Penetration Test Configurator

Pentest Configurator & Quote Generator

Secure, transparent and fast: Your pentest at a fixed price

Answer some questions about your planned pentest project, select additional services and receive your personal quote immediately.

Immediate cost estimate • Customized • No obligations

Customized
Configuration
Interactive
Tool
Free
Quote
Go to Planner
Quick Navigation
Start Configurator Benefits FAQ
Penetration Testing
Configurator
Tool
Secure
Verified
{{ index + 1 }}
{{ step.title }}
{{ step.description }}
{{ index + 1 }}
{{ step.title }}
{{ step.description }}
{{ index + 1 }}
{{ step.title }}
{{ step.description }}

How would you like to proceed?

Ready-made packages
Quick and easy - preconfigured solutions for common requirements
Customized configuration
Tailor-made - detailed adaptation to special requirements

Select your package

{{ package.badge }}
{{ package.name }}

{{ package.description }}

{{ formatPrice(package.price) }}
{{ package.priceNote }}
  • {{ feature }}
{{ package.timeframe }}

What service do you need?

{{ service.name }}

{{ service.description }}

You have already configured {{ cartItems.length }} service(s)

{{ currentPackage.name }} - Why do you need this pentest?

Your selected package:
  • {{ feature }}
{{ packageFitWarning }}
Why is the pentest important right now?

Pick every statement that resonates with your current situation.

Project notes (optional)

{{ currentConfiguration.service.name }} configuration

Additional services for {{ currentPackage.name }}

Package price: {{ formatPrice(currentPackage.price) }}
Price with selection: {{ formatPrice(getCurrentPackageTotalPrice()) }}
There are currently no additional services available for this package.

Additional services

Request a quote

Your configuration:
{{ item.name || item.service?.name }}
{{ formatPrice(item.price) }}
{{ item.description }}
Reasons selected: {{ formatPackagePriorities(item.packageConfig ? item.packageConfig.priorities : []) }}
{{ item.packageWarning || 'Compliance-driven projects usually need at least the Standard package. Our team will follow up.' }}
Details {{ expandedConfigs.includes(index) ? 'hide' : 'show' }}
{{ key }}: {{ value }}
Contact details

Thank you for your inquiry!

Your request has been successfully submitted. You will shortly receive a detailed offer by e-mail to {{ customerData.email }}.

Price overview
{{ item.name || item.service?.name }} #{{ index + 1 }}
Price: {{ formatPrice(item.price) }}
Additional services
Price: {{ formatPrice(getAdditionalServicesPrice()) }}
Savings
Saved: {{ formatPrice(getTotalSavings()) }}

No services configured yet

Current configuration:
{{ currentConfiguration.service.name }}
Estimated price: {{ formatPrice(currentConfiguration.price) }}
Package selected:
{{ currentPackage.name }}
Price: {{ formatPrice(currentPackage.price) }}
Total price: {{ formatPrice(getTotalPrice()) }}
plus VAT.
Price guarantee: The price shown is a reliable calculation. The final offer will usually confirm this price.

FAQ

How is it ensured that the pentest is conducted professionally and methodically sound?

Our penetration tests follow established standards such as the OWASP Testing Guidelines, ASVS (Application Security Verification Standard) as well as PTES (Penetration Testing Execution Standard). This ensures that both technical vulnerabilities and typical attack vectors (e.g. authentication, access control, API abuse) are covered. Additionally, we rely on manual testing by experienced security experts - not pure scanner reports.

Why is the test so configurable in detail? Doesn't this become too complex?

We offer these configuration options because every web application is unique. Through parameterization, we can assess the effort and risk landscape more precisely - and you only pay for what actually needs to be tested. For customers who don't know all the details, we also offer consulting for configuration as well as pre-configured "typical scenarios" (e.g. SaaS, e-commerce, internal business application).

Why is the re-test not always included?

In many cases, simple fixes are sufficient - in other cases, a complete re-test is necessary. Therefore, we offer the re-test as optional quality assurance - we explicitly recommend it especially for security-critical applications.

