UK penetration testing is quoted in tester-days, not by project. Rates in 2026 sit between £900 and £1,600 per day depending on the type of test, tester seniority and whether CREST accreditation is required. This guide breaks it down by scope.
Typical UK scopes and day counts
The right scope is the difference between a useful test and a compliance tick-box.
External infrastructure: 2-4 days per /24
Web application (small): 4-6 days per app
Web application (complex, authenticated, multi-role): 8-15 days
Cloud (AWS / Azure / GCP configuration review): 5-8 days
Internal network: 5-10 days depending on segmentation
Mobile app (iOS or Android): 6-10 days
CREST vs non-CREST
CREST-accredited firms cost 20-40% more but are usually required for CBEST, GBEST, financial services, and government supply chains. For most SaaS and B2B software, a well-scoped test from a qualified independent team is what your enterprise customers actually want to see in the report.
What drives cost up (and how to control it)
Poorly written scope, no pre-test environment, missing test accounts, and out-of-hours retesting all inflate day counts. A one-hour scoping call with a technical lead before the SoW usually saves 20-30% on the final invoice.
Frequently asked questions
How often should a UK company get a penetration test?
At minimum annually, and after any significant change to public-facing systems. Enterprise customers, ISO 27001, PCI DSS and SOC 2 all effectively require yearly external testing.
Do I need CREST for my pen test?
Required for CBEST, GBEST, some MoD and central government contracts. Not required for most private-sector procurement — a detailed methodology, named senior tester and a strong report matter more.
Get a fixed-price UK pen test quote
Talk to the GoaTech team. We'll map your current position and show what a tailored UK-focused programme looks like.