← All insights

The Hidden Cost of a Cheap Pentest: A Buyer's Checklist for Choosing a Vendor

A cheap penetration test is rarely cheap. It just moves the cost somewhere you cannot see until later: to the breach you did not get warned about, the deal you lost because the report did not hold up, or the second test you have to buy because the first one was a scan in a costume.

So before you sign with the lowest bidder, here is the direct answer to the real question: the price of a pentest is not what you pay the vendor. It is what you pay the vendor plus the cost of everything they miss. A vendor that charges half as much and finds a quarter as much is not a bargain. This piece is a practical checklist for telling the difference before you commit.

Why the cheapest quote is usually the most expensive

Penetration testing is a labor service. The cost is mostly skilled human time, so when a quote comes in dramatically below the others, something has been removed to get there. Usually it is the human.

The cheap end of this market is dominated by automated scans dressed up as penetration tests. A tool runs against your environment, spits out a list of potential issues, and the “report” is the tool’s output with a logo on the cover. Nobody validated whether the findings are real. Nobody tried to exploit them. Nobody chained two medium issues into the critical that actually gets you breached. You paid for a penetration test and received a vulnerability scan, and the two are not the same thing.

The hidden costs show up later. False positives waste your engineers’ time chasing issues that were never exploitable. False negatives, the dangerous ones, leave real vulnerabilities in place because no human looked hard enough to find them. And when a customer or auditor reads the report closely, a thin one can fail the review outright, which means you are buying a second test anyway, this time under deadline pressure.

A test that misses the finding that leads to a breach has a cost measured in incident response, downtime, legal exposure, and lost trust. Against that, the few thousand dollars you saved on the quote is a rounding error.

The buyer’s checklist

Use this when you evaluate any pentest vendor. You do not need every box checked perfectly, but a vendor who cannot answer these clearly is telling you something.

1. Who actually does the work, and how experienced are they? Ask for the experience level of the people on your engagement, not the company’s headline credentials. Some firms win the deal with big names and staff it with juniors. Ask directly: who is testing my environment, and how long have they been doing this? Experience is not a slogan. It is the difference between someone who recognizes a subtle business-logic flaw and someone who only reports what the tool flagged.

2. Is every finding validated by a human? This is the single most important question. A real pentest confirms that findings are genuinely exploitable, not just theoretically present. Ask whether each finding is manually verified, and whether they will show you proof of exploitation. If the answer is vague, you are probably buying scan output.

3. Can you see a sample report? A good report is readable, prioritized by real business risk, and specific enough to act on. It explains how a finding was exploited, what an attacker could do with it, and exactly how to fix it. A weak report is a wall of scanner severity ratings with no context. Ask for a redacted sample before you sign, and read it like the auditor or customer who will eventually read yours.

4. How do they scope, and how do they price? Be wary of a flat sticker price with no questions about your environment. Honest scoping requires understanding what you actually have: how many applications, what kind of infrastructure, how much is in the cloud, what matters most. Scope-based pricing is less convenient than a menu, but it is the only way to quote a real engagement. A vendor who quotes before understanding your environment is quoting a commodity, and a pentest is not one.

5. What happens after the report? Finding the issues is half the job. Ask whether retesting of fixes is included, whether you get a debrief with the actual testers, and whether you can ask questions as you remediate. A vendor who hands you a PDF and disappears has left the hardest part, actually fixing things, entirely to you.

6. What is their relationship with AI tooling, and are they honest about it? This matters in 2026 in both directions. A vendor pretending AI does not exist is probably charging you 2022 prices for work that is now more efficient. A vendor claiming AI does the whole test is selling you autonomous scanning with a markup. The honest answer is in the middle: AI handles the repetitive groundwork so experienced testers can spend their time on the judgment-heavy work that actually finds the dangerous flaws. Ask them to explain how they use it. The answer tells you whether they understand their own craft.

7. Will the report survive outside scrutiny? Your pentest report rarely stays internal. Customers, auditors, insurers, and partners will read it. Ask whether their reports are built to stand up to that scrutiny, and whether they have experience with the frameworks your stakeholders care about. A report that satisfies you but fails your biggest customer’s security review has cost you a deal.

The questions that reveal a body shop

A few quick tells separate a boutique that does the work from a body shop that resells volume.

Ask how many engagements a single tester runs at once. If the number is high, your test is one of many on an assembly line, and depth suffers. Ask whether you will talk to the people who actually tested your systems, or only to an account manager. Ask what they do when they find something that is not on the standard checklist, because the findings that matter most are usually the ones no checklist anticipated. A boutique leans into that. A body shop reports what the template expects and moves on.

What you are actually buying

When you buy a penetration test, you are not buying a document. You are buying confidence that someone skilled and motivated tried hard to break in and told you the truth about what they found. A cheap test that skips the human skips exactly the part you are paying for.

Spend the time on this checklist before you spend the money. The right vendor will welcome every one of these questions, because the answers are how they win on merit instead of on price.

If you want to put us to that test, that is exactly the conversation we like to have. Talk to an expert, and ask us all seven.

Get started

Find out what others missed.

A penetration test costs a fraction of a breach. Spend a few days finding the flaw, not millions recovering from it.

Not ready to scope a test? Just ask a question. Every message reaches an expert directly and gets a personal reply, not a sales call.