Penetration testing ("pentesting") is a controlled security assessment where ethical testers simulate real attacks to find vulnerabilities before criminals do. This article explains typical pricing, a standard end-to-end process, and what Finnish companies should expect when buying a professional test in 2026.
What penetration testing is (and isn't)
Penetration testing
- Manual, expert-led testing that attempts to exploit real weaknesses safely.
- Produces actionable findings: proof, impact, and exact fixes.
Not the same as vulnerability scanning
Automated scanners are useful for breadth, but they miss business-logic and authorisation flaws, generate false positives, and don't prove real impact. A high-quality pentest combines automation with manual verification and exploitation, so every reported finding has been confirmed by a person.
For web apps and APIs, many teams scope coverage using OWASP's Web Security Testing Guide (WSTG).
Typical pricing in Finland (2026)
Pricing varies by scope, but most professional pentests are priced by tester-days.
Common market ranges (EU/Western market)
- Day rate (manual testing): often around €1,200–€1,800/day
- Per engagement: commonly a few thousand up to €50k+ depending on scope
Practical examples (ballpark)
- Small web app / API (single app, limited roles): ~2–5 tester-days → ~€2.5k–€9k
- Typical web app (auth, roles, payments/integrations): ~5–10 tester-days → ~€6k–€18k
- Large scope (multiple apps/APIs, complex auth, cloud): 10+ tester-days → €15k–€40k+
What drives cost up
- Many user roles / permission models
- Complex integrations (payments, identity, data warehouses)
- Multiple environments (dev/stage/prod), many domains/APIs
- Tight deadlines / out-of-hours windows
- Compliance expectations and formal reporting requirements
The standard process (what good looks like)
Step 1: Scoping call (30–60 min)
You'll define assets in scope, test type (black/grey/white box), environment (staging vs production), success criteria and reporting format.
Step 2: Rules of Engagement (RoE) + permission
A professional provider will require written authorisation, named contact persons plus an escalation path, rate limits and "do not touch" areas, and data handling requirements for anything the testers extract. This matters in Finland because accessing a system without authorisation is a criminal offence: the written authorisation is what makes the test lawful.
Step 3: Test preparation (you provide these)
- Test accounts for each role (admin/user/etc.), so access control can be tested across roles rather than only within one
- Tester source IPs to allowlist in WAF / rate limiting (if needed)
- Architecture notes (optional but speeds results)
- Logging enabled and retained (so the tester's actions can be told apart from real attacks and any issue traced safely)
Step 4: Execution (usually 3–10 business days)
A typical web/app pentest includes recon + mapping, auth/session testing, input validation (injection, SSRF), access control / privilege escalation, business-logic abuse, and safe exploitation to prove impact.
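Why Step 3 asks for an account per role and what "access control / privilege escalation" testing in Step 4 actually looks like, as an added example that is not code from the original article: a small Python simulation of an API with a vulnerable orders endpoint (it trusts the object id in the URL and never checks ownership) next to a hardened version, plus the role-by-object matrix check a tester runs against both. All accounts, tokens, order ids and totals are constructed sample data; the handler names and return shape are assumptions for the illustration, not a real framework's API.

```python
"""Access-control matrix check of the kind run in the execution phase.

Added example, not code from the original article. It simulates a tiny
API with two handlers: a vulnerable "orders" endpoint that trusts the
object id in the URL (broken object-level authorisation, often called IDOR)
and a hardened version that checks ownership and role. A harness then acts
as each role from the test-account list, requests every object, and records
which cross-user reads succeed. Accounts, tokens and records are constructed.
"""

# Constructed test accounts, one per role, as a client would provide in Step 3.
TEST_ACCOUNTS = {
    "alice": {"role": "user", "token": "tok-alice"},
    "bob": {"role": "user", "token": "tok-bob"},
    "carol": {"role": "admin", "token": "tok-carol"},
}

# Constructed sample records; each order belongs to exactly one user.
ORDERS = {
    1001: {"owner": "alice", "total": 49.90},
    1002: {"owner": "bob", "total": 120.00},
}


def _authenticate(token):
    """Map a bearer token to (username, role); None if the token is unknown."""
    for user, acct in TEST_ACCOUNTS.items():
        if acct["token"] == token:
            return user, acct["role"]
    return None


def get_order_vulnerable(token, order_id):
    """Authenticates the caller but never checks who owns the order."""
    if _authenticate(token) is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order  # any logged-in user can read any order


def get_order_hardened(token, order_id):
    """Enforces ownership: users see only their own orders, admins see all."""
    who = _authenticate(token)
    if who is None:
        return 401, None
    user, role = who
    order = ORDERS.get(order_id)
    if order is None or (role != "admin" and order["owner"] != user):
        # 404 rather than 403 so the endpoint does not confirm that the id exists.
        return 404, None
    return 200, order


def access_matrix(handler):
    """Call handler as every test account against every object id.

    Returns the (user, role, order_id) triples where a non-admin read an
    order belonging to someone else with HTTP 200. Each triple is a
    reproducible finding: the exact account and request that prove impact.
    """
    findings = []
    for user, acct in TEST_ACCOUNTS.items():
        for order_id, order in ORDERS.items():
            status, _ = handler(acct["token"], order_id)
            expected_ok = acct["role"] == "admin" or order["owner"] == user
            if status == 200 and not expected_ok:
                findings.append((user, acct["role"], order_id))
    return findings


if __name__ == "__main__":
    for name, handler in [("vulnerable", get_order_vulnerable),
                          ("hardened", get_order_hardened)]:
        hits = access_matrix(handler)
        print(f"{name}: {len(hits)} horizontal access-control findings")
        for user, role, order_id in hits:
            owner = ORDERS[order_id]["owner"]
            print(f"  {role} '{user}' read order {order_id} owned by {owner}")
```

Against the vulnerable handler the matrix reports two findings (alice reads bob's order and vice versa); against the hardened one it reports none. On a real engagement the same loop runs over captured requests with each role's session, and the surviving triples go straight into the report as reproduction steps.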
Step 5: Reporting
A strong report includes executive summary, findings with severity/impact/likelihood, reproduction steps + evidence, and clear remediation guidance.
Step 6: Fix window + re-test (highly recommended)
Most value comes from fixing the top issues and re-testing to confirm closure.
What companies should expect
Typical deliverables
- Kickoff + scope document / RoE
- Final report (PDF + optional ticket-ready findings)
- Debrief meeting
- Re-test confirmation (optional add-on)
Typical timeline
- 1–5 days to scope and schedule
- 3–10 days testing (depending on scope)
- 2–5 days for reporting
- Re-test after fixes
Finland specifics: vulnerability disclosure
If your team discovers vulnerabilities in third-party products or services, Finland has established coordinated vulnerability disclosure (CVD) guidance through NCSC-FI (Traficom).
Buying checklist
Send vendors: what assets are in scope, environments (staging/prod), number of roles + test accounts, tech stack + auth method, any "no-go" actions, and deadline + whether re-test is needed.
Ask vendors: Is the test manual or scan-heavy? What methodology do you map to (e.g., OWASP WSTG)? What's included in reporting and re-test? How do you handle sensitive data and evidence?