← Back to Blog
Business10 min read

How to Price Security Services in 2026

Pricing is one of the hardest parts of running a security consultancy. Charge too little and you burn out on thin margins. Charge too much without justification and you lose deals. This guide covers the most common pricing models for penetration testing, vulnerability assessments, compliance audits, and incident response retainers. It includes current market rates in the UK and US, how to estimate effort for different engagement types, and how to avoid the mistakes that cost consultancies money.

Common Pricing Models

There is no single correct way to price security services. Most consultancies use one or a combination of these models depending on the client, scope, service type, and relationship stage. These apply equally to pentests, vulnerability assessments, compliance audits, and incident response work.

Day Rate

The most common model in the UK and across Europe. You estimate the number of testing days, multiply by your day rate, and add reporting time. This is transparent, easy to scope, and clients understand what they are paying for. The downside is that it caps your earnings per engagement since you are trading time for money.

Project-Based (Fixed Price)

You quote a flat fee for the entire engagement regardless of how long it takes. This works well when you have experience estimating similar scopes accurately. The risk is yours: if the engagement takes longer than expected, your effective day rate drops. The upside is that efficient testers earn more per day than their quoted rate.

Retainer

The client pays a monthly or quarterly fee for a set number of testing days or hours. This provides predictable revenue and builds long-term relationships. Retainers work best with clients who need ongoing testing for new features, quarterly vulnerability assessments, compliance audit preparation, incident response readiness, or continuous security assurance. Price retainer days at a 10 to 15 percent discount compared to ad-hoc rates to incentivise commitment.

Bug Bounty / Results-Based

You only get paid for validated findings. This model is common on bug bounty platforms but rarely used for formal engagements. The risk is entirely on you: if the application is well-secured, you may spend days testing and earn nothing. Most consultancies avoid this model for client work unless combined with a minimum base fee.

UK Market Rates (2026)

Day rates in the UK vary significantly based on experience, specialisation, service type, and whether you work independently or through a consultancy. These are typical ranges for direct client engagements across security services.

Junior Tester

1 to 3 years experience

£800 – £1,000/day
Mid-Level Tester

3 to 6 years experience

£1,000 – £1,200/day
Senior Tester

6+ years, CREST/OSCP/OSCE

£1,200 – £1,500/day
Specialist / Red Team Lead

Niche expertise, CBEST, STAR

£1,500 – £2,000+/day
Note: These are direct-to-client rates. If you subcontract through a larger consultancy, expect 30 to 50 percent less as the consultancy takes a margin.

US Market Rates (2026)

The US market generally commands higher rates due to larger enterprise budgets and compliance-driven demand. These figures are for independent consultants and boutique firms billing clients directly.

Junior Tester

1 to 3 years experience

$1,200 – $1,600/day
Mid-Level Tester

3 to 6 years experience

$1,600 – $2,000/day
Senior Tester

6+ years, OSCP/GPEN/GXPN

$2,000 – $2,500/day
Specialist / Red Team Lead

Niche expertise, CBEST equivalent

$2,500 – $3,500+/day

Factors That Affect Pricing

Your rate should not be a fixed number you apply to every engagement. Several factors should influence what you charge for a specific project.

Scope & Complexity

A single web application with basic CRUD is simpler than a microservices architecture with APIs, authentication flows, and role-based access control. More complex targets take longer and require deeper expertise.

Compliance Requirements

Engagements requiring PCI DSS, SOC 2, ISO 27001, or CREST-accredited testing command premium rates. Compliance work involves additional documentation, specific methodologies, and sometimes auditor liaison.

Urgency & Timeline

A client who needs testing completed within a week should expect to pay a 25 to 50 percent rush premium. Urgent engagements disrupt your schedule and limit your ability to take other work.

Client Size & Budget

A startup with a single application has different expectations and budgets than a financial services firm with regulatory obligations. Price according to the value you deliver, not just the time you spend.

Retesting Included

Some clients expect a free retest after remediation. Factor this into your quote upfront. A common approach is to include one retest of critical and high findings within 30 days, with additional retesting billed at your standard rate.

Reporting Depth

A basic findings list takes less time than a full report with executive summary, CVSS scoring, remediation roadmap, and branded PDF output. Be clear about what level of reporting is included.

Estimating Effort by Engagement Type

These are general guidelines for estimating effort across different security service types. Actual duration depends on scope, complexity, and methodology. Always include reporting time in your estimates as a separate line item.

Web Application Pentest

Standard authenticated web app

5 – 10 days
API Pentest

REST or GraphQL API, 20-50 endpoints

4 – 8 days
External Network Pentest

Perimeter scan, 10-50 IPs

3 – 7 days
Internal Network Pentest

Active Directory, lateral movement

5 – 10 days
Mobile Application Pentest

iOS or Android, with API backend

5 – 10 days
Red Team Engagement

Full adversary simulation

10 – 20+ days
Vulnerability Assessment

Scan, validate, and report

2 – 5 days
Compliance Gap Analysis

ISO 27001, SOC 2, PCI DSS

5 – 15 days
Incident Response Engagement

Active incident or tabletop exercise

3 – 15+ days
Social Engineering Assessment

Phishing, vishing, physical

3 – 10 days
Tip: Always add 1 to 2 days for report writing. Many testers underestimate reporting time, which erodes margins on fixed-price engagements.

