Penetration Testing Cost 2026: The Real Numbers

Pentest pricing 2026: market rates from €2,000–25,000, day-rate math, the factors that drive cost — and why autonomous pentests start at €890.

Jamin Mahmood-Wiebe · Published · 9 min read

A manual penetration test for a web application costs between €5,000 and €25,000 in Europe in 2026. Autonomous pentest platforms shift that range down substantially: at DeepMantis, a focused pentest starts at €890 and a deep multi-vector test costs €7,500 — with a proof of concept for every finding. This article breaks down where those prices come from, which factors drive them, and when each approach pays off.

What does a pentest cost in 2026?

Manual penetration tests are priced by effort, and the published ranges across European providers cluster surprisingly tightly. The overview below is based on the public price guides from Yekta IT and Reepa Solutions and covers the common test types.

| Test type | Market price (manual) | Effort |
|---|---|---|
| Simple web application | €5,000–10,000 | 5–8 person-days |
| Complex web application | €10,000–25,000 | 8–15 person-days |
| External infrastructure | €3,000–15,000 | 2–8 person-days |
| Mobile app (iOS + Android) | €7,000–14,000 | 5–10 person-days |
| Red team engagement | €25,000–80,000 | 4–8 weeks |

Day rates for certified pentesters sit at €900–1,800 net in the DACH market, per Reepa Solutions, depending on experience and specialisation. A standard pentest for a mid-size company lands at €4,000–10,000 per test.

Autonomous platforms do not bill in person-days. The public DeepMantis price list names three tiers: €890 for a single-surface application (depth of a 1-week manual test), €3,800 for a connected product with sensitive data (depth of 2–4 weeks manual), and €7,500 for a distributed system with regulated data (depth of a 4-week manual test). Every finding ships with a reproducible proof of concept.

Which factors drive the price?

Four factors explain almost the entire price range of a penetration test: scope, test depth, the chosen methodology, and the reporting effort. When you evaluate a quote, check each of these four levers individually — that is where the difference between a €5,000 offer and a €25,000 offer for the same application comes from.

Scope is the biggest lever. An application with a login, a role system, and 20 functions is testable in 5 person-days. A multi-tenant platform with APIs, an admin console, and third-party integrations needs three times that.

Test depth decides whether vulnerabilities are merely identified or proven with an exploit. Germany's Federal Office for Information Security (BSI) recommends a moderate attack strength in its practitioner guide for IS penetration tests.

"An IS penetration test should be dimensioned so that vulnerabilities are demonstrated, but only actively exploited when unavoidable and the exploits have been sufficiently tested." (translated from German)

— BSI, practitioner guide for IS penetration tests (November 2016)

Methodology — blackbox, greybox, or whitebox — changes the effort significantly. The BSI is explicit here. It recommends "conducting whitebox tests as a rule, since a blackbox test can miss vulnerabilities due to information not being available" (translated from German). Blackbox tests are also more labour-intensive, and therefore more expensive — at lower coverage.

Reporting is routinely underestimated. A report that holds up as audit evidence for SOC 2, ISO 27001, or BSI C5 adds 1–3 person-days at manual providers. At DeepMantis, the audit-ready PDF report is included in every tier.

Why is the person-day model so expensive?

The billing model is the structural cost driver of a penetration test — not the technology in use. A person-day is eight hours of work by a certified tester, and every one of those hours ends up on the invoice. At €900–1,800 per day and 5–15 days per test, the familiar €5,000–25,000 range follows almost automatically.

The math scales linearly with the number of applications. Testing 5 products annually at €10,000 per test means €50,000 per year — for one snapshot per product. Published comparisons calculate roughly €1 million annually for 50 applications at €20,000 per manual test (freeCodeCamp, 2026).

Autonomous platforms decouple price from human hours. DeepMantis runs recon, fingerprinting, attack-chain analysis, and exploit verification autonomously; verification runs in isolated browser instances per finding. That is why an engagement with 4-week-test depth costs €7,500 instead of €20,000–25,000 — and completes in 7–10 business days instead of 4–6 weeks.

€890–7,500
Price range of an autonomous DeepMantis pentest — versus €5,000–25,000 for comparable manual web application tests.
Sources: deepmantis.io/en#pricing (as of June 2026); market ranges per Yekta IT and Reepa Solutions.

When is a manual pentest still worth the premium?

Autonomous tests cover web applications and APIs — not every conceivable scope. Knowing the limits means buying the right tool for the right target and paying the premium day rate only where it genuinely adds value.

Manual testers are the right choice for binary exploitation, mobile pentests, social engineering, physical access testing, and destructive scenarios. DeepMantis deliberately does not run these test types. A red team engagement at €25,000–80,000 remains the right answer when the target is the whole organisation — including people and processes.

The BSI also stresses tester independence as a quality criterion.

"IS penetration tests must always be carried out by professionally qualified persons who are independent of the areas under examination and who were not involved in the design, construction, or operation of the information network under examination." (translated from German)

— BSI, practitioner guide for IS penetration tests (November 2016)

That holds for humans and platforms alike: an external, independent test — manual or autonomous — produces more usable results than any internal review.

How do you plan frequency and recurring cost?

A single pentest is a snapshot, and every deployment after it can introduce new vulnerabilities. The BSI notes in the same guide that after every change to an IT system, it should be re-verified whether the required quality and security level is met. For teams shipping weekly, continuous testing has therefore become the standard.

Pentest-as-a-service offerings run at €1,500–5,000 per month plus €4,000–12,000 setup, per Reepa Solutions. DeepMantis offers monthly pentests from €99 per month (billed annually) — possible because no person-days accrue per run.

Plan the budget in three steps:

  1. One-off need — for example before an audit or vendor review: book an on-demand test, €890–7,500 depending on scope.
  2. Ongoing development with sensitive data: plan for monthly tests, €99–999 per month depending on tier.
  3. Whole organisation including social engineering: budget a manual red team, from €25,000 per engagement.

Frequently asked questions about pentest costs

Why do so few providers publish their prices?

Because person-day calculations vary per engagement and leave room for negotiation. A provider who only knows the effort after a scoping call cannot quote a price upfront. Platform pricing is standardisable — which is why DeepMantis prices are public on the pricing page.

Are cheap pentests automatically worse?

No — what matters is what is delivered. Check three things: Is every finding backed by a proof of concept? Does the report hold up as audit evidence? Are re-tests after remediation included? An €890 test with exploit evidence is more usable than a €5,000 scan report without verification.

What about hidden costs?

The most common add-ons at manual providers are re-tests after remediation (often 10–20% of the test price), express surcharges for short-notice scheduling, and paid reporting extras. DeepMantis includes 1–3 re-tests in the price, depending on tier.

Is an automated vulnerability scan enough instead of a pentest?

No. A scanner finds known patterns but does not verify them. The BSI classifies automated scans as a supplementary measure — a penetration test deliberately goes "one step further" and searches for ways "to bypass the security measures in place" (translated from German). The exploit evidence is what matters: only demonstrated exploitability turns an alert into a finding.


Pricing as of June 2026. DeepMantis prices per the public price list; market ranges per the linked sources. DeepMantis methodology and scope limits are documented on the security page.
