
SME Pentest Guide: Price, Duration and Scope

April 20, 2026 · 10 min read · VefaSec Editorial

The most common question from SMEs is 'how much does a pentest cost?'. The answer isn't simple — it depends on scope, methodology and target complexity. Here's a transparent pricing map, time estimates and which scope fits which business.

Pentest Types: Black, Grey, White-Box

Black-box simulates an attacker with zero info — you provide a URL or IP range and we start from OSINT. Realistic but slow, most time goes into recon. Typical SME project: 2-3 weeks.

Grey-box is the balanced option: standard user credentials, external + internal perspectives. Best effort-to-value ratio. White-box includes source code + infra access — the most thorough, the most expensive. Fits larger enterprises.

Scope Examples: Typical SME Needs

Small e-commerce (10-50 products, one payment gateway): 5-7 days, TRY 35,000-60,000. Scope: web app, payment flow, admin panel, API, dependencies. Deliverable: ~15-25 findings with CVSS scores.

Mid-sized SaaS or B2B portal (50-200 users, multi-module): 10-15 days, TRY 90,000-180,000. Scope: all modules, API, mobile if present, cloud config. Deliverable: 30-50 findings, exec summary + technical report.

The Pentest Process, Phase by Phase

Phase 1, Recon (OSINT): 1-2 days. Domain, subdomains, employee LinkedIn profiles, GitHub leaks, public endpoints.

Phase 2, Vulnerability scanning: 2-3 days. Automated tooling (Nuclei, ZAP, Burp) plus manual verification of every result.

Phase 3, Exploitation: 3-5 days. Manual pentest, custom payloads, post-exploitation.

Phase 4, Reporting: 2-3 days. Each finding gets a PoC, a CVSS 4.0 score and a remediation guide.

Phase 5, Re-test: 1-2 days. Free of charge.

What Should the Report Contain?

Executive summary (2-3 pages, non-technical business risk framing). Technical appendix (details, PoC screenshots, step-by-step exploit). CVSS 4.0-scored findings, ranked. Risk matrix (impact × likelihood). Remediation timeline.

A bad pentest report is an nmap dump — findings listed, action vague. A good one is a concrete plan your team can close on a Tuesday afternoon. VefaSec averages 3-5 pages of remediation content per finding.
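As an added illustration of the ranking and risk matrix described above (example code, not VefaSec's tooling): the script bands constructed findings by CVSS 4.0 score, places them on an impact × likelihood matrix, flags where business context outranks the CVSS band, and lays the ranked list out as a sequential remediation timeline. The 1-5 impact and likelihood scale, the effort estimates and all sample findings are assumptions made for the example.

```python
# Added example (not VefaSec's code): rank constructed findings by CVSS 4.0
# severity band and an impact x likelihood risk matrix, then build a timeline.
from dataclasses import dataclass

@dataclass
class Finding:
    title: str
    cvss: float            # CVSS 4.0 base score, 0.0-10.0
    impact: int            # 1 (negligible) .. 5 (severe); scale assumed here
    likelihood: int        # 1 (rare) .. 5 (almost certain); scale assumed here
    remediation_days: int  # assumed effort estimate used for the timeline

def severity(score: float) -> str:
    """Standard CVSS qualitative bands: None/Low/Medium/High/Critical."""
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"

def risk_cell(f: Finding) -> int:
    """Risk matrix cell value: impact x likelihood, range 1..25."""
    return f.impact * f.likelihood

def rank(findings: list[Finding]) -> list[Finding]:
    """Highest CVSS first; ties broken by the risk-matrix cell."""
    return sorted(findings, key=lambda f: (f.cvss, risk_cell(f)), reverse=True)

def context_overrides(findings: list[Finding]) -> list[str]:
    """Findings whose business risk (matrix cell >= 15) outranks a Low/Medium
    CVSS band; these deserve an explicit note in the executive summary."""
    return [f.title for f in findings
            if risk_cell(f) >= 15 and severity(f.cvss) in ("Low", "Medium")]

def remediation_timeline(findings: list[Finding]) -> list[tuple[str, int, int]]:
    """Sequential (title, start_day, end_day) schedule in ranked order."""
    plan, day = [], 0
    for f in rank(findings):
        plan.append((f.title, day, day + f.remediation_days))
        day += f.remediation_days
    return plan

# Constructed sample findings; titles and numbers are invented for the example.
SAMPLE = [
    Finding("IDOR on order export", 7.1, 4, 4, 3),
    Finding("Verbose stack trace on HTTP 500", 3.2, 2, 5, 1),
    Finding("Stored XSS in admin notes", 8.4, 4, 3, 2),
    Finding("Outdated jQuery dependency", 5.3, 3, 5, 1),
]
```

Running `rank(SAMPLE)` puts the stored XSS first; `context_overrides(SAMPLE)` flags the outdated dependency because its likelihood pushes the matrix cell above the CVSS band, which is exactly the kind of business-risk nuance a good executive summary carries.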

How Often Should You Test?

At least annually, plus after critical changes (new modules, integrations, major framework upgrades). PCI-DSS regulated firms need 2+ tests per year.

Our recommendation: continuous scanning (VefaSec monthly retainer) + 1-2 manual pentests per year + targeted post-incident tests — a balanced maturity curve.

Red Flags: Identifying a Poor Pentest Firm

Warning signs: pricing by 'number of tests' (pentests are priced by time or scope, not count), no certified staff (OSCP, CEH, CISSP), running only automated scanners and writing a report (that's scanning, not pentesting), charging extra for re-test.

Good signs: transparent methodology (OWASP WSTG, PTES, NIST SP 800-115), certified senior team, anonymized sample reports, free re-test, PoC screenshots in deep remediation sections.

Talk to VefaSec about your project or audit needs.

Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.
