
Penetration Testing Pricing in Spain: What Drives the Cost

What actually drives the cost of a penetration test in Spain: scope, methodology depth, compliance, retest, hourly profile and red flags in low quotes.

Secra · May 17, 2026 · 14 min read

When a security lead asks for a penetration testing quote in Spain, the first surprise is usually the price variance. Two vendors will quote the same scope with a difference that can reach three to one, and the only way to make sense of it is to stop comparing the final figure and start unpacking each proposal. The operational question is not "how much does it cost"; it's "what am I actually buying and how much technical depth do I get for that budget". Without that breakdown, comparing offers is comparing apples and oranges, and signing the cheapest one carries a hidden cost that shows up in the next cycle or in the first compliance audit.

This guide breaks down how a real-world offensive security engagement is priced in the Spanish market, which factors push the budget up or down, the warning signs of a suspiciously low quote, how effort is distributed across asset types and what the main compliance frameworks (NIS2, DORA, PCI DSS, ISO 27001) expect to see before you ask for a proposal.

What actually drives the price of a penetration test

The cost of a security audit is built on four variables that any serious vendor should be able to walk you through before quoting:

  1. Person-days needed to cover the agreed scope at the agreed depth. This is the real engine of the budget. A web audit on a static corporate portal takes few days; a multi-tenant SaaS platform with SSO, public API, admin panel and an associated mobile app takes many more. If there is no prior scoping that lands on that number, the final figure is a blind estimate.
  2. Technical profile of the assigned team. A day from a pentester with OSCP, OSWE and four years of hands-on work is worth more than a day from a junior who just got certified. The cost per person-day is the least obvious lever and the one that most changes the report you get back.
  3. Methodology depth agreed up front. A black-box engagement without credentials covers less surface in the same days than a grey-box with test users and architecture documentation. For tight budgets, grey-box usually gives the best quality-to-cost ratio.
  4. Deliverables included. Technical report, executive summary, documented retest, mapping to compliance controls, debrief session with the development team and follow-up during the remediation window. When any of these gets billed as an extra, the headline number looks lower but the total cost closes higher.

Ask the vendor for the breakdown by person-days and by profile. Two proposals with identical bottom lines can hide a factor of three in real hours worked, and that gap shows up in how many real bugs land in the report.

Pricing models in the Spanish market

Three models coexist in proposals a CISO receives in Spain:

Per person-day rate

The vendor publishes a day rate and the proposal consists of estimating how many days the agreed scope takes. It is the most transparent model because the real weight of the effort is visible and the day rate is comparable between vendors. Common in specialised boutiques.

Client upside: if the scoping reflects reality, overbilling is hard. If more scope appears than expected, extra days are renegotiated in a traceable way.

Fixed price by scope

The vendor delivers a single number for the whole project, taking on the scoping risk. Common in large consultancies, MSSPs and public tenders.

Client upside: budget certainty for finance. Risk: if the vendor overestimates to cover themselves, the client pays for days that never get executed. If they underestimate, depth gets squeezed to fit the budget.

Annual retainer or continuous program

The client books an annual volume of audits (typically split quarterly or biannually) and the vendor guarantees team availability. Increasingly common in organisations with several critical applications or recurring compliance demands (DORA, PCI DSS).

Upside: the team accumulates context on the architecture and the learning curve shortens with each cycle. The cost per individual audit drops compared to one-off bookings. It only makes sense from three or four projects a year onward; below that, ad-hoc engagements fit better.

Why each type of penetration test costs differently

Effort per asset varies a lot. A qualitative estimate that the Spanish market reflects fairly consistently:

  • Web pentest. Low average cost per endpoint, but scope balloons when there are multiple roles, modules, third-party integrations or complex business logic. The real driver is the number of unique functionalities, not the number of pages.
  • Mobile pentest. Usually needs more days than an equivalent web audit because you cover the iOS client, the Android client, the transport layer, local storage, certificate pinning and very often the API serving both. OWASP MASVS and MASTG set the depth.
  • API pentest. Moderate cost per individual endpoint, but modern APIs ship with dozens or hundreds of endpoints with differentiated permissions. Object-level authorisation tests (BOLA, OWASP API Top 10) eat more time than they appear to.
  • Internal and external infrastructure. External is cheaper because it sits on the Internet-facing surface. Internal scales with the size of the Active Directory, network segmentation, number of servers and exposed services. A mid-sized internal infra with a Windows domain takes more days than the equivalent web audit.
  • Cloud pentest. Cost is driven by the number of accounts or subscriptions, the variety of services in use (IAM, S3, RDS, Lambda, EKS, etc.) and the complexity of the virtual network.
  • IoT and OT pentest. Effort is high per device if firmware analysis, industrial protocols (Modbus, DNP3, BACnet) and hardware are included. It tends to be the highest cost per unit of scope.
  • Red team. A several-week operation combining OSINT, initial intrusion, post-exploitation and lateral movement until agreed objectives are reached. The aggregate cost is high, but the scope is the whole organisation rather than a single application, and the findings are categorically different from a traditional pentest.

Comparing absolute prices across different asset types tells you nothing useful. What matters is comparing day rate and proposed duration for equivalent scopes within the same type.

What pushes the cost up

Five variables that move the figure upward without much discussion:

  • Aggressive timeline. An audit with kickoff two weeks out costs more than one planned two months ahead. The vendor has to reshuffle teams and cancel slack, and the rush premium is a fair price that most boutiques apply explicitly.
  • Specific compliance. TLPT under DORA needs intelligence-led testing, a team separated from the SOC and TIBER-EU accreditation. PCI DSS requires organisational independence between the testing team and the asset owner. NIS2 demands reproducible evidence and explicit mapping to article 21. Each requirement adds hours of documentation, scoping and validation.
  • Unstable pre-production scope. Auditing a version that changes every week forces the team to re-verify findings several times, drags the test out and pushes cost up. The sensible move is to audit a frozen version and leave new features for the next cycle.
  • Multiple retests over long periods. Each retest burns days. A single retest at the four-week mark is standard and usually included. If the organisation needs to validate fixes over three or four iterations, the budget scales accordingly.
  • Additional documentation. Reports for regulators, specific corporate templates, integration of findings with internal tools (Jira, ServiceNow, GRC platforms). Anything that departs from the standard technical report has an associated cost.

What can bring the cost down

Three legitimate levers to reduce the budget without losing depth:

  • Grey-box instead of black-box. Providing test credentials, architecture documentation and one user per role lets the team cover more surface with fewer days. The typical difference is in the 20-30% range. More detail in white-box vs black-box vs grey-box testing.
  • Narrow but recurring scope. The first audit of a given asset costs more than the second, because the team already knows the context and the learning curve disappears. It is a strong strategy for multi-year programs.
  • Early planning. Locking dates two or three months out lets the vendor slot the project without rush premium and sometimes apply discounts for closed blocks.

Red flags in a suspiciously low quote

If the offer is clearly below the rest, three patterns explain almost every case:

  1. Disguised automated scanner. The proposal promises an "exhaustive audit" but the real deliverable is a PDF generated by Nessus, Acunetix, Burp Pro, MobSF or Qualys with cosmetic edits. You spot it because findings mirror the scanner output, the proof of concept is generic and there are no manual tests of business logic.
  2. Cascading subcontracting. The main company sells, a second company coordinates, freelancers from various countries execute. Each link cuts margin and quality. The way to detect it is to ask for the specific names of the assigned team and verify their public technical track record.
  3. Junior staff without real supervision. A cheap day is almost always a junior day, which is fine when a senior actually supervises. If the supervision is nominal (a review of the final report, no hands-on involvement during execution), the audit loses depth.

Rule of thumb: if a quote is a third cheaper than the average, it is not buying the same thing the others are. Ask for the breakdown by days and profiles before signing.
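To make the "compare the breakdown, not the bottom line" advice and the rule of thumb above concrete, here is a small quote comparator. It is an added example, not a tool from the article or from Secra; the profile weights, vendor names and figures are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Proposal:
    vendor: str
    total_eur: float
    days_by_profile: dict = field(default_factory=dict)  # e.g. {"senior": 8, "junior": 4}; empty = no breakdown
    retest_included: bool = True

# Assumed weight of a day by profile relative to a senior day (illustrative, not a market figure).
SENIOR_EQUIVALENT = {"senior": 1.0, "mid": 0.7, "junior": 0.5}

def effective_days(p: Proposal) -> float:
    """Senior-equivalent person-days: a junior day buys less depth than a senior day."""
    return sum(d * SENIOR_EQUIVALENT.get(prof, 0.5) for prof, d in p.days_by_profile.items())

def red_flags(p: Proposal, all_proposals: list) -> list:
    """Checks the article recommends before signing: breakdown, price gap, retest."""
    avg = mean(q.total_eur for q in all_proposals)
    flags = []
    if not p.days_by_profile:
        flags.append("no person-day/profile breakdown")
    if p.total_eur < avg * 2 / 3:  # a third cheaper than the average quote
        flags.append("more than a third below the average quote")
    if not p.retest_included:
        flags.append("retest billed separately")
    return flags

def compare(proposals: list) -> list:
    """Normalise each quote to cost per senior-equivalent day and attach its red flags."""
    rows = []
    for p in proposals:
        eff = effective_days(p)
        rows.append({"vendor": p.vendor, "total_eur": p.total_eur, "effective_days": eff,
                     "eur_per_effective_day": round(p.total_eur / eff, 2) if eff else None,
                     "flags": red_flags(p, proposals)})
    return rows

# Constructed sample quotes for one grey-box web audit; vendor names and figures are made up.
SAMPLE = [
    Proposal("Vendor A", 12000, {"senior": 8, "junior": 4}),   # same total as B, far more depth
    Proposal("Vendor B", 12000, {"junior": 12}),
    Proposal("Vendor C", 6000, retest_included=False),         # cheap, opaque, retest extra
]
```

Running `compare(SAMPLE)` shows Vendors A and B sharing one bottom line while A delivers 10 senior-equivalent days to B's 6, and Vendor C collecting all three flags.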

In-house compared to external provider

Some organisations consider building an internal offensive capability instead of contracting outside. It makes sense for companies with several critical applications, continuous release cycles and an already mature security posture. It is a bad idea when done just to save money.

The total cost of an internal pentesting team is usually underestimated: salaries of senior profiles that are scarce in the Spanish market, continuous training (labs, certifications, conference travel), tooling (Burp Suite Pro, Cobalt Strike, phishing platforms, cloud lab subscriptions), and the high turnover this profile has across the industry. Once all line items are added, the annual cost of a minimum viable internal team often exceeds two or three external boutique audits per year, while leaving the organisation to retain roles that are in high demand.

The most efficient model for most mid-sized organisations is hybrid: a small internal team that coordinates, prioritises fixes and maintains the defensive posture, complemented with an external boutique for the technical audits in each cycle. The external party brings objectivity, does not compete for roadmap with the product team and accumulates offensive hours of practice that a mid-sized internal team rarely matches.

Compliance and its impact on cost

Four frameworks change the figure with specific requirements about the audit:

  • NIS2 (article 21). Demonstrated effectiveness of technical measures for essential or important services. The audit must document methodology, representative scope and reproducible evidence. INCIBE can request the report during an inspection. The additional cost comes from control mapping and documentary traceability. More in NIS2 in Spain: a compliance guide for 2026.
  • DORA (articles 24-25). Annual technical tests for financial entities and triennial TLPT under TIBER-EU for significant financial entities designated by the competent authority (not automatic by size). TLPT requires a provider accredited by the ECB or the corresponding central bank, intelligence-led testing, a team separated from the SOC and validation of the threat profile. It is the most expensive type of test in the European regulated market.
  • ISO 27001:2022 (control 8.29). Security testing in the software lifecycle. A documented audit with methodology, findings, fixes and retest is direct evidence for the control. Additional cost is low if the vendor report already meets the format.
  • PCI DSS v4.0 (requirement 11.4). Internal and external penetration testing annually and after any significant change. "Industry-accepted" methodology (PTES, OWASP, NIST 800-115) and organisational independence from the asset owner. The cost rises because of the mandatory frequency and the report detail required.

Asking the vendor to indicate which specific controls the deliverable maps to simplifies the subsequent compliance audit and avoids re-running tests because they do not fit the framework.

Frequently asked questions

Why do two vendors quote the same scope so differently?

Because of the day rate of the assigned profile, the number of days each one estimates and the deliverables included. A senior profile costs more per day but usually needs fewer days to find the same things, and delivers a more useful report. Asking for the breakdown by days and profile lets you compare.

How long does it take to receive a serious proposal?

Between one and two weeks from the first email if the scoping needs a technical meeting, which is normal for non-trivial scopes. If you get a closed proposal back within 24 hours and without any technical question, the scope hasn't been thought through.

Is it a good idea to book a pentest "to get it over with" before an audit?

Understandable but risky. If the vendor just runs the bare minimum to produce a certificate, the compliance auditor may ask for details that are not there and reject the evidence. The efficient move is to plan the audit with enough lead time to find and fix issues before the external review, not to produce a justifying PDF.

Does the retest always cost extra?

In serious boutiques a documented retest a few weeks after the report is usually included. If it gets billed as a separate project without that being agreed in advance, review the original proposal. More than one retest typically does get billed as additional days.

How is a red team priced compared to a traditional pentest?

A red team is a longer operation (weeks to months) with a smaller but more senior team and is usually quoted as a fixed price per scenario or block. The aggregate cost is higher than a one-off pentest, but the scope is the entire organisation (people, processes, technology) and the result is a realistic validation of the defensive posture, not a list of bugs.

Can small and medium businesses afford a pentest?

Yes, by adjusting scope and depth. An SME with one critical web application does not need a full annual program; it needs a properly executed one-off audit on the asset that really matters. Spanish boutiques usually have scaled proposals for different sizes. More in cybersecurity for SMEs: where to start.

How much does a retainer save compared to one-off bookings?

It depends on the vendor and the volume, but a closed program of several projects per year usually reduces the cost per project between 10% and 25% compared to ad-hoc bookings, on top of guaranteeing team availability for critical dates.

How we work at Secra

At Secra we quote every audit with an explicit breakdown of person-days and assigned profile, no opaque sealed proposals. Identifiable team with original research (CVE-2025-40652 in CoverManager and CVE-2023-3512 in Setelsa ConacWin CB published in NVD and INCIBE-CERT), traceable methodology (OWASP WSTG, MASVS, API Security Top 10, PTES, MITRE ATT&CK), reports with reproducible proof of concept and a documented retest included in the original scope. We map findings to NIS2, DORA, ENS, ISO 27001 or PCI DSS when applicable. If you want a proposal with priced breakdown for your real scope, get in touch through contact or check the detail of our services for web and mobile application audits, infrastructure audits, cloud audits and red team.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
