How Much Does a Penetration Test Cost? Pricing & Quotes for SMBs in 2026

9 min read · AstraLoop Studio

If you're trying to figure out how much a penetration test costs, you've probably already gotten quotes ranging from €1,500 to €20,000 for what looks like the exact same service. You're not losing your mind. The Italian pentest market is full of offers that use the same name for fundamentally different things: on one hand, a relabeled automated scan; on the other, a manual test carried out by people who actually try to break into your systems.

In this guide you'll find the real price ranges for an SMB in 2026, what moves the quote up or down, and how to tell a real pentest from a product in disguise. The goal is to get you to the quote stage with clear criteria, so that when you ask for a proposal you know exactly what you're buying. If you want the full picture of how corporate security is structured, this article is part of a complete guide to IT security audits for SMBs you can come back to anytime.

Illustration of a magnifying glass examining a digital network revealing weak points, a metaphor for penetration testing

Real Price Ranges for a Penetration Test for SMBs

Let's start with concrete numbers. For an Italian SMB, a serious penetration test falls into the ranges shown below for 2026. These are market prices for manual work carried out by certified professionals, not for automated scans.

Test typeTypical scopePrice rangeDuration
Web application pentest (single site or management system)1 application, few user roles€3,500 - €7,0003-6 person-days
External infrastructure pentestPublic IPs, exposed services, VPN€4,000 - €9,0004-8 person-days
Internal pentest (post-compromise)LAN network, Active Directory, segmentation€5,000 - €12,0005-10 person-days
Combined pentest (web + infrastructure + internal)Full scope for a structured SMB€10,000 - €15,00010-18 person-days
Targeted test/retest after fixesVerification of previous fixes€1,200 - €3,0001-3 person-days

For most Italian SMBs, a realistic quote for a job done properly falls in the €5,000-15,000 range. Below €3,000, you're unlikely to be buying a full manual pentest: it's almost always an automated vulnerability assessment with a polished report. That's not necessarily useless, but it's not the same thing. We'll come back to this shortly.

Cost is almost always calculated in person-days. A day of work from a certified penetration tester in Italy costs between €700 and €1,200, depending on seniority and firm structure. Multiply the number of days by the day rate and you get the quote. This gives you a simple way to sanity-check any proposal: always ask how many days are planned and who's doing the work.

What Makes the Cost of a Penetration Test Vary

Two quotes can differ by three times for entirely legitimate reasons. Here are the factors that actually move the price, in order of impact.

1. Scope size

This is variable number one. A test on a single web application is a contained job. Testing your entire exposed infrastructure, plus the internal network, plus cloud applications multiplies the number of days. Before asking for a quote, define what you actually want tested: a site, a management system, the external perimeter, the internal network, or all of it. The clearer the scope, the more reliable the quote.

2. Test depth (black, grey, or white box)

  • Black box: the tester starts with no information, just like a real external attacker. Realistic but slower, so more expensive for the same coverage.
  • Grey box: the tester has the credentials of a standard user. It offers the best cost-to-coverage ratio for most SMBs and is the most common choice.
  • White box: full access to code, configurations, and architecture. Maximum coverage, higher cost, ideal for critical applications.

3. Manual vs. automated

This is where the biggest, most misunderstood price difference hides. An automated scan is cheap because software runs it in a few hours. A manual pentest costs more because a person thinks like an attacker: chaining vulnerabilities together, bypassing controls, and finding the logic flaws no automated tool ever catches. Competitors selling €990 packages are almost always selling you the first kind. If your goal is to genuinely find out whether someone can break in, you need the second.

4. Technical complexity

A custom application with complex business logic, APIs, third-party integrations, and multiple user roles takes far more time than a brochure website. The environment matters too: on-premise, cloud, hybrid environments, and segmented infrastructure all add days.

5. Retest and reporting

A good quote includes at least one retest to verify that fixes actually work. Some providers leave it out to bring down the headline figure, then charge for it later. Always check whether the retest and the executive report (the one readable by the business owner, not just the technician) are included.

Illustration comparing a broad automated scan with a targeted manual test, a metaphor for the difference between vulnerability assessment and penetration testing

Penetration Test or Vulnerability Assessment: the Difference That Changes the Price

This confusion is behind 90% of the discrepancies in quotes. These are two different services, with different costs, that answer different questions.

Vulnerability AssessmentPenetration Test
Question it answersWhat known vulnerabilities do I have?Can an attacker actually get in?
MethodBroad, automated scanManual, targeted test, with exploitation
False positivesMany, need validationZero: every finding is proven
Typical SMB cost€800 - €3,000€5,000 - €15,000
Recommended frequencyQuarterly or continuousAnnual or after major changes

In practice: a vulnerability assessment gives you a broad, frequent snapshot of known weaknesses, while a penetration test verifies whether those weaknesses (and others a scan can't see) are actually exploitable. If a €900 quote promises a pentest, you're almost certainly buying a VA under another name. We've covered this in more depth elsewhere: if you want to understand when you need one versus the other, read the difference between vulnerability assessment and penetration testing and our deep dive on what a vulnerability assessment is.

The smartest strategy for an SMB isn't choosing one over the other, but combining them: a recurring vulnerability assessment for continuous monitoring, and a penetration test once a year (or after a major infrastructure change) for in-depth verification.

Why Pentesting Costs Money: the Italian Context in 2026

The price of a penetration test isn't a luxury — it's the cost of finding out in advance what you'd otherwise discover during an actual attack. And 2026 isn't a quiet year. According to the Clusit Report, Italy accounts for roughly 10% of severe incidents worldwide, with a rise in serious attacks in the first quarter and vulnerability exploitation up more than 65% compared to 2024. SMBs aren't a secondary target: they account for around 72% of the victims.

