality |
What Drives the Price Difference
A 5x price difference between providers for the same scope raises an obvious question. The answer comes down to six factors:
1. Overhead structure. A Big Four firm bills at $300-500/hour because it carries substantial overhead: offices, partners, support staff, brand marketing and compliance infrastructure. A boutique firm bills at $150-250/hour because its overhead is minimal. The tester doing the actual work may be equally skilled in either case.
2. Tester seniority. Some firms staff engagements with junior analysts who follow scripts and escalate to seniors for review. Others put senior testers on every engagement. The output quality differs significantly. Ask who will actually test your application, not who will sign the report.
3. Sales process costs. Firms that require multi-week proposal processes, discovery calls and custom scoping documents build those costs into engagement pricing. Self-serve purchasing eliminates this overhead.
4. Scope definition. A "web application pentest" can mean wildly different things. Some firms test only the OWASP Top 10. Others include API testing, authentication bypass, business logic analysis and source code review. Clarify scope before comparing prices.
5. Report quality. Some reports are 100+ pages of scanner output with a cover page. Others are 20-30 pages of manually validated findings with attack narratives, business impact analysis and specific remediation guidance. The shorter report is usually more valuable.
6. Retesting. Retesting (verifying that the reported findings have actually been fixed) should be included in the quoted price. Some firms charge separately for retesting, which effectively increases the total cost by 20-30%.
Sherlock Forensics Pricing
We offer three transparent pricing tiers with no hidden fees:
- $1,500 CAD - Quick Security Audit. Focused assessment of a single web application or small external scope. 1-2 days of testing by a CISSP-certified consultant. Summary report with critical findings and remediation guidance.
- $5,000 CAD - Standard Penetration Test. Thorough web application pentest including authenticated testing, API coverage, business logic analysis and manual vulnerability validation. 3-5 days. Full report with free retest.
- $12,000 CAD - Comprehensive Assessment. Multi-target engagement covering web applications, APIs, infrastructure and cloud configurations. 1-2 weeks of testing. Executive summary, technical report, remediation roadmap and free retest.
All tiers include manual testing by Ryan Purita (CISSP, ISSAP, ISSMP) with 20+ years of experience. No junior analysts. No bait-and-switch. Self-serve purchasing available online.
How to Budget for a Pentest
If you are budgeting for penetration testing for the first time, start with these guidelines:
- Startups with a single app: Budget $1,500-5,000 CAD annually
- SMBs with 2-3 applications: Budget $5,000-12,000 CAD annually
- Mid-market with multiple targets: Budget $12,000-25,000 CAD annually
- Enterprise with complex infrastructure: Budget $25,000-50,000+ CAD annually
Spending less than $1,500 on a pentest means you are buying an automated scan, not a penetration test. That is fine for hygiene, but it will not satisfy compliance frameworks or find the vulnerabilities that matter.