Most companies discover their vulnerabilities in one of two ways: by running a pentest, or by suffering an attack. The second option usually turns out considerably more expensive.
What is a pentest (and what it is not)
A pentest, or penetration test, is a controlled simulation of a real cyberattack against your infrastructure, applications or people. The goal is to identify exploitable vulnerabilities before a real attacker does.
What a pentest is not:
- An automated vulnerability scan (cheaper, far less informative).
- A compliance audit (which checks whether controls exist, not whether they work).
- A security policy review.
A pentest is performed by a specialist team that actively tries to compromise your systems using the same techniques a real attacker would use. The difference is they have a signed contract and deliver a report at the end.
Key stat: 93% of corporate networks are vulnerable to internal attacks according to the Positive Technologies 2024 report. A pentest is the only way to know this before someone else finds out.
Types of pentest by objective
By information level
- Black box: The team attacks with no prior information, simulating an external attacker who knows nothing about your infrastructure. This is the most realistic scenario for simulating an internet-based attack.
- Grey box: The most common scenario. The team has limited access (basic user credentials, partial documentation) to simulate a compromised employee, a supplier with partial access, or an attacker who has already obtained initial access. Best cost-to-value ratio.
- White box: Full access: source code, architecture, admin credentials. Allows the most thorough review possible. Ideal for critical applications where you want complete certainty, not just an attack simulation.
By scope
| Type | What is evaluated | For whom |
|---|---|---|
| Network pentest | Network infrastructure, servers, firewalls, VPN, segmentation | Any company with own or cloud infrastructure |
| Web application pentest | Websites, APIs, customer portals, own SaaS | E-commerce, fintech, healthtech, any company with web presence |
| Mobile app pentest | iOS and Android apps: authentication, encryption, communications | Companies with their own mobile app |
| Social engineering | People: simulated phishing, vishing, pretexting | Companies wanting to evaluate the human factor |
| Red team engagement | Full attack: network, systems, people, physical | High-maturity organizations wanting realistic simulation |
How much does a pentest cost in Spain
Watch out for abnormally low prices: A pentest under 2,000 EUR is usually an automated scan with a tool report on top. It does not carry the same value. A real pentest requires human time from an experienced specialist.
Cost breakdown by modality
| Modality | Price range | Typical duration |
|---|---|---|
| Web pentest (1 app, grey box) | 3,000 - 6,000 EUR | 3-5 days |
| Web pentest (multiple apps or complex API) | 6,000 - 12,000 EUR | 5-10 days |
| Internal network pentest | 5,000 - 15,000 EUR | 3-7 days |
| Full infrastructure pentest | 12,000 - 25,000 EUR | 2-4 weeks |
| Simulated phishing campaign | 2,000 - 5,000 EUR | 2-4 weeks |
| Red team engagement | 25,000 - 60,000+ EUR | 4-12 weeks |
When does your company need a pentest
Certifying bodies expect you to have actively evaluated your vulnerabilities. A pre-audit pentest reduces the risk of surprises and demonstrates maturity in the risk management process.
NIS2 requires critical and important entities to implement security measures that include regular technical assessments. Pentests are the most objective proof that those assessments are real.
If you are about to launch a web application with customer data, a public API or a payment system, running a pentest before launch is the difference between finding the problem yourself or having someone on the internet find it for you.
Every cloud migration, every new integration, every architecture change can introduce new vulnerabilities. Post-change pentests are shorter and cheaper because the scope is more contained.
NIS2 and ISO 27001: when pentesting is no longer optional
ISO 27001 does not explicitly mandate a pentest, but control A.8.8 (management of technical vulnerabilities) and the risk assessment process make it very difficult to obtain certification without having actively evaluated your systems in practice.
NIS2 is more direct. Article 21 of the directive requires affected entities to implement measures that include periodic security tests and audits. Companies that cannot demonstrate they are conducting these tests face fines of up to 10 million EUR or 2% of global annual turnover.
Sectors most affected by NIS2: Energy, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure, transport, public administration, space. If your company operates in any of these sectors, regular pentests are practically mandatory.
How to choose a pentesting provider
- Methodology: Which standards they follow (OWASP Testing Guide, PTES, NIST SP 800-115, OSSTMM). A serious provider has a documented methodology.
- Team certifications: OSCP, CEH, GPEN, CREST. Not mandatory but a signal of real technical level.
- Sector experience: A hospital pentest has different implications than an e-commerce one. The provider should have references in your sector.
- Report quality: Ask for a sample report. It should include: findings with severity (CVSS), exploitation evidence, real impact, prioritized recommendations and an executive summary for non-technical readers.
- Retesting included: A serious provider includes a retesting round to verify that identified vulnerabilities have been fixed.
Free security assessment
Before launching a pentest process, we do a first review of your attack surface: what systems are exposed, what vectors are most critical and what type of test makes most sense for your situation. No commitment required.
Frequently asked questions
How much does a pentest cost in Spain?
It depends on scope. A basic web application pentest is between 3,000 and 6,000 EUR. A full infrastructure test for a company of 50-200 employees is typically between 8,000 and 20,000 EUR. Complete red team engagements can exceed 40,000 EUR.
How often should a company do a pentest?
At least once a year as standard practice. Plus after major infrastructure changes, before certifications (ISO 27001, ENS) and after incidents. For companies subject to NIS2, regular testing is practically mandatory.
Does NIS2 require pentests?
NIS2 requires regular security testing. Pentests are the most objective way to satisfy that requirement. For critical entities (healthcare, banking, energy, digital infrastructure), the absence of regular security testing can lead to fines of up to 10 million EUR or 2% of global turnover.