Penetration testing is one of the most inconsistently quoted services in cybersecurity. Two businesses with a similar setup can receive quotes from $3,000 to $50,000 for what looks like the same thing on paper. That gap exists because they are often completely different products, and buying the wrong one can leave you more exposed than not testing at all.
What penetration testing is (and what it is not)
A pen test is an attempt by a trained security professional to find and exploit weaknesses in your systems before a real attacker does. They think like an adversary: probing for misconfigured services, weak credentials, unpatched software, and paths that should not exist between systems.
What it is not is an automated vulnerability scan. Tools like Nessus are useful, but they work from a database of known issues. They miss logic flaws, novel attack chains, and anything that requires a person to actually think. Most cheap pen test quotes are exactly that: automated scans with a branded report on top.
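As an added illustration of the point above (not code from the original article), here is the kind of logic flaw a version-matching scanner cannot flag: an invoice endpoint that checks that the caller is logged in but never checks that the caller owns the record. No CVE describes this, the software can be fully patched, and the scanner reports a clean result; a human tester finds it by logging in as one customer and requesting another customer's invoice. The data, handler names and the `probe_cross_account_read` helper are constructed for the example.

```python
"""Constructed example: a broken object-level authorisation flaw that a
signature-based scan cannot see, shown beside the corrected handler.
Not taken from the original article; names and data are invented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str          # customer account that owns this invoice
    amount_cents: int


# Constructed sample data standing in for the application's database.
INVOICES = {
    1001: Invoice(1001, "alice", 12_000),
    1002: Invoice(1002, "bob", 48_500),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """Authenticated but not authorised: any logged-in user can fetch any
    invoice by guessing its id. Every component is patched, so a scanner
    matching software versions against a CVE database reports nothing."""
    return INVOICES[invoice_id]


def get_invoice_fixed(session_user: str, invoice_id: int) -> Invoice:
    """Object-level authorisation: the record is returned only if the
    session user owns it. Unknown and foreign ids get the same response
    so the endpoint does not leak which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        raise Forbidden(f"invoice {invoice_id} not available to {session_user}")
    return inv


def probe_cross_account_read(handler, attacker: str, victim_invoice: int) -> bool:
    """What a human tester does: authenticate as one customer and request
    another customer's object. Returns True if the other customer's data
    comes back, False if access is refused."""
    try:
        inv = handler(attacker, victim_invoice)
    except (Forbidden, KeyError):
        return False
    return inv.owner != attacker


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("fixed", get_invoice_fixed)):
        leaked = probe_cross_account_read(handler, "alice", 1002)
        print(f"{name} handler: cross-account read {'LEAKS' if leaked else 'blocked'}")
```

The probe is deliberately simple: one authenticated identity, one foreign object id, one check on whose data came back. That is the whole test, and no amount of CVE matching performs it.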
Types of pen tests
There are a few distinct products that fall under the "pen test" label, and which one you need drives the price more than almost anything else.
An external network test attacks your internet-facing assets from outside: firewalls, VPNs, publicly accessible servers. Most SMBs start here.
An internal network test puts the tester inside your network, simulating a device that has already been compromised or a malicious insider. It requires more logistics and costs accordingly.
A web application test targets a specific app or customer portal. Complexity and price scale with how much the application does.
A phishing simulation tests whether your staff hand over credentials or run malicious files when a convincing email lands in their inbox.
A red team exercise is a full-scope adversary simulation with no defined target list. The tester tries to reach a specific objective using any means available over weeks. These are designed for organisations with mature controls already in place. Running one against a business that has not addressed the basics is an expensive way to confirm what you probably already suspect.
The price bands and what you actually get
Under $5,000
At this price, you are almost certainly getting an automated scan. Entry-level fixed-price packages from most providers start at $2,500 to $5,000 and typically cover a two-day scan of your external firewall combined with an internal network sweep. The output is a list of known CVEs matched against your IP ranges, formatted into a PDF. Little or no manual testing involved.
That is not nothing. Knowing you have unpatched services exposed to the internet is useful. But it should not be called a penetration test, and plenty of providers call it exactly that.
The problem is the false confidence it creates. You receive a clean report because the scanner found nothing critical, while a human tester might have walked straight through your network via something the scanner does not check for, such as a default password on an admin interface or a customer portal that lets one account read another account's records.
$5,000 to $12,000
An external network test for a modest IP footprint typically sits toward the top of this band and can run to around $15,000 as the footprint grows. For web applications, a simple customer portal or informational site starts at around $8,000 to $12,000 for a proper manual test.
Before any work starts there should be a scoping call to define exactly what is being tested. The testing itself should be done by a human, not just a scanner running in the background. You should get a referenced methodology, a written report with severity ratings and actual fix guidance, and a debrief call to walk through what was found.
If those elements are missing from a quote, it is a scan.
$12,000 to $25,000
This range covers broader engagements. Medium web applications with multiple user roles and backend API integrations typically start at around $15,000 and can reach $30,000 as scope grows, which pushes the larger ones into the next band. Combined internal and external network testing, or a test that includes social engineering components, also lands here. You should also expect CREST-certified testers at this level.
CREST is an international accreditation body for penetration testing with an Australian chapter. It accredits member firms and separately certifies individual testers through hands-on technical exams such as the CREST Registered Tester (CRT) and CREST Certified Tester (CCT), so an individual credential means the tester passed an exam, not just that the firm paid a membership fee. It is not a guarantee the work will be good, but it is a meaningful filter. If insurance or a compliance requirement is driving this, ask specifically whether the lead tester holds a current CREST credential, and which one, before you sign anything.
At this price you should also get proper remediation guidance beyond "patch this CVE" and a formal debrief that can be presented to your IT team or an auditor.
$25,000 and above
Once you are looking at large infrastructure, multiple applications, or compliance-grade testing for ISO 27001 or a regulated industry, quotes climb past $25,000 quickly.
Red team exercises, described above, sit at the top of this band and are a different product from a scoped test. If your business has not yet addressed fundamental security controls, a red team will find the same basic paths a standard test would, at three times the cost.
What drives the price up
CREST-certified testers cost more, and if a compliance requirement specifies certified testing, that is not negotiable. Internal testing adds logistics: someone needs to be on-site or connected via a pre-arranged device, which takes time to coordinate.
Scope is the biggest lever. A quote covering 50 external IP ranges costs more than one covering 10. Web applications are priced by complexity, not just by count. A single large application with dozens of authenticated user journeys takes longer to test than three simple portals.
The level of access you give the tester upfront also matters. A black-box test, where the tester starts with no information, is slower: billable hours go toward reconnaissance rather than finding actual vulnerabilities. Grey-box testing, where the tester starts with basic credentials (typically a low-privilege test account) and some network context, means the skilled hours go toward finding real issues rather than mapping what you already know exists. Unless you have a specific reason to simulate a completely blind attacker, grey-box is usually the smarter spend.
If you want a re-test after remediation, budget for it explicitly. Some firms include one free retest within 30 to 45 days; others charge an additional 20 to 30 percent on top of the original fee. Report format is another lever: an executive summary written for a board alongside a detailed technical report takes significantly longer to produce than a raw findings export.
If the test needs to satisfy a compliance requirement, add 30 to 50 percent to whatever the base quote is. Testing aligned to PCI DSS, ISO 27001, or an insurance mandate requires findings mapped to specific control frameworks and documentation formatted for auditors. Compliance-driven testing in Australia rarely starts below $10,000 regardless of how small the environment is.
Urgent turnarounds carry a premium. A two-week window is normal. If you need results before a compliance deadline, expect to pay for the rush.
Red flags in a quote
No scoping call before the quote. A legitimate tester cannot give you an accurate price without understanding your environment. A fixed-price quote sent without any conversation about your setup is almost always built around a templated automated scan.
Turnaround under three days. Manual testing of any meaningful scope takes time. A firm promising a full report in 48 hours ran a scan.
No methodology referenced. Any credible firm will name the OWASP Web Security Testing Guide (WSTG) for web applications, PTES, OSSTMM, NIST SP 800-115, or a similar framework. If a quote has no methodology section, ask. If they cannot name one, keep looking.
No CREST credentials for compliance-required work. If this test needs to satisfy an insurance renewal, a client tender, or an ISO 27001 audit, confirm that the testing firm and the lead tester hold current CREST credentials. Most insurers and enterprise clients now specify it.
No rules of engagement document. A properly run engagement starts with a signed document that defines what is in scope and what is out, the permitted testing windows, emergency contacts on both sides, and what happens if the tester finds something unexpected outside the agreed boundaries. It is also your written authorisation for the tester to attack your systems, which protects both parties. If it is not mentioned, ask before you sign.
When does a small business actually need a pen test?
Not every business needs annual penetration testing. Plenty commission one before they are ready for it to be useful.
The most common driver is insurance. Evidence of recent testing is now standard for businesses above $5 million in revenue, and expected in legal, financial services, and healthcare. Beyond that, a client or government tender may ask about pen test history, and that requirement is becoming more frequent.
After an incident or near-miss, a pen test helps confirm the entry point is actually closed and no related paths remain open. A major infrastructure change, such as a cloud migration or a new application launch, is worth testing before it carries production traffic. And if ISO 27001 certification or a PCI DSS milestone is coming up, testing is usually required.
If none of those apply, a vulnerability scanning programme combined with a security assessment is usually a better use of budget for a business under 50 staff.
Summary
A $3,000 pen test quote and a $15,000 pen test quote are usually not competing for the same job. One is a scan. One is a test.
For most Australian SMBs, the right starting point is a scoped external network or web application test from a CREST-certified firm, with manual testing, a clear methodology, and a debrief included. That typically lands between $5,000 and $12,000 for a modest attack surface.
If you are not sure whether you are ready for a pen test, a cybersecurity assessment is usually the right first step. It maps your actual exposure, ranks what needs fixing, and tells you exactly what scope a pen test should cover when you do need one. Most SMBs find the assessment resolves most of the risk at a fraction of the cost.
