TL;DR For many mid-market companies up to 500 employees, penetration tests are still a black box: unclear when they make sense, what they cost, and what to look for in vendor selection. Methodology explained plainly, realistic price ranges, and a selection framework for management and CIO.

When a pentest makes sense

Three triggers almost always justify a pentest:

  1. Regulatory trigger. NIS 2 (Article 21(2)), ISO 27001 Annex A 8.8 (management of technical vulnerabilities), DORA (Threat-Led Penetration Testing, Article 26), B3S for hospitals, TISAX for automotive. Anyone in one of these regimes cannot avoid regular tests.
  2. Specific security event. After an incident or near miss: targeted pentest on the affected systems, plus a scan of the surrounding environment for comparable attack paths.
  3. Significant architecture change. New web application, cloud migration, merger, new ERP. Before production launch, test what the architecture actually withstands.

A "pentest for insurance reasons" without a clear scope is mostly wasted money. A pentest with a clear trigger and a well-defined scope delivers concrete, actionable findings.

The three methodology categories

Black Box. Tester has no prior information, only the public attack surface. Simulates an external attacker.

  • Strength: realistic, covers what a real attacker would see
  • Weakness: time-intensive reconnaissance phase, less depth in limited time
  • Typical use: external perimeter, web applications

Grey Box. Tester gets partial information (architecture diagram, test user account, limited documentation). Balance of realism and efficiency.

  • Strength: best cost-benefit ratio for most mid-market companies
  • Weakness: less realistic than Black Box
  • Typical use: authenticated web applications, internal networks

White Box. Full transparency: source code, full architecture, admin access. Focus on depth.

  • Strength: highest finding rate, uncovers hidden vulnerabilities
  • Weakness: least realistic, highest cost
  • Typical use: critical in-house development, regulatory mandatory tests

For most mid-market companies, Grey Box on the most important 2-3 applications is the pragmatic entry point.

Methodology: what a good pentest contains

A complete pentest follows five phases:

  1. Reconnaissance. Footprinting, asset inventory, gathering public information
  2. Analysis. Vulnerability scan, architecture review, identification of potential attack paths
  3. Controlled exploitation. Exploit attempts under documented conditions, without causing damage
  4. Path assessment. How critical is each finding? What privilege escalation is possible? Which business processes would be affected?
  5. Documented findings. Audit-ready report with risk classification (CVSS or an in-house scheme), reproduction instructions per finding, concrete recommendations for remediation

Beware vendors advertising "1-day pentest, done". A serious pentest on a mid-sized web application takes 5-15 net tester-days, depending on scope.

Realistic price ranges

In the German market we see the following ranges (as of 2026, excluding VAT):

Scope                                              Day rate           Effort        Total budget
External perimeter scan, small org                 1,200-1,800 EUR    3-5 days      4,000-9,000 EUR
Web application, Grey Box, medium scope            1,400-2,000 EUR    5-10 days     7,000-20,000 EUR
Internal network, Grey Box                         1,400-2,000 EUR    8-15 days     12,000-30,000 EUR
Cloud environment (AWS/Azure), Grey Box            1,600-2,400 EUR    8-15 days     13,000-36,000 EUR
White-Box pentest with source-code review          1,800-2,800 EUR    10-20 days    18,000-56,000 EUR
Red Team engagement (multi-week, goal-oriented)    1,800-3,000 EUR    15-40 days    27,000-120,000 EUR

Flat-rate offers under 4,000 EUR labelled "pentest" are usually just automated vulnerability scans. They have their place but are no substitute for a manual pentest.

Vendor selection criteria

  1. Tester certifications. OSCP, OSWE, CRTO, GPEN, GXPN. At least OSCP is industry standard.
  2. Methodology frameworks. OWASP Testing Guide, NIST SP 800-115, PTES (Penetration Testing Execution Standard), MITRE ATT&CK. Vendors without reference to established frameworks are a warning sign.
  3. Sample report. Before signing, request an anonymised sample report. How deep is the analysis? Are findings traceable? Are reproduction instructions concrete?
  4. Re-test included. Serious vendors offer a re-test after remediation to verify that fixes hold. Often part of the flat rate or at a discounted day rate.
  5. Data protection and confidentiality. Data-processing agreement, NDA, secure report transmission. For sensitive data: where are test artifacts stored?
  6. Locally reachable. Vendors based in Germany are an advantage for sensitive tests: on-site meetings, a clear legal regime, no third-country jurisdiction risk for report storage.

What should happen after the pentest

A pentest without remediation is useless. We recommend:

  1. Prioritise findings (risk × effort)
  2. Action plan with clear owners and deadlines
  3. Re-test after critical findings are remediated
  4. Lessons learned woven into the security architecture, not just the specific findings fixed
  5. Repeat every 12-24 months, or trigger-based on major architecture changes

How GermanAI Defense supports

We offer pentests for web applications, cloud environments, internal networks and critical in-house developments. Methodology per OWASP and PTES, OSCP-certified testers or higher, audit-ready reporting standard. Plus RedMind, our AI-orchestrated security validation that closes the gap between annual pentests and a threat landscape that changes continuously.

→ More on RedMind and Penetration Testing: germanaidefense.com/redmind