Byte Optimizer

Manual Penetration Testing: A Buyer's Guide to Cost, Scope, and Reports

TL;DR

Manual penetration testing is a controlled, authorized assessment in which a skilled human tester attacks your application, API, or network the way a real adversary would, then proves each finding with evidence of exploitation. You need one to catch what scanners cannot (business logic flaws, chained exploits, broken access control) and to satisfy the security testing expectations of frameworks like SOC 2 and ISO 27001. Pricing is per engagement and driven by scope, and the deliverable is a report with severity scores, proof of exploit, remediation guidance, and a retest.

  • A credible engagement follows five phases: scoping under NDA, reconnaissance and exploitation, evidence and proof of exploit, reporting, and a retest that verifies fixes.
  • Cost depends on attack surface size, complexity, engagement type, and depth; there is no meaningful flat rate, and packages priced before scoping are a red flag.
  • Small single-application scopes mean days of active testing; larger scopes with multiple applications, APIs, and user roles run for weeks.

Manual penetration testing is a security assessment in which a skilled human tester actively attacks your application, API, or network the way a real adversary would, under controlled and authorized conditions. Instead of matching signatures against a database of known vulnerabilities, a penetration tester studies how your system actually behaves, forms hypotheses about where it can be abused, and then attempts to exploit those weaknesses to prove real impact. The output is not a raw list of alerts. It is a set of verified findings, each demonstrated with proof of exploitation, scored for severity, and paired with specific remediation guidance. Businesses buy manual penetration tests for two main reasons: to find the flaws that automated scanning cannot detect, and to satisfy the security testing expectations of compliance frameworks such as SOC 2 and ISO 27001.

If you are buying a penetration test for the first time, the market does not make it easy. Prices vary wildly, methodologies hide behind vague marketing language, and some vendors quietly sell rebranded scanner output as if a human ever touched your application. This guide covers what a real manual penetration test includes, how pricing works, how long an engagement takes, what a good report looks like, and the red flags that should make you walk away.

Why Can Humans Find What Scanners Cannot?

Automated scanning is genuinely useful. It catches known CVEs, missing security headers, weak TLS configurations, and exposed services at a speed no human can match. This is not an argument against tools. It is about what tools cannot see.

Three entire classes of vulnerability are essentially invisible to automation:

  • Business logic flaws. A scanner does not know that applying the same discount code twice should be impossible, or that skipping a step in your checkout flow bypasses payment. These flaws return perfectly valid HTTP responses, so there is no signature to match. Finding them takes a human who understands what the application is supposed to do.
  • Chained exploits. Real attackers rarely walk in through a single critical vulnerability. They chain smaller issues: a verbose error message here, a predictable identifier there, a permissive CORS policy somewhere else. Each looks minor on its own. Combined, they become an account takeover.
  • Authentication and authorization abuse. Can a regular user read another customer's invoices by changing an ID in a URL? Can an unprivileged account call an admin endpoint directly? Scanners miss broken access control because the server responds as if everything is fine. A tester answers these questions by actually trying.

We wrote a full comparison in automated scanning vs manual penetration testing. The short version: automation gives you breadth and frequency, humans give you depth and proof. A mature program uses both.

What Does a Penetration Test Include?

A penetration test is not one product. Scope determines everything, so the first decision is what kind of engagement you actually need:

  • Web application testing. Authentication, session management, access control, injection, file handling, and the business logic unique to your product. If your revenue flows through a web app, start here. Our companion pillar on web application security testing covers this discipline in depth.
  • API testing. APIs power mobile apps, partner integrations, and single-page frontends, and they often skip the protections the web layer enforces. Testing focuses on broken object-level authorization, mass assignment, rate limiting, and undocumented endpoints.
  • Network testing. External tests attack your internet-facing infrastructure: VPNs, mail servers, exposed services, and cloud entry points. Internal tests assume an attacker already has a foothold and measure how far they can move.
  • Mobile application testing. iOS and Android apps get reviewed for insecure local storage, weak transport security, and flaws in the backend APIs the app talks to.
Engagement typeWhat it coversTypical focus
Web applicationAuthentication, session management, access control, injection, file handling, and the business logic unique to your productProducts whose revenue flows through a web app
APIAPIs behind mobile apps, partner integrations, and single-page frontendsBroken object-level authorization, mass assignment, rate limiting, undocumented endpoints
NetworkExternal: internet-facing infrastructure such as VPNs, mail servers, exposed services, and cloud entry points. Internal: an attacker who already has a footholdHow far an attacker can get in, or move once inside
Mobile applicationiOS and Android apps and the backend APIs the app talks toInsecure local storage, weak transport security, backend API flaws

Many engagements combine two or more of these: a typical SaaS scope pairs the web application with its APIs, because attackers do not respect that boundary.

What Are the Phases of a Professional Engagement?

A credible penetration test follows a defined process. If a vendor cannot describe theirs, treat that as a warning sign.

1. Scoping and threat modeling, under NDA

Before any testing begins, both sides sign a non-disclosure agreement and agree on scope in writing: which assets are in bounds, which are off limits, and what rules of engagement apply. Good vendors also build a lightweight threat model (what are your crown jewels, who would attack you) and shape the test around the answers instead of a generic checklist.

2. Reconnaissance and active exploitation

The tester maps the attack surface, then goes on the offensive: probing authentication flows, manipulating requests, escalating privileges, and chaining findings together. This is the phase automation cannot replicate, because every step is a judgment call informed by what the tester has already learned.

3. Evidence and proof of exploit

Every claimed vulnerability gets demonstrated, not asserted: screenshots, request and response captures, and reproduction steps showing what was accessed and how. Proof of exploit separates a finding you must act on from a theoretical alert you can argue about.

4. Reporting with remediation guidance

The findings are written up with severity ratings, business impact, and concrete fix instructions. More on that below: the report is the product you are actually paying for.

5. Retest

After your team fixes the findings, the tester verifies each one is actually closed. Some vendors charge extra for this or skip it entirely. Byte Optimizer includes the retest in every engagement, because an unverified fix is just a hope.

What Should a Pentest Report Contain?

The report outlives the engagement. Your engineers work from it, your executives make decisions from it, and your auditors read it. A good one contains:

  • An executive summary written in plain language for non-technical readers: what was tested, what was found, and what to prioritize.
  • Standardized scoring. Each finding should carry a CVSS severity score and a CWE classification for the underlying weakness. This lets you compare findings across vendors, and it is what auditors expect.
  • Proof of exploitation for every finding: reproduction steps, evidence, and the specific data or functionality that was exposed.
  • Line-by-line remediation guidance. Not "sanitize your inputs," but which parameter, in which endpoint, needs what specific change. Your developers should be able to open the report and start fixing without a follow-up meeting.
  • A retest section documenting which findings were verified as fixed and when.

How Much Does a Penetration Test Cost?

Manual penetration testing is priced per engagement, and the price is driven by scope. There is no meaningful flat rate, because a five-page brochure site and a multi-tenant SaaS platform with three user roles are completely different efforts. The main cost drivers:

  • Size of the attack surface: number of applications, endpoints, hosts, and environments in scope.
  • Complexity: user roles, workflows, integrations, and custom business logic all add testing time.
  • Engagement type: combined web, API, and network scopes cost more than a single target.
  • Depth and rigor: a thorough manual engagement with proof of exploit and a retest costs more than a quick assessment, because you are paying for skilled human hours.

Be cautious with prices that seem too good to be true. Deeply discounted "penetration tests" are usually automated scans with a new cover page. A legitimate vendor scopes your environment first and quotes the actual work, not a fixed package priced before asking a single question about your systems.

How Long Does a Penetration Test Take?

Duration follows scope the same way price does. A small, focused engagement against a single application means days of active testing. Larger scopes with multiple applications, APIs, and user roles run for weeks. Add time for scoping before, report writing after, and the retest once your team has remediated.