Writing Proposals That Justify Your Rates

A strong proposal does more than list a price. It explains the value the client receives and demonstrates that you understand their specific risks and requirements, whether the engagement is a pentest, a compliance audit, or an incident response retainer.

  • Lead with their problem, not your services. Start by summarising the client's goals: compliance requirement, upcoming launch, recent incident. Show you understand why they need testing.
  • Define the scope precisely. List every target, URL, IP range, and user role. Ambiguous scope leads to disputes. Be explicit about what is included and what is not.
  • Break down the effort. Show the estimated days for testing and reporting separately. Clients appreciate transparency and are less likely to negotiate when they see a clear breakdown.
  • Describe your methodology. Reference OWASP, PTES, or CREST methodology. This demonstrates professionalism and reassures compliance-conscious buyers.
  • Include deliverables. Specify what the client receives: technical report, executive summary, remediation call, retest window. Tangible deliverables justify higher rates.
  • Add a timeline. Show when testing starts, when the draft report is delivered, and when the final report is ready. Clients plan around these dates.

When to Increase Your Rates

Many security consultants stay at the same rate for years out of fear of losing clients. Here are clear signals that it is time to raise your prices.

  • You are fully booked 2+ months ahead. If clients are queuing to work with you, demand exceeds supply. Raise your rate by 10 to 20 percent.
  • You gained a new certification. CREST, OSCP, OSCE, GXPN, and similar certifications demonstrably increase your market value.
  • You developed a specialisation. Cloud security, OT/ICS, automotive, healthcare testing, or incident response forensics commands premium rates because fewer consultants operate in these niches.
  • Your close rate is above 80 percent. If almost every prospect becomes a client, you are probably underpriced. A healthy close rate is 50 to 70 percent.
  • You have not raised rates in 12+ months. Inflation, increased experience, and market growth all justify annual rate adjustments.

From the buyer's perspective, pricing is just one factor when evaluating providers. See our guide to choosing a security assessment provider for the full checklist.

Common Pricing Mistakes

These mistakes are surprisingly common, even among experienced security consultants and consultancy owners.

Undercharging to Win Work

Racing to the bottom on price attracts clients who do not value your work. These clients are more likely to dispute findings, delay payments, and churn. Compete on quality, methodology, and deliverables instead of price.

Not Billing for Reporting Time

Report writing typically takes 20 to 30 percent of the total engagement time. If you quote 5 days of testing but spend 2 more days writing the report for free, your effective day rate drops by nearly 30 percent. Always include reporting as a line item.

Scope Creep Without Change Orders

The client asks you to test "just one more endpoint" or adds an extra application mid-engagement. Without a formal change order process, you absorb the extra work for free. Define scope boundaries in the proposal and include a clause for additional work at your standard rate.

Ignoring Follow-Up Revenue

Retests, quarterly vulnerability assessments, compliance audit renewals, and IR retainers are recurring revenue streams. Many consultants treat each engagement as a one-off transaction. Build retesting, follow-up assessments, and retainer packages into your proposals to create predictable income.

Late or Unclear Invoicing

Sending invoices weeks after the engagement ends, or using inconsistent formats, creates friction and delays payment. Invoice promptly when the report is delivered, use clear line items, and set explicit payment terms (Net 14 or Net 30).

Managing Invoices & Payments

Professional invoicing is not just an administrative task. It directly impacts your cash flow and how clients perceive your consultancy. Late payments are one of the biggest frustrations for independent pentesters and small firms.

  • Invoice on delivery. Send the invoice when you deliver the final report, not weeks later. The value of your work is freshest in the client's mind at delivery.
  • Use clear payment terms. State "Net 14" or "Net 30" explicitly. For new clients, consider requesting 50 percent upfront before testing begins.
  • Itemise your invoices. Break down testing days, reporting, and any additional services. This prevents disputes and makes it easier for procurement teams to approve.
  • Automate where possible. Use a platform that lets you generate, send, and track invoices alongside your engagements, so nothing falls through the cracks.

Pricing Calculator: Quick Reference

Use this formula as a starting point for quoting fixed-price engagements.

Total Quote = (Testing Days + Reporting Days) x Day Rate x Complexity Multiplier

Testing Days: Based on scope and engagement type (see effort estimates above)

Reporting Days: Typically 1 to 2 days for standard engagements, 2 to 3 for complex ones

Complexity Multiplier: 1.0x for standard, 1.25x for compliance-driven, 1.5x for urgent or niche

Example: A web application pentest with 7 testing days + 2 reporting days at £1,200/day with a compliance requirement (1.25x) = 9 x £1,200 x 1.25 = £13,500.

Key Takeaways

  • Choose a pricing model that matches your client base, service mix, and risk tolerance. Day rates are safest for new consultancies.
  • Know your market. UK senior security consultants typically bill £1,200 to £1,500 per day. US equivalents bill $2,000 to $2,500.
  • Always include reporting time in your quotes. It is real work that deserves real compensation.
  • Raise your rates when demand consistently exceeds your capacity or when you gain new certifications.
  • Avoid scope creep by defining boundaries clearly in proposals and using change orders for additional work.
  • Invoice promptly, use clear terms, and automate your billing process to maintain healthy cash flow.

Manage engagements, invoicing, and client delivery in one platform

SecPortal helps security consultancies scope engagements, generate invoices, deliver reports through branded client portals, and track payments across pentests, vulnerability assessments, compliance audits, and more. Stop juggling spreadsheets and start running your consultancy professionally.

Get Started Free