How much does a pentest cost for Brazilian companies?
Direct answer
A basic-scope pentest (external infrastructure, up to 10 IPs) starts at R$ 8,000–R$ 15,000 with regional firms. Full web application testing runs between R$ 18,000–R$ 45,000. A red team with advanced APT simulation costs R$ 60,000–R$ 150,000+. The price varies with scope, technical depth, analyst certifications (OSCP, CREST) and delivery timeline.
In short
- ›Basic external infrastructure pentest: R$ 8,000–R$ 25,000
- ›Web application testing with business logic: R$ 18,000–R$ 45,000
- ›Red team / APT simulation: R$ 60,000–R$ 150,000+
- ›Analysts with OSCP/CREST charge 40–70% more than non-certified ones — and deliver more value
- ›A low price with no documented methodology is a red flag: a generic report is worthless for an audit
- ›An annual pentest is a requirement of PCI DSS, ISO 27001 and contracts with financial institutions
Pentest price table in Brazil in 2026
The figures below reflect the Brazilian offensive security market in 2026, factoring in scope, depth and the credentials of the professionals involved. Firms in the South and Southeast with recognized brands tend to charge the upper end of each range; providers without international certifications sit at the lower end.
**External infrastructure (up to 10 IPs):** R$ 8,000–R$ 15,000 / up to 10 business days **Internal infrastructure (on-premise):** R$ 12,000–R$ 28,000 / 10–15 business days **Web application (OWASP Top 10):** R$ 18,000–R$ 35,000 / 10–15 business days **Web application (business logic + authentication):** R$ 30,000–R$ 55,000 / 15–20 business days **API security (REST/GraphQL):** R$ 15,000–R$ 30,000 / 7–12 business days **Mobile (iOS + Android):** R$ 20,000–R$ 40,000 / 10–15 business days **Cloud (AWS/Azure/GCP):** R$ 25,000–R$ 60,000 / 10–20 business days **Red team / APT simulation (open scope):** R$ 60,000–R$ 150,000+ / 30–60 days
What's included in the price of a pentest
A professional pentest includes five deliverables: (1) Executive report — risk summary, business impact and remediation priorities for leadership; (2) Technical report — vulnerabilities with CVSS scores, exploitation evidