You have probably heard someone say "we are going to get a penetration test" (or "pen test") at some point. I have seen the confused look on people's faces when I have used this phrase throughout my career, so here is a quick explanation of what a penetration test is.

It is a form of ethical hacking (good) in which a team of cybersecurity experts simulates a cyberattack by a threat actor (bad) on a system or network. The goal of these tests is to evaluate just how far a threat actor can get into an information technology environment, be it a single system or all of them. These tests are essential for any business that depends on technology to operate. They show an organization how strong its cyber defenses are and what damage a threat actor could cause.

Why should I care?

Make no mistake, even smaller organizations are under constant threat of attack. Though the cost of penetration testing might not seem worth it, it is, and then some. The cost is minuscule compared to the short- and long-term price tags associated with hacks, security and data breaches, malware, Distributed Denial of Service (DDoS) attacks and a myriad of other cyber threats.

Conservatively estimated, the average business's losses can range from $100K to millions, depending on the type of cyber incident.

Show me the money!

Let’s use an analogy for this when we talk about the cost of a penetration test.

Imagine it: you have decided that it is time to build your own home on your own land. You are at the builder's office, and the base price of the build (standard model) is going to be $175,000. However, you want all the bells and whistles: crown molding, an outdoor fireplace, a pool, etc. That original $175K price tag quickly shoots up.

Why do people add these features? Because they want the best value and the best experience from their new purchase, and they want to know that down the road they will easily return a profit should they sell their home. The same goes for a penetration test. You want to be certain that the right technology package was purchased, that it shows a good return on value, and that it enhances the security of your organization once it is completed and remediation has taken place.

Choosing the right approach and components is as important for a penetration test as those optional packages are to the homeowner. A pen test reveals risk exposures that drive priorities in resources and funding.

So how do I know what bells and whistles I want to be included in my pen test?
Some of the most common factors to consider when selecting options and scoping a penetration test include:

  • Should your test include both external AND internal systems?
  • Are there applications included in the scope?
  • Do your testing needs involve regulatory compliance?
  • Are your systems on-premises or in the cloud?
  • Do you want to include password cracking in the scope?
  • Do you want to include phishing in the test?
  • Do you want to test your physical security?

The price of a pen test can vary, as I have already indicated; however, we can give a rough estimate:

  • $8,000 – Small Business (0-150 Employees)
  • $10,500 – Medium Business (150-500 Employees)
  • $15,000 – Mid-Size Business (500-2,500 Employees)
  • $22,500 – Large Business (2,500-5,000 Employees)
  • $50,000 – XL Business (5,000-10,000+ Employees)

In addition to the organization's size and the pen test options chosen, the complexity of the technology landscape will affect the price; more points of entry may demand more complicated and comprehensive testing.

Conversant Group can answer any additional questions you may have, and we can also administer a pen test. We want to help you prove that your investments in technology are having a positive, valuable impact on the security of your business, and to assist with resolving any issues that are discovered.