How much does a penetration test cost?
Traditional pentests are priced on consultant hours, which pushes a single engagement into five figures. Here's the honest breakdown - and how an automated external pentest lands at $50.
What a traditional pentest costs
A traditional external web-application penetration test is commonly quoted in the low-to-mid five figures - often somewhere around $4,000 to $30,000+, depending on scope and firm. The price reflects labor, not software:
- Scoping calls and a written proposal before any testing starts.
- Days of a consultant's manual testing time.
- A hand-written report and a debrief.
- Re-tests billed as additional time.
That's the right model for a bespoke, deep engagement. For the recurring, external, audit-evidence pentest most SaaS teams actually need, most of that cost is commodity work.
What complyeah costs
A flat $50 runs one comprehensive external pentest on one verified domain, delivered as an auditor-ready, control-mapped report and a shareable certificate. The credit is valid for 12 months. No subscription, no seats - buy any number of credits, add any number of domains (verifying is free; running a pentest spends one credit). At 15 or more verified domains, every pentest is $30.
Why it's a fraction of the price
We automate the commodity scanning and the report assembly, run entirely external and self-serve, and reuse the same engine across every customer. The same audit-grade, control-mapped report lands at a fraction of the cost - you're paying for the report and the workflow, not billable hours. Where an auditor wants a human sign-off, you can add a reviewer attestation to any comprehensive report for $50.
Frequently asked
How much does a penetration test cost?
A traditional external web-app penetration test is commonly priced in the low-to-mid five figures - often around $4,000 to $30,000+ - because it's billed on consultant hours: scoping calls, manual testing, and a hand-written report. complyeah is a flat $50 per comprehensive external pentest of one verified domain, with the automated scanning and report assembly doing the commodity work.
Why is complyeah so much cheaper?
We automate the commodity scanning and the report assembly, run entirely external and self-serve, and reuse the same engine across every customer - so the same audit-grade, control-mapped report lands at a fraction of the cost. You're paying for the report and the workflow, not billable hours.
Are there hidden costs or subscriptions?
No. $50 buys one comprehensive pentest credit, valid for 12 months. No subscription, no seats. Verifying and adding domains is free; running a pentest spends one credit. At 15+ verified domains, every pentest is $30. A human sign-off, if an auditor wants one, is $50.
See your posture in a few minutes
Verify a domain and run a free posture scan. Upgrade to the full $50 external pentest whenever you need the auditor-ready report.