On top of that, there's the regulatory picture. With the NIS2 directive now in force, many supply-chain companies must demonstrate that they assess and test their own security, and responsibility falls directly on the CEO and board — it can no longer be delegated to the IT department. If you fall within the NIS2 scope, or you supply companies that do, a documented penetration test is no longer optional: it's part of what you're required to demonstrate. You can check where you stand starting from whether NIS2 applies to your company.

There's also a direct financial factor. The average cost of a ransomware attack for an Italian SMB ranges between €35,000 and €250,000, between ransom, downtime, and recovery. Compare that figure with an €8,000-10,000 pentest and the return on investment becomes obvious. We've broken this down in detail in our analysis of the real cost of a data breach and the ROI of prevention.

Want to find out what it would actually cost to test your systems and where your most exposed points are? Request a tailored analysis and quote: we'll define the scope together and tell you clearly what you need and what you don't.

How to Read a Penetration Test Quote Without Getting Ripped Off

A serious quote can be recognized by a few key elements. If they're missing, ask for clarification before signing anything.

  • Stated number of person-days and who's doing the work (junior, senior, certifications like OSCP, CEH, GWAPT). A real pentest is never sold as a flat fee without stating how much time it takes.
  • Scope written down in black and white: which IPs, which applications, which environments. If the scope is vague, the price is arbitrary.
  • A stated methodology: OWASP, PTES, OSSTMM. A serious provider will tell you which standard they follow.
  • Explicit mention of manual testing: the word "manual" needs to appear. If all you read is "scan" or "automated analysis," it's a VA.
  • Dual reporting: one technical report for whoever handles the fixes, one executive report for the business owner, with risks classified by severity.
  • Retest included: verification of the fixes should be included, or at least quoted separately and transparently.

A classic red flag is a price that's too low paired with promises that are too big. A "complete penetration test of your company for €490" simply doesn't exist as manual work: you can't buy that many person-days at that price. If the cost is low, either the scope is tiny or the work is automated.

Pentesting and Cyber Insurance: the Connection Almost Nobody Makes

There's one more reason to consider a penetration test, and most providers never mention it: insurability. Cyber insurance policies in 2026 increasingly ask, at underwriting stage, for evidence of periodic security testing. A recent, documented penetration test can lower the premium, unlock coverage, or stop a claim from being disputed on the grounds that "adequate measures had not been adopted."

In other words, some of what you spend on the pentest can be recovered on the insurance premium and, more importantly, it protects you exactly when it matters. It's worth working through with your broker: bringing a penetration test report to the negotiating table is a concrete argument, not a formality. For the bigger picture on defense, our 2026 cyber security guide for SMBs is still useful, and if you're also assessing your digital footprint, see our article on the cost of a website security audit.

How Much to Actually Spend: a Practical Rule of Thumb

If you run an SMB and need to set a budget, think of it this way. A company with a single exposed site or management system should start with a web application pentest in the €3,500-7,000 range, possibly paired with a recurring vulnerability assessment. A more structured company, with an internal network, multiple applications, and NIS2 obligations, sits in the €10,000-15,000 range for an annual combined test.

There's just one practical rule: the cost of a pentest should be a small fraction of what an incident would cost you. If a week of downtime costs you tens of thousands of euros, spending €8,000-10,000 a year to find out in advance where you're vulnerable is one of the security expenses with the clearest return. That cost, incidentally, should always be weighed against the alternative of discovering the same flaw through a data breach with the GDPR obligations that come with it.

The final piece of advice is simple: get at least two or three quotes, but compare them on the criteria in this guide (days, scope, manual vs. automated, retest) — not just the price tag. The lowest quote is almost always the one that tests the least.

Frequently asked questions

How much does a penetration test cost for an SMB in 2026?

For an Italian SMB, a serious manual penetration test typically costs between €5,000 and €15,000. A test on a single web application starts at €3,500-7,000, while a combined test covering web, infrastructure, and internal network reaches €10,000-15,000. Below €3,000, you're usually looking at an automated scan, not a full pentest.

Why do some penetration tests cost less than €1,000?

Because they aren't manual penetration tests. A very cheap offer is almost always an automated vulnerability assessment with a polished report. An automated scan is cheap because software runs it in a few hours, while a real pentest requires days of work from a certified tester who actually tries to break into the systems.

What's the cost difference between a vulnerability assessment and a penetration test?

A vulnerability assessment typically costs €800-3,000 because it's a broad automated scan of known vulnerabilities. A penetration test costs €5,000-15,000 because it's a manual test that verifies whether those vulnerabilities are actually exploitable. They're complementary services: the VA for continuous monitoring, the pentest for annual in-depth verification.

What has the biggest impact on the price of a penetration test?

Scope size is the main variable: testing a single site costs far less than testing your entire infrastructure plus the internal network. Next come test depth (black, grey, or white box), whether it's manual or automated, technical complexity, and whether a retest after fixes is included.

Do you need a penetration test for NIS2 compliance?

Yes, in many cases. With NIS2 in force, companies within its scope and their suppliers must demonstrate that they assess and test their own security, with direct responsibility on the CEO and board. A documented penetration test is one of the elements that helps demonstrate adequate measures have been adopted, though it's not the directive's only requirement.

How often should a penetration test be repeated?

The recommended frequency is annual, or after any major change to your infrastructure or applications (a new management system, cloud migration, new website). Alongside that, it's good practice to run recurring vulnerability assessments, even quarterly or continuous ones, to catch newly known vulnerabilities between one pentest and the next.

Before signing a penetration test quote, talk to us: we'll help you read the proposal, define the right scope for your SMB, and figure out whether you're buying a real test or a scan in disguise.