Can I skip the PDF report? What do I get then?

Yes, you can consciously skip a formatted PDF report if you have, for example, an internal security team or prefer technical exports. In this case, we deliver the results in structured format (Excel / Markdown / JSON) - functionally equivalent, but without visual formatting. Important: The management summary is independent of this and can be booked separately.

How do the three package options differ?

Mini-Pentest: Focus on critical vulnerabilities, 1 business day, compact email report
Standard-Pentest: Comprehensive OWASP Top10 review, 5 business days, detailed PDF report with results discussion
Extended Pentest: Full-scope testing including external attack surface, 9 business days, management summary

What does "OWASP Top10" mean?

The OWASP Top10 is a list of the ten most common and critical security risks for web applications, updated annually by the Open Web Application Security Project (OWASP). It serves as an international standard for web security testing.

What is CVSS scoring?

The Common Vulnerability Scoring System (CVSS) is an international standard for rating the severity of security vulnerabilities. Values above 7.0 are considered critical and require immediate attention.

Can I combine multiple services?

Yes, you can add any number of services to your cart. For example, you can simultaneously commission a web application, an API, and a phishing test.

Why does a CMS-based system cost less than a custom development?

CMS systems like WordPress or Drupal have known structures and common vulnerabilities, making the test more efficient. Custom developments require more analysis and individual testing approaches.

What is a test/staging environment and why is it important?

A test environment is a copy of your production application where testing can be performed safely. Tests on production systems are riskier and require more caution, leading to higher costs.

What does "external attack surface" mean?

These are all systems of your company accessible from outside (Internet): websites, email servers, VPN access, etc. An analysis helps identify forgotten or unknown systems.

What is a "retest"?

After fixing identified vulnerabilities, we verify that the fixes have been correctly implemented and no new problems have emerged. This also includes tests for bypass possibilities.

What is "Argos EASM"?

External Attack Surface Monitoring (EASM) continuously monitors your external attack surface and notifies you of new systems or vulnerabilities. Argos is our proprietary tool for this.

When do I need a management summary?

A management summary summarizes technical findings in understandable language for executives and shows business risks as well as recommended actions.

Are the displayed prices fixed prices?

Yes, all displayed prices are fixed prices including all services. Additional costs only occur if you commission additional services or the test object differs significantly from your specifications.

Why are some features charged extra?

Certain features significantly increase the testing effort.

What happens if my application is more complex than expected?

With fixed prices, we take on the risk. Should unforeseen complexities occur, we discuss possible adjustments with you before additional costs arise. This usually happens before the pentest starts.

How does a pentest work?

1. Preliminary discussion: Clarification of details and access
2. Test execution: Analysis and tests according to defined methods
3. Report creation: Documentation of all findings
4. Results discussion: Explanation of findings and recommendations
5. Optional: Retest after implementation of fixes

Do you need access credentials?

Yes, for authenticated tests we need valid access credentials for various user roles. These are handled securely and deleted after the test.

Can you also test outside business hours?

Yes, this is possible and often sensible to avoid disrupting ongoing operations. We arrange this individually.

Does a pentest help with ISO 27001 or other standards?

Yes, regular penetration tests are required or recommended in many standards like ISO 27001, PCI DSS, or GDPR. Our reports can serve as evidence.

Will I receive a certificate or confirmation?

You receive a detailed test report. With the extended pentest, a confirmation letter for customers/suppliers is additionally included.

Is a pentest legally required?

Not directly, but GDPR and other laws require "appropriate technical measures". Penetration tests are considered best practice for demonstrating due diligence.

Do you offer support with remediation?

We explain all findings thoroughly and provide concrete recommendations for action. The implementation is usually handled by your internal teams or service providers.

How current are your testing methods?

Our methods are continuously adapted to new threats. We use current tools and techniques according to international standards.

What if the effort turns out to be less than expected?

Our prices are maximum prices - if it turns out that the pentest will be finished faster, you naturally pay a lower price.