Penetration testing (often shortened to “pentesting”) helps companies find and fix security vulnerabilities by having ethical hackers launch planned, authorized attacks. Part of the ongoing work can also be automated, since modern tools allow for continuous, around-the-clock vulnerability scanning. In this guide, we dive deep into the features, pros, and cons of the top six penetration testing companies to help you decide which one is the right choice for your business and budget.
Besides pricing, there are many other factors that you should consider when choosing the best penetration testing company for your needs. Here are some of the most important criteria to investigate:
Company | Starting price | Pentest capacity | Scan behind logins | Compliance | Expert remediation |
---|---|---|---|---|---|
Astra Security | $1,999 per year | Web and mobile applications, cloud infrastructure, API, and networks | Yes | PCI-DSS, HIPAA, SOC2, ISO 27001 | Yes |
Intruder | $157 per month billed annually | Websites, servers, and cloud | Yes | PCI-DSS, HIPAA, SOC2, ISO 27001 | No |
Cobalt | Contact for quote | Web and mobile applications, APIs, networks, and cloud | No | SOC2, PCI-DSS, HIPAA, ISO 27001, CREST, NIST | Yes |
Acunetix | Contact for quote | Web applications | Yes | OWASP, ISO 27001, PCI-DSS, HIPAA | Yes |
Invicti | Contact for quote | Web applications and APIs | Yes | OWASP, ISO 27001, PCI-DSS, HIPAA | Yes |
BreachLock | $2,000 for a one-time test | Web applications, cloud, and networks | Yes | SOC 2, PCI DSS, HIPAA, ISO 27001, NIST, CREST, GDPR | Yes |
Astra Security provides a range of pentesting options to suit a wide variety of needs, including web applications, mobile applications, cloud security infrastructure, APIs, and networks. It also offers a vulnerability scanner that provides more than 8,000 tests and can even scan behind logged-in pages. Smaller companies can purchase scanners and pentests à la carte according to the transparent pricing plans, while larger companies can opt for the bundled enterprise plan or request a custom quote for the exact services they need.
SEE: What Is Cloud Penetration Testing & Why Is it Important? (TechRepublic)
I chose Astra Security because it offers one of the largest pentest capacities of all the penetration testing companies I considered. This wide variety of offerings means both small businesses and large companies will likely be able to find an Astra pentest option to suit their needs, whether they’re a startup that only needs one target to be tested or a large business with a diverse infrastructure to protect.
In addition to its continuous pentesting services, Intruder also harnesses the power of automation to offer both external and internal vulnerability scanning for around-the-clock coverage. This approach helps clients find and fix critical vulnerabilities, even if it’s not yet time for the next scheduled pentest. If you need vulnerability scanning in addition to pentesting, then you can get it all from the same company with Intruder.
I selected Intruder because of its internal and external vulnerability scanning tools, which are relatively affordable. Do note that you’ll need the Premium plan if you want to add on the continuous penetration testing tool. I also appreciated that Intruder offers a 14-day free trial as well as integrations with popular tools like Slack and GitHub.
Cobalt takes a Pentest-as-a-Service approach, providing on-demand penetration testing to companies as needed. Depending on which plan you opt for and the type of testing engagement, Cobalt can sometimes start pentesting in as little as 1-3 business days. Its flexible, credits-based model allows each company to distribute the work based on its business priorities or asset complexities (credits are purchased in yearly packages).
I chose Cobalt because of its fast response times and flexible pricing model. This unique model helps businesses save time and money, which is always a positive since penetration testing can be lengthy and costly. If you need on-demand pentesting fast, this is definitely a penetration testing company worth checking out.
Cobalt offers three pricing tiers — Standard, Premium, and Enterprise — but doesn’t disclose how much each one costs or how many credits they get. For pricing details, contact the sales team for a quote.
Acunetix is a web application security product owned by Invicti that is geared towards small businesses that don’t need the bells and whistles of enterprise-grade pentesting. Acunetix is meant for web applications, so it can’t be used to test other infrastructure like networks and APIs. Acunetix’s vulnerability scanner can detect 7,000+ web vulnerabilities and combines both DAST and IAST scan results for extremely thorough reporting.
I chose Acunetix because its automated pentesting will help small businesses save time while searching for thousands of potential vulnerabilities. I also liked that it provides unlimited users and unlimited scans as opposed to charging for each seat or scan, which will help to save smaller companies money and hassle.
Acunetix does not disclose pricing, so you’ll need to contact the sales team for a quote.
Invicti (formerly Netsparker) is similar to Acunetix, but it’s designed for large companies and enterprises as opposed to small businesses. Invicti’s proof-based scanner harnesses the power of automation to quickly identify vulnerabilities and deliver actionable data. Invicti’s automation and scalability allow enterprise cybersecurity teams to secure hundreds or even thousands of sites at once.
I picked Invicti because its automated vulnerability scanner is specifically designed with the needs and scope of large companies in mind. I also like that it offers a healthy selection of integrations, connecting to many popular developer and communication tools.
Invicti does not disclose pricing — contact the sales team for a quote.
BreachLock provides three different pentesting frequencies to choose from, so you can select the one that works for your business: one-time security validation, annual security validation, or continuous security validation. All three types of tests are run in-house by BreachLock’s pentesting team and come with unlimited online remediation support as well as audit-ready reports.
I selected BreachLock because of the many different pentesting options it provides, which makes it one of the most flexible penetration testing companies out there. I also appreciate that its pricing is transparent and clearly lays out what level of service you will get with each of the different pentesting packages.
To select the best penetration testing company for your needs, you first need to decide what kind of support you are looking for. Do you want automated scanning, manual testing, or both? Next, make a list of all the targets, applications, and asset types that you need tested. Also consider the frequency of pentesting that you want: Do you only need a one-off test or around-the-clock surveying for your entire infrastructure?
SEE: How to Run a Cybersecurity Risk Assessment in 5 Steps (TechRepublic Premium)
Once you’ve got a clear idea of these parameters, reach out to your top choices to begin gathering pricing quotes. Many pentesting companies use a quote-only pricing model because each pentesting engagement is unique. Each sales team has an in-depth conversation with you about your needs and budget and creates a quote based on what you tell them. You might also be able to access a free trial or demo of a vulnerability scanner, depending on the pentesting company.
Once you’ve vetted all your top choices and received your pricing quotes, it’s time to make your final selection of the best penetration testing company for your business. If you’re on the fence, you may be able to first engage the company for a limited-time, scope-limited project so you can see how they work in action without committing to an annual contract right out of the gate.
To select the best penetration testing companies, I consulted service documentation and customer reviews. During the writing of this review, I considered features such as pentest capacity, compliance standards, and expert remediation. I also weighed additional factors such as pricing, customer service, and turnaround time.