Precursor Security
UK CREST Accredited

Get a real pen test quote in 60 seconds. On this page, not in your inbox.

A penetration testing quote is a written estimate of the time and cost required to test the security of a defined scope. At Precursor, a quote is day rate multiplied by the number of test days, plus any one-off scoping or compliance overhead. Our standard day rate is £1,200 ex VAT. Most engagements run 5 to 15 days. The estimate appears on this page. A signed quote, with the named lead tester and engagement window, is delivered within 24 hours when you ask for one.

The live calculator below shows a number on this page. A signed quote follows within 24 hours, if you want one. Day rate £1,200 ex VAT, no POA, no platform signup.

CREST Pen Test
CREST SOC
ISO 27001:2022
Cyber Essentials Plus
G-Cloud 14
No Email Required

Estimate your quote.

Tick what you need. Tell us the scope. See the number.

Web application
3. Authentication scope

e.g. admin + standard user = 2. Authenticated testing adds 0.5 days per role above 2.

5. Include a retest day?
Your estimated quote
£7,200 to £9,600 ex VAT

6 to 8 test days

Banded because final scope is confirmed in a 20-minute scoping call. Your actual quote may sit anywhere in this band. Most clients land at the midpoint.

Book a 20-minute scoping call

Day rate £1,200 ex VAT. The full rate table is published in the "How we price" section below.

Penetration Testing Quote

What goes in a penetration testing quote?

Day rate times days, plus a reporting overhead. £1,200 ex VAT, all grades. No POA, no email form before the price.

A penetration testing quote is a written estimate of the time and cost required to test the security of a defined scope. At Precursor, a quote is day rate multiplied by the number of test days, plus any one-off scoping or compliance overhead. Our standard day rate is £1,200 ex VAT. Most engagements run 5 to 15 days.

What a Precursor quote includes
Day rate, total cost, and a line-item breakdown
The exact test types in scope (web, network, API, cloud, mobile)
Certifications and accreditations
Retest day included or quoted separately
Reporting format, delivery timeline, and remediation support
Out-of-scope items called out explicitly
Day rate: £1,200 ex VAT, all grades · Signed quote within 24 hours of scoping call
How Pen Tests Are Scoped

How a penetration test is scoped and priced.

A penetration test is priced by day rate multiplied by test days, plus a fixed reporting overhead. Test days are driven by the surface being tested, the asset count, the depth of authenticated coverage, and the environment. The same scope tested as authenticated or as unauthenticated will produce materially different day counts. For a deeper breakdown of day rates by engagement type, see our penetration testing cost guide.

The four variables that drive day count

Every scoping conversation starts with these four.

01 · Surface
What kind of asset is being tested

Web app, external network, internal network, API, cloud, mobile, wireless. Each surface has different methodology, different tool coverage, and different time-on-target. A web application takes more time per asset than an external IP because the attack surface is wider.

02 · Volume
How many assets in scope

Number of web apps, IPs, internal hosts, accounts, SSIDs, or rulesets. Higher counts mean more days, but the relationship is not linear (see economy of scale below).

03 · Depth
Authenticated vs unauthenticated, role count

Authenticated testing accesses logic that is invisible from outside. Each additional user role adds incremental days because permission boundaries multiply.

04 · Environment
Production, staging, or dev

Production tests carry more co-ordination overhead (change windows, monitoring suppression, rollback planning). Dev environments are faster to test but may carry less realistic data.

Economy of scale in pen testing

Why a 100-IP test does not cost ten times a 10-IP test.

Penetration tests scale sub-linearly with asset count. Tester setup, reconnaissance tooling, and reporting are fixed costs spread across the engagement. The marginal day count for each additional asset drops once the engagement is already running, particularly for surfaces where the methodology repeats per asset.

Surfaces with deeper per-asset methodology (web applications, REST APIs, cloud accounts) scale closer to linearly because each asset has its own business logic that must be tested in isolation. Three separate web apps are three full pen tests. Surfaces driven by reconnaissance and breadth (external IPs, internal hosts, wireless SSIDs) carry a higher fixed setup cost and a smaller marginal cost per additional asset, so the day count grows more slowly as scope expands.

Authenticated vs unauthenticated testing

The single largest scope variable after asset count.

Unauthenticated testing simulates an external attacker with no credentials. Authenticated testing tests what a logged-in user, partner, or compromised account can do once inside. Authenticated testing typically reveals an order of magnitude more findings than unauthenticated testing alone, because the majority of real-world attack paths involve credential abuse rather than perimeter bypass.

Unauthenticated only

Smallest scope. Maps the attack surface a stranger sees. Common for external network tests, marketing sites, and PCI DSS Req 11.4 baseline coverage.

Authenticated only

Tests the application as a logged-in user. Covers business logic, privilege escalation, and inter-role access controls. Each additional user role above 2 adds approximately half a test day.

Both (recommended)

Production-grade coverage. Authenticated and unauthenticated runs from the same tester, with reconnaissance findings informing authenticated session testing.

Compliance regimes are explicit about which mode they require. PCI DSS Requirement 11.4 requires both internal and external authenticated and unauthenticated testing for cardholder data environments. NCSC penetration testing guidance recommends authenticated coverage for applications handling regulated data.

Reporting overhead and retest

What the fixed-cost line items cover.

Every engagement carries a fixed reporting day. That covers the written report, the executive summary, the live walkthrough call, and the CVSS 4.0 scoring on findings. A retest day, scheduled 4 to 8 weeks after the original engagement, validates that remediation closed the findings. Retest is optional but recommended for compliance frameworks where evidence of closure is part of the audit trail.

Reporting

1 day, fixed per engagement. Always in scope. Methodology follows the OWASP Web Security Testing Guide and the OWASP API Security Top 10.

Retest

1 day, optional. Scheduled 4 to 8 weeks post-remediation. Verifies that critical and high findings have been closed and produces a retest letter for procurement, insurance, or audit evidence.

Day rate: £1,200 ex VAT, all grades · CREST-certified consultants as standard
Honesty Block

What's in the quote, and what isn't.

A pen test quote should be specific about what is excluded as much as what is included. The boundary is where most quote-shopping disputes start.

Capability | In the standard quote | Bolt-on
Test execution
Reproduction-quality findings report
Executive summary report
Live walkthrough call
Retest day (one) | If selected | Additional retests at day rate
CVSS 4.0 scoring on findings
12 months reporting portal access
Remediation guidance per finding
Source code review | | Quoted separately
Threat-led red team | | 10 to 20 days, quoted separately
Social engineering / phishing | | Priced by objective
Out-of-hours testing | | +50% on day rate
On-site testing | | Travel and accommodation at cost

If a provider's quote is materially cheaper than ours, ask them what is bolted on. Often the answer is everything that does not fit in 3 days of execution.

24-Hour Quote SLA

Estimate now. Signed quote in 24 hours.

The calculator gives you a banded estimate. A signed quote with a named lead tester, engagement window, and exact day count needs a 20-minute scoping call. We deliver that within one working day of you asking.

01

You get an estimate

On this page, no email required. Use the calculator above, get a banded number for your scope.

02

20-minute scoping call

Named scoper, screen-share, agree the exact day count. You can book the slot when you ask for the signed quote.

03

Signed quote delivered

Within 24 hours of the call, ready for procurement. Day rate fixed, named lead tester, engagement window confirmed.

If 24 hours is not fast enough, say so on the call. We have shipped same-day quotes when the buyer's procurement window required it.

Credibility

Who you'd be paying.

Three things our quote includes that not every provider's does.

Accreditation

CREST accredited, triple-scope

CREST member firm holding CREST Penetration Testing, CREST Vulnerability Assessment, and CREST SOC accreditations. Triple-CREST scope is held by a small number of UK firms.

UK testers

UK Precursor employees, BPSS as standard

Every tester quoted is a UK Precursor employee. BPSS-cleared as standard. Higher clearance available where the engagement requires it. No offshoring.

Closed loop

Pen test feeds the SOC

Findings from your engagement, where applicable, become detection rules in our 24/7 SOC's detection library. If you ever extend into managed detection, the rules are already there. Most providers cannot say this.

Penetration Testing Quote

Estimate first. Talk later, if you want to.

Use the calculator. Get an estimate. If you want a signed quote, click the button under it. If you would rather just talk, the scoping call is 20 minutes and we do not require a deck.

CREST Accredited
UK Testers, BPSS Standard
£1,200 per Day, All Grades

Penetration testing quote: common questions.

Speed, scope, what a complete quote looks like, and how the estimate becomes a signed document.

An estimate on this page takes about 60 seconds. Fill in five inputs and the banded estimate appears under the calculator. A signed quote with a named tester, exact day count, and engagement window is delivered within 24 hours of a 20-minute scoping call. We do not gate the estimate behind an email form.

UK penetration testing day rates range from about £800 to £1,800 per day for CREST-accredited providers. Precursor's standard rate is £1,200 ex VAT, all tester grades. Most engagements run 5 to 15 days. A small web application typically lands at £6,000; mid-size network infrastructure at £8,000 to £10,000; multi-app with cloud at £12,000 to £18,000.

A complete quote contains: day rate, total cost, line-item day breakdown, named lead tester with certifications, exact test types in scope, what's excluded, reporting format and delivery timeline, retest provision, and payment and cancellation terms. POA is not a quote.

Day rate times days. The day count comes from a base allocation per test type plus a per-asset multiplier (e.g. 1.5 days per web app, 1 day per cloud account). Authentication scope, asset complexity, and environment add to the count. We publish the full rate table in the How we price a pen test section on this page.

No. The calculator produces a banded estimate (e.g. 6 to 9 days, £7,200 to £10,800). Your final signed quote sits somewhere in that band depending on the 20-minute scoping call confirming asset count, environment, and any out-of-hours or compliance overhead. Most clients land at the midpoint of the band.

No. The estimate appears on this page without any form. Email is captured only when you ask for a signed quote, and even then it's because we need to send you a contract, not because we want to add you to a sales cadence.

30 days from issue. Day rate fixed for that window. If procurement takes longer than 30 days we will reissue at the same rate provided the scope has not materially changed.

An estimate is the banded output from the calculator. A signed quote is a written, validity-dated document with the named lead tester, exact day count, total cost, scheduled test window, payment terms, and our Statement of Work attached. Estimates are free and on-page; signed quotes are produced after a 20-minute scoping call.

Yes. We add a compliance attestation letter (£400 fixed) for engagements where the test must align with PCI DSS, ISO 27001 Annex A.8.29, Cyber Essentials Plus, or SOC 2 Common Criteria. The test methodology itself does not change; the attestation lets your auditor or assessor count the test against a specific control.

Ask them what's bolted on. Quote-shopping disputes usually come down to scope rather than rate. A £4,000 quote with no retest, no reporting day, and a junior tester is more expensive than a £6,000 quote with all three.