Our pricing model is built on actual workload, not arbitrary counts or automated scans. Every engagement is scoped using Estimated Days of Effort (EDEs) – a transparent measure of the time our offensive security consultants spend performing real, hands‑on testing against your environment.
Traditional “count‑based” pricing (by IPs, URLs, or user accounts) turns penetration testing into a commodity. It rewards speed over depth and ignores the true complexity of your environment. Our workload‑based approach realigns incentives: you get investment in quality, realism, and risk‑based coverage, not shortcuts.
We start with a Project Intake Form (PIF) that captures the size, complexity, and testing requirements of your environment. You answer focused questions for each service module so we can understand your real attack surface in detail. We then corroborate that picture using targeted OSINT and reconnaissance to validate your public footprint and risk profile. From there, we scope the engagement in Estimated Days of Effort (EDEs) – each EDE is one full 8-hour day of focused, hands‑on testing by a senior offensive security consultant, not just a day on the calendar.
An EDE covers all of the expert work required to thoroughly test your scope: planning realistic attack scenarios, executing hands‑on testing against your environment, analyzing and validating findings, chaining vulnerabilities to show real business impact, and producing practical remediation guidance.
You are not billed for passive time like tool runs, waiting on systems or MFA, or project administration; those activities are absorbed into our delivery process so your budget goes directly to meaningful offensive security effort.
Different types of penetration tests require different levels of depth and time. External network tests can often be completed in just a few days, while web application tests usually take closer to a full week to complete. The starting prices below reflect the typical workload for each type of engagement and do not include optional add‑on modules such as OSINT, Social Engineering, Phishing, Stealth, Cloud Assessment, or Wi-Fi testing, which can increase overall cost depending on your needs.
| Company Size | Infrastructure Profile | Silver | Gold | Platinum |
|---|---|---|---|---|
| Small <100 Employees | | Starting at $12,500 | Starting at $20,000 | Starting at $40,000 |
| Medium 100–500 Employees | | Starting at $20,000 | Starting at $30,000 | Starting at $50,000 |
| Large 500+ Employees | | Starting at $30,000 | Starting at $40,000 | Starting at $60,000 |
Web application penetration tests typically require more depth than external network tests because they involve business logic, authentication flows, and APIs. A user role is simply a type of account with a distinct set of permissions and capabilities (for example, customer vs. admin vs. support), and each role needs to be tested separately to see what it can access and how it behaves. As you add more roles, complexity increases – there are more scenarios, workflows, and edge cases to validate – which is why engagements with additional roles require more effort.
| Web Application | Roles | Pricing |
|---|---|---|
| Unauthenticated | N/A | Starting at $12,500 |
| Authenticated | 1–2 User Roles | Starting at $18,000 |
| Additional user roles | Per extra role | + $3,000 |
By tuning scope and depth, we can right‑size the engagement, so your testing effort aligns with your risk, timeline, and internal budget realities.
Netragard’s multi-year services are specifically designed to improve the service quality and client experience without any commitment traps. Our multi-year services are risk-free, as clients have the liberty to withdraw at any time, for any reason, without any penalties. Multi-year services are offered for a minimum of three years (consecutive or every other year) with the option to roll into an evergreen contract after the third year.
When you commit to a three-year service, we leverage reconnaissance data from the initial year to save time and reduce costs in subsequent years, passing those efficiency gains directly to our clients.
We bill annually at a reduced rate, invoicing 50% before project initiation and the remaining balance after report delivery.
Our dedicated project managers proactively manage scheduling, prioritize client needs, and optimize testing timing to align with your business requirements.
Each year a new tester is assigned so that our clients meet the latest vendor-rotation requirements and continue to receive high-quality testing.
Accumulated knowledge enables us to deliver unparalleled testing efficiency, coverage, and threat simulation to grow with our clients’ maturity.
If you exit within the first three years, you will be invoiced the difference between the discounted rate and the full single-year price with no additional fees.