Penetration Testing: Complete Business Guide for 2026
Penetration testing is how organizations find out what their attackers would find out, before the attackers do. A penetration test is a controlled, time-boxed simulated attack against your applications, infrastructure, or people, performed by ethical hackers who write up everything they exploited and how to fix it.
This guide explains what penetration testing actually is, the major types, when each is appropriate, what a real test costs in 2026, and how to scope an engagement so you get findings you can actually act on.
Penetration testing is a regulatory requirement under PCI DSS, a strong recommendation under HIPAA, and a near-mandatory line item in any serious enterprise vendor risk assessment. It is also one of the easiest compliance line items to fake. The market is full of "pen tests" that are really automated vulnerability scans printed on letterhead. Knowing the difference is the most valuable skill you can have when buying a test.
If you are looking specifically at web app testing, see the web application penetration testing checklist. For a buyer's view of test providers, see the best penetration testing companies of 2026. For the difference between pen testing and vulnerability assessment in detail, see penetration testing vs vulnerability assessment.
What a penetration test actually is
A penetration test is a goal-oriented, manual security assessment. The tester is given a defined scope (a list of in-scope IP addresses, URLs, or applications), a defined goal (gain admin access, exfiltrate sample data, achieve persistence on a server), and a defined window (usually 5 to 20 business days). The tester then attempts to achieve that goal using the same techniques real attackers would use: reconnaissance, vulnerability identification, exploitation, post-exploitation, and reporting.
The output is a written report containing:
- An executive summary written for non-technical readers.
- A detailed list of every finding, ranked by severity (Critical, High, Medium, Low, Informational).
- Reproduction steps for each finding (how the tester exploited it).
- Recommended remediation for each finding.
- A scope and methodology section listing what was tested, what was not, and why.
- Optionally, an attestation letter your auditors and prospects can use as evidence.
A real pen test takes a human being multiple days to perform. If a "pen test" report comes back in 24 hours, it is almost certainly a vulnerability scan with cosmetic edits.
Penetration testing types
Penetration testing is not one thing. The major types, organized by what they target:
| Type | What gets tested | Typical cost | Typical duration |
|---|---|---|---|
| Web application | Public-facing or authenticated web apps | $8,000-$25,000 | 5-15 days |
| API | REST/GraphQL APIs, with and without auth | $6,000-$20,000 | 5-10 days |
| Mobile application | iOS or Android apps + their backends | $10,000-$30,000 | 7-15 days |
| External network | Internet-facing IPs and services | $3,000-$10,000 | 3-7 days |
| Internal network | Lateral movement after initial access | $8,000-$25,000 | 5-15 days |
| Cloud configuration | AWS/Azure/GCP IAM, network, services | $10,000-$30,000 | 5-10 days |
| Wireless | Wi-Fi networks at physical locations | $3,000-$8,000 | 2-5 days |
| Social engineering | Phishing, vishing, pretexting | $5,000-$15,000 | 2-4 weeks |
| Physical | Lock picking, badge cloning, on-site access | $8,000-$25,000 | 3-5 days |
| Red team engagement | Multi-vector, goal-driven, weeks-long | $50,000-$250,000 | 4-12 weeks |
Most SMBs and startups need a web application or API pen test annually plus an external network pen test. Larger businesses usually need more; some need internal and cloud pen tests too. Red team engagements are reserved for mature security programs at companies large enough to need them.
Smaller startup teams should focus on the type that matches their highest-risk surface (usually the web app for a SaaS, the cloud configuration for an infra-heavy startup). For a deeper look at the types, see types of penetration testing. For specific cost guidance, see how much does a penetration test cost.
Black box, gray box, and white box
Inside any pen test type, the engagement can be scoped in three ways based on how much information the tester is given up front:
- Black box: The tester has no internal knowledge. They see what an external attacker would see. Most realistic, but slow and expensive because the tester spends most of the engagement on reconnaissance.
- Gray box: The tester has limited internal knowledge: a low-privilege user account, an architecture diagram, an API spec. The most common scope in 2026 because it gets the best findings per dollar.
- White box: The tester has full internal knowledge: source code, infrastructure-as-code, admin accounts, architecture documents. Best for finding deep flaws; least realistic to a random external attacker.
Most regulated industries default to gray box. PCI DSS does not mandate any specific approach, but most QSAs will accept gray box as the default. SOC 2 auditors care more about the report and the scope than the box color.
When you need a penetration test

A penetration test is required, recommended, or strongly expected in these situations:
- PCI DSS: Annual external + annual internal pen test, plus tests after any significant change. Required by PCI DSS Requirement 11.4.
- HIPAA: Not explicitly required, but the HIPAA Security Rule requires "evaluation" of technical and non-technical controls. Most OCR settlement agreements expect a pen test as part of a serious security program.
- SOC 2 Type 2: Not required by the AICPA standard, but auditors increasingly expect to see one. Most enterprise prospects ask for a pen test report alongside the SOC 2 report.
- ISO 27001: Annex A.12.6.1 requires technical vulnerability management; A.18.2.3 requires technical compliance review. A pen test is the standard way to satisfy both.
- NIST 800-53: Requires CA-8 (Penetration Testing) for moderate and high impact systems.
- CMMC Level 2 and Level 3: Pen testing is not explicitly required, but the practice of "test the resilience of the system" lines up with several controls.
- Cyber insurance underwriting: Most carriers now require an annual pen test report before binding a policy with $1M+ in coverage. See cyber insurance requirements.
- Enterprise procurement: Large buyers (hospitals, payers, banks, government) ask for the pen test executive summary before signing master service agreements.
If two or more of these apply to your business, you should plan for at least one pen test per year, every year.
How often should you pen test?
The default is annually. Beyond that, the frequency depends on what you ship and where:
- Public-facing web app or API: Annual full test, plus delta tests after any significant architectural change (new auth system, new payment flow, major framework upgrade).
- Mobile app: Annual, plus a delta test if you add a major feature or change the backend authentication model.
- Internal network: Annual, plus after a major identity infrastructure change (new SSO, new VPN).
- Cloud configuration: Annual, but the gap between tests should be filled by continuous configuration monitoring (a CSPM tool — see the best CSPM tools list).
- Wireless and physical: Every 2 to 3 years unless you operate physical retail or healthcare locations with regulatory exposure.
Some PCI DSS scopes require pen tests every 6 months. Some FedRAMP scopes require them more often. Always check the specific framework requirement before defaulting to annual. For specific cadence guidance, see how often you should pen test.
What separates a real pen test from a vulnerability scan dressed up
A few clear markers a pen test is real:
- Named testers with credentials. A real report lists the testers (usually first name and last initial) with relevant certifications: OSCP, OSCE, OSWE, GPEN, GXPN, CRTP, GCPN, etc.
- Manual exploitation steps. Real findings include reproduction steps that involve manual decisions, not just "tool X reported CVE-Y."
- Logic flaws in the report. Automated scanners find known CVEs. Humans find logic flaws (broken access controls, IDOR, race conditions, business-logic bypasses). A pen test report with zero logic flaws is suspicious.
- Scoped time and effort. A real report has a kickoff date, a testing window, and an end date. Multiple days of hands-on testing.
- Findings ranked by exploitability AND impact. Vulnerability scanners only know severity from the CVE database. Real testers rate severity in your context (e.g., "this Critical CVE is actually Low because the affected component is not exposed").
- Retest evidence. Real testers retest the fixes you deployed and update the report status from Open to Remediated.
For a buyer's view of how to evaluate firms on these criteria, see the best penetration testing companies guide.
How to scope a pen test for the best findings
Three rules that separate engagements that produce useful findings from ones that produce noise:
- Pick the smallest scope that fits your risk. A 50-application monolith pen test in 5 days produces shallow findings. A single critical app, 3 endpoints, in 5 days produces deep findings. Most companies should pick 1 to 3 high-risk targets per engagement.
- Give the tester credentials. Most real-world attacks come from authenticated users (insider threats, credential theft, supply chain compromises). Always include at least one authenticated test path, ideally two or three at different privilege levels.
- Include the retest in the contract. A test without a retest leaves you with a snapshot. A test with a retest leaves you with confirmed remediation, which is what auditors actually want to see.
Add to that a clear out-of-scope list (production data, customer-impacting endpoints, off-hours testing windows) and you will get a useful report.
What to do with a pen test report
The report is not the goal. Closing the findings is the goal. A working post-test workflow:
- Triage within 5 business days. Confirm Critical and High findings are reproducible. Push Medium and Low to the backlog with target SLAs (e.g., 30/60/90 days).
- Assign owners. Every finding gets a specific human and a target date. "Engineering" is not an owner.
- Track in your ticket system. Pull the report findings into Jira, Linear, or whatever your team lives in. Do not leave findings in the PDF.
- Schedule the retest. Most firms include a retest within 60 to 90 days. Use it.
- Update your evidence library. Drop the report and the retest letter into your compliance tool (the best GRC software platforms guide covers options) so it is ready when an auditor or prospect asks.
- Track trend lines. Year over year, your Critical and High count should drop. If it does not, your test scope is wrong, your remediation process is broken, or both.
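As an added example that is not part of this guide, a small Python tracker that applies the workflow above: every finding needs a named owner rather than a team, gets a target date by severity, moves from Open to Remediated after retest, and the Critical plus High count is compared year over year. The SLA days, the owner rule and the sample findings are constructed assumptions.

```python
"""Post-test finding tracker (added example; SLAs and data are assumed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLAs in days, following the 30/60/90 backlog guidance;
# Criticals get the 5-business-day triage window as their target.
SLA_DAYS = {"Critical": 5, "High": 30, "Medium": 60, "Low": 90, "Informational": None}
# Names that are teams, not people, and therefore not valid owners.
TEAM_PLACEHOLDERS = {"engineering", "devops", "security", "tbd", ""}

@dataclass
class Finding:
    fid: str
    title: str
    severity: str
    owner: str
    reported: date
    status: str = "Open"  # Open -> Remediated once the retest confirms the fix

def due_date(f: Finding) -> Optional[date]:
    """Target date derived from severity; Informational findings have no SLA."""
    days = SLA_DAYS[f.severity]
    return None if days is None else f.reported + timedelta(days=days)

def validate_owner(f: Finding) -> bool:
    """Reject team names: each finding must have a specific person."""
    return f.owner.strip().lower() not in TEAM_PLACEHOLDERS

def overdue(findings, today: date):
    """Open findings whose SLA has lapsed, worst severity first."""
    order = list(SLA_DAYS)
    late = [f for f in findings if f.status == "Open"
            and due_date(f) is not None and due_date(f) < today]
    return sorted(late, key=lambda f: order.index(f.severity))

def crit_high_trend(reports: dict) -> dict:
    """Year -> number of Critical+High findings, the trend line to watch."""
    return {y: sum(f.severity in ("Critical", "High") for f in fs)
            for y, fs in sorted(reports.items())}

# Constructed sample findings from two hypothetical annual reports.
REPORT_2025 = [
    Finding("F-1", "IDOR on invoice export", "Critical", "a.lee", date(2025, 3, 3)),
    Finding("F-2", "Missing rate limit on login", "High", "Engineering", date(2025, 3, 3)),
    Finding("F-3", "Verbose error pages", "Low", "m.ortiz", date(2025, 3, 3), "Remediated"),
]
REPORT_2026 = [
    Finding("F-4", "Stale admin token not revoked", "High", "a.lee", date(2026, 3, 2)),
    Finding("F-5", "Outdated TLS cipher suite", "Medium", "m.ortiz", date(2026, 3, 2)),
]
```

Run `overdue(REPORT_2025 + REPORT_2026, date.today())` after importing the module to list lapsed findings, and `crit_high_trend({2025: REPORT_2025, 2026: REPORT_2026})` to see whether the Critical and High count is dropping.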
Cost reality check

A rough budget guide for 2026:
- Single web app pen test, ~5 days, gray box: $8,000 to $15,000.
- Web app + API + mobile, ~15 days: $25,000 to $50,000.
- Annual full-spectrum (external + internal + cloud + web app): $40,000 to $90,000.
- Red team engagement: $50,000 to $250,000 depending on scope and goals.
A few things that move the price:
- US-based testers cost more than offshore testers. Quality is mostly correlated with credentials and reputation, not geography, but US-only staffing is sometimes mandated by FedRAMP and similar programs.
- Senior testers are 1.5 to 2 times the cost of junior testers and typically find 3 to 5 times the issues.
- "Boutique" firms with named testers cost more than mid-market firms with rotating staff. The output is often dramatically better.
- Bundles (annual contract for multiple tests + continuous attack surface monitoring) typically cut per-test cost by 20 to 30 percent.
For specific provider recommendations and the full cost breakdown, see how much does a penetration test cost and the best penetration testing companies of 2026.
Penetration testing in a working compliance program
A pen test is one input into a broader compliance program. The full picture includes vulnerability scanning (continuous), pen testing (annual or more), red teaming (mature programs), bug bounty programs (mature programs), threat modeling (during design), and code review (continuous in CI/CD).
Compliance frameworks that matter most for healthcare, fintech, and SaaS companies are covered in the SOC 2 compliance guide, the HIPAA compliance guide, the PCI DSS compliance guide, and the ISO 27001 certification guide.
Frequently Asked Questions
What is the difference between a penetration test and a vulnerability scan?
A vulnerability scan is automated and checks against a database of known issues. It runs in minutes and costs almost nothing. A penetration test is manual, goal-driven, and performed by a human tester over multiple days. A vulnerability scan finds CVE-Y on host X. A penetration test finds that an attacker can chain CVE-Y with logic flaw Z to take over admin accounts.
How long does a penetration test take?
Most engagements are 5 to 15 business days of testing, plus 5 to 10 business days for the report and 2 to 5 days for client review. Plan 4 to 6 weeks calendar time end to end. Red team engagements run 4 to 12 weeks.
How much does a penetration test cost in 2026?
Most companies spend $8,000 to $25,000 per engagement for a single targeted test. A full annual program covering external, internal, web app, and cloud usually runs $40,000 to $90,000. Red team engagements start at $50,000 and can exceed $250,000.
Do small businesses need penetration testing?
Yes if you handle regulated data (PHI, payment card data, government data) or sell to enterprises that demand it. Below that threshold, an annual external network pen test ($3,000 to $8,000) is a strong baseline. See do small businesses need penetration testing for full guidance.
Is penetration testing required for SOC 2?
SOC 2 does not formally require it, but most auditors expect it and most enterprise prospects ask for it. Treating an annual pen test as part of your SOC 2 program is the standard expectation in 2026.
Is penetration testing required for HIPAA?
HIPAA does not explicitly require it. The HIPAA Security Rule requires "evaluation" of safeguards (45 CFR 164.308(a)(8)). Most OCR settlement agreements after breaches reference pen testing as part of a "reasonable" security program, which is the relevant standard.
What credentials should a penetration tester have?
The most respected credentials in 2026 are OSCP, OSCE, OSWE (Offensive Security), GPEN, GXPN, GCPN (GIAC/SANS), and CREST CRT or CCT (UK/EU). For cloud-specific work, GCP/AWS/Azure security certifications plus offensive cloud certs (Pentester Academy CRTP, etc.) are common.