Two planning notes. Book ahead: good teams schedule in advance, and compliance deadlines arrive fast. And have your side ready: test accounts, environment access, and a technical contact. Access delays are the most common reason engagements slip past their window.

How Do You Choose a Penetration Testing Vendor?

The market has excellent firms and it has vendors selling scan results in a nicer font. Walk away when you see:

  • Scanner output rebranded as a pentest. If the sample report reads like a tool export, with generic descriptions and no evidence of manual exploitation, that is exactly what it is.
  • No retest. A vendor who finds problems but never verifies your fixes is leaving the engagement half finished.
  • Vague methodology. "Proprietary techniques" is not a methodology. Look for testing aligned with recognized frameworks such as the OWASP Testing Guide, plus clear, written rules of engagement.
  • No proof of exploit. Findings without reproduction steps and evidence force your team to re-verify everything, which defeats the purpose.
  • Packages priced before scoping. If they can quote you without asking about your environment, they are not planning to look at it very closely.

On the positive side: ask for a sanitized sample report, ask who will perform the testing, and confirm the retest is included. See how Byte Optimizer structures its own manual penetration testing engagements, and how testing fits alongside our broader security services, as a reference point for evaluating any vendor, including us.

How Does a Pentest Satisfy SOC 2 and ISO 27001 Auditors?

For many buyers, the trigger for a penetration test is an audit. Enterprise customers ask for a SOC 2 report, the auditor asks how you test your controls, and a pentest is the clearest answer.

Under SOC 2, a penetration test is strong evidence for the monitoring and risk mitigation criteria: it shows you proactively identify vulnerabilities and act on them. Under ISO 27001, it supports the technical vulnerability management controls in Annex A. GDPR points the same direction, requiring regular testing of your security measures. In every case, the auditor wants the full cycle: a scoped test by a qualified party, documented findings, remediation, and verification that fixes landed. This is why the retest matters. A report full of open findings with no follow-up raises more audit questions than it answers.

If you are working toward one of these frameworks, pair the technical test with the policy and evidence work they require. Our compliance and policy solutions cover that side, and our guide to SOC 2, ISO 27001, and GDPR compliance explains how the frameworks fit together.

Frequently asked questions

Is an automated scan the same as a penetration test?

No. An automated scan matches signatures against known vulnerability patterns, while a manual penetration test puts a human against your system to find business logic flaws, chained exploits, and broken access control. Deeply discounted penetration tests are usually automated scans with a new cover page: if a sample report reads like a tool export with no evidence of manual exploitation, that is exactly what you are buying.

How much does a manual penetration test cost?

Pricing is per engagement and driven by scope: the size of the attack surface, the complexity of user roles and workflows, the engagement type, and the depth and rigor of the testing. There is no meaningful flat rate. A legitimate vendor scopes your environment first and quotes the actual work, so be cautious with packages priced before anyone asks about your systems.

How long does a penetration test take?

A small, focused engagement against a single application means days of active testing, while larger scopes with multiple applications, APIs, and user roles run for weeks. Add time for scoping beforehand, report writing afterward, and the retest once your team has remediated. Have test accounts and environment access ready, because access delays are the most common reason engagements slip past their window.

Do I need a penetration test for SOC 2?

SOC 2 auditors routinely ask for a recent penetration test report as evidence for the monitoring and risk mitigation criteria. ISO 27001 supports the same through its technical vulnerability management controls in Annex A, and GDPR requires regular testing of security measures. In every case, auditors want the full cycle: a scoped test by a qualified party, documented findings, remediation, and verification that fixes landed.

The Bottom Line

A manual penetration test is an investment in knowing, not assuming, that your defenses hold. Insist on a scoped engagement under NDA, a defined methodology, proof of exploit for every finding, a report your engineers can act on, and a retest that closes the loop. Keep automated scanning running between engagements for continuous coverage, and bring in human testers for the depth machines cannot reach. The attackers probing your systems for free will not cut corners, and neither should the people you pay to beat them to it.

Was this useful?
Loves help us write more like this.

Comments

0 discussions
Be kind. Cite sources. No spam.

No comments yet. Be the first to share your thoughts.