If Your Pentest Costs the Same as Last Year, You're Paying Too Much
In 2025, the most precedent-bound corner of professional services repriced itself around AI. Audit fees, which for decades had only ever gone up, started coming down. The security industry watched it happen and, so far, has done nothing of the kind.
Here is what happened. KPMG looked at its own auditor, Grant Thornton, and asked a simple question: you are using AI now, so why does the audit cost the same? Then they did something auditors’ clients almost never do. They demanded a price cut, threatened to take the work elsewhere, and got a 14 percent reduction. PwC’s leadership has since acknowledged publicly that clients everywhere are demanding a share of AI-driven efficiencies, and that firms are giving ground.
Think about what that means. The conservative, buttoned-up audit world looked at AI and decided the savings belonged, at least in part, to the client. If even the auditors have reached that conclusion, penetration testing is overdue for the same one.
If your testing firm is still charging you what it charged before AI, for the same scope, you should be asking the question KPMG asked.
The math has changed underneath you
Security testing has always been labor-intensive. Reconnaissance, enumeration, triage, retesting, reporting: hours and hours of skilled human time, billed accordingly. That labor model is why a quality manual penetration test has typically run from the low five figures up to fifty thousand dollars or more.
AI changed the input costs. Modern tooling can now perform broad reconnaissance, surface likely weaknesses, triage scanner output, and draft documentation at a fraction of historic cost. Carnegie Mellon researchers benchmarked an AI system against equivalent human-performed security scenarios and measured a 156x cost difference. Commercial AI-driven testing runs cost cents to tens of dollars per execution against targets that once consumed billable days.
None of this means AI can replace a senior penetration tester. It cannot, and we will get to that. But it does mean that any firm doing this work in 2026 the way they did it in 2022 is either ignoring the most significant efficiency tool in the industry’s history, or using it and quietly keeping the savings.
The two honest models
A testing firm that has genuinely adopted AI can do one of two honest things with the efficiency:
Same price, more coverage. The hours AI saves on reconnaissance and triage go back into your engagement. Your testers spend their time on the deep work: chaining vulnerabilities, attacking business logic, proving real impact. You pay what you paid last year and get meaningfully more security for it.
Same coverage, lower price. The engagement that needed three weeks of billable effort now needs less, and your invoice reflects that.
Either is fair. Different clients prefer different trades, and a good firm will let you choose.
What is not honest is the third model, the one much of the industry is quietly running: same price, same coverage, and an efficiency dividend that never reaches you. That is the model KPMG refused to fund. You should refuse too.
The catch: not all AI testing is testing
Here is where buyers need to be careful, because there is a failure mode on the other side.
Some vendors heard “AI” and built the opposite problem: fully automated products marketed as penetration tests, with no meaningful human judgment anywhere in the loop. Those tools are fine at finding known, scannable issues. They are blind to the vulnerabilities that actually cause breaches: broken business logic, chained misconfigurations, authorization flaws that only make sense when a human understands what the application is supposed to do. An AI-only test is a vulnerability scan with better marketing.
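A small illustration of the point above, added here and not part of the original post: an order-lookup endpoint whose every individual response looks correct, so a context-free scan has nothing to flag, yet which violates the business rule "a customer may only see their own orders". The users, orders, session tokens and both handler functions (`get_order_vulnerable`, `get_order_hardened`) are constructed for the example; `scanner_style_check` models what a scan can observe without knowing intent, and `intent_aware_check` models the question a tester asks once they know what the application is supposed to do.

```python
"""Added example (not from the original post): why a check that judges responses
in isolation cannot see an authorization flaw that depends on what the
application is supposed to do.

Everything here is constructed: the users, the orders, and the two handlers.
get_order_vulnerable confirms the caller is logged in and then returns whichever
order was asked for; get_order_hardened also confirms the order belongs to the
caller.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int


# Constructed sample data: two sessions, two orders, one per customer.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ORDERS = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 12500),
}


def get_order_vulnerable(session_token, order_id):
    """Authenticated but not authorized: any logged-in user can read any order."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, {"error": "not authenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "no such order"}
    return 200, {"order_id": order.order_id, "total_cents": order.total_cents}


def get_order_hardened(session_token, order_id):
    """Same handler with the ownership check the application's intent requires."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, {"error": "not authenticated"}
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        # Same response for "missing" and "not yours", so the endpoint does not
        # confirm which order ids exist.
        return 404, {"error": "no such order"}
    return 200, {"order_id": order.order_id, "total_cents": order.total_cents}


def scanner_style_check(handler):
    """What a context-free scan can observe: unauthenticated requests are
    rejected, unknown ids return 404, and an owner can read their own order.
    Both handlers pass, because each response on its own is sensible."""
    status_noauth, _ = handler("bogus-token", 1001)
    status_missing, _ = handler("sess-alice", 999999)
    status_own, body = handler("sess-alice", 1001)
    return (
        status_noauth == 401
        and status_missing == 404
        and status_own == 200
        and body.get("order_id") == 1001
    )


def intent_aware_check(handler):
    """The question a tester asks once they know the business rule
    'a customer may only see their own orders': can Alice read Bob's order?
    Returns True when the handler respects that rule."""
    status, body = handler("sess-alice", 1002)
    return status != 200 and "total_cents" not in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable),
                          ("hardened", get_order_hardened)):
        print(f"{name}: scanner-style pass={scanner_style_check(handler)}, "
              f"intent-aware pass={intent_aware_check(handler)}")
```

The scanner-style check passes for both handlers; only the intent-aware check separates them, and it can only be written by someone who knows the rule the application is meant to enforce. That is the gap between a scan and a test.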
The model that works, the one we run at Alpha Defense, is human-led and AI-amplified. AI expands coverage, works the breadth of the attack surface, and eliminates the rote hours. Senior engineers direct the work, validate every finding, perform the exploitation, and apply the judgment that machines do not have. The efficiency is real, and so is the depth. That combination is exactly what makes it possible to give clients more for less without cutting a single corner.
Questions to ask your current provider
You do not need to be technical to hold your testing firm accountable. Ask three questions:
- How are you using AI in our engagements? A confident firm has a specific answer. Vague gestures at “advanced tooling” mean the answer is no.
- Since you adopted it, did our scope grow or our price drop? If the answer is neither, ask where the efficiency went.
- Who validates the findings, a person or a model? The right answer is a senior human, every finding, every time.
A firm with good answers is a keeper. A firm without them is charging 2022 prices for 2022 work, in 2026.
The bottom line
A penetration test still costs a fraction of what a breach costs. IBM puts the average US breach at over ten million dollars. That asymmetry has not changed, and it is still the best money in your security budget.
But within that bargain, the bar has moved. AI made high-quality testing cheaper to deliver. The only question is whether your firm passes that to you, in scope or in price, or keeps it.
We made our choice. Engagements at Alpha Defense are scoped to what you actually need, led by senior engineers, amplified by our own AI tooling, and priced to reflect it. If your current provider’s invoice has not changed since before AI, we should talk.
Sources: public reporting on the KPMG and Grant Thornton fee reduction (2025) and PwC statements on client demand for AI savings; Carnegie Mellon AI security benchmark; IBM Cost of a Data Breach Report 2025.