Asking what a penetration test costs is like asking what a renovation costs: the honest answer starts with "it depends", but that's not a useful place to leave you. So here are the numbers we can stand behind, based on what the Australian market actually charges and what we quote ourselves.

The short answer: a focused test of a small web application typically starts around $6,000 to $8,000 AUD. Most single-application engagements land between $10,000 and $25,000. Large or multi-target programs run $30,000 and up. Almost everything else about pricing is an explanation of why a given engagement sits where it does in that range.

Diagram showing four cost drivers (scope size, complexity, depth and roles, reporting needs) feeding into typical Australian pentest price bands
// the four levers behind every quote, and where prices typically land

Typical prices by engagement type

EngagementTypical effortIndicative range (AUD, ex GST)
Small web app (one role, few screens)3-5 days$6,000 - $10,000
Standard web app + API (2-3 roles)5-10 days$10,000 - $20,000
Mobile app (iOS + Android + backend)7-12 days$14,000 - $25,000
External network (modest perimeter)3-5 days$6,000 - $12,000
Internal network / Active Directory5-10 days$10,000 - $22,000
Cloud security review (one platform)4-8 days$8,000 - $18,000
Multi-target annual programvaries$30,000 +

Treat these as calibration, not a menu. A quote outside these bands isn't automatically wrong, but the vendor should be able to explain why, specifically, in terms of your scope.

What actually drives the price

Pentesting is priced on effort: senior specialist time, mostly in day-rate terms of $1,500 to $2,500 per day in Australia, whether or not the quote shows it. Four things determine how many days your engagement needs:

  • Scope size. The number of screens, endpoints, hosts or cloud accounts. Testing 200 API endpoints properly takes longer than testing 20. This is the biggest lever.
  • Complexity. Multi-step workflows, payment flows, integrations, file handling and custom auth all take time to understand and attack well. A CRUD app and a trading platform with the same endpoint count are very different jobs.
  • Depth and roles. Each user role multiplies the access-control testing surface, and that's exactly where the serious findings live. Authenticated, multi-role testing costs more than anonymous poking, and is worth every dollar of the difference.
  • Reporting and follow-up. Audit-grade evidence, attestation letters, debrief workshops and retesting all add effort. (Retesting is included free at VAPT.COM.AU; many firms bill it separately, so check.)

Why quotes for "the same test" differ so much

When one quote says $7,000 and another says $22,000 for what looks like the same application, you're almost never comparing the same work. The usual differences:

  • Automation share. A quote built around a scanner run with light manual verification is cheap to deliver. It's also mostly a vulnerability scan wearing a pentest badge, and it will miss the findings that matter.
  • Who does the work. A senior tester finds in day two what a junior finds in day six, or never. Ask who is actually assigned, not who is on the website.
  • What's in scope. One role or all of them? API included or just the UI? Retest included or extra? Quiet exclusions are the classic way to hit a target price.
  • Reporting quality. A findings dump costs less to produce than a report your engineers can act on and your auditor will accept. Ask for a sample report and the difference becomes obvious in about ninety seconds.

Keeping the cost down without gutting the test

There are good ways to spend less, and bad ones. The good ones:

  • Narrow the scope honestly. Test the application that holds customer data this quarter; the marketing site can wait. A tight scope tested deeply beats a broad scope skimmed.
  • Prepare properly. Working test accounts for every role, a staging environment that mirrors production, API documentation and a responsive technical contact can save days of billable friction.
  • Fix the known stuff first. Run a scanner yourself and patch what it finds, so you're paying specialists for depth rather than a list of missing patches.
  • Plan annually. Testing on a predictable schedule is cheaper (and calmer) than emergency testing three weeks before an enterprise deal closes.

The bad way is choosing the cheapest quote without reading what it excludes. A $5,000 report that misses the flaw that leaks your customer database is the most expensive document you'll ever buy.

Getting a real number

Any serious firm will give you a fixed quote after a short scoping conversation: fifteen minutes and a questionnaire covering targets, roles, deadlines and what the report needs to prove. If the number arrives before the questions do, treat that as a finding.

If you're still deciding what kind of test you need in the first place, start with our plain-English guide to penetration testing, or look through the specific services we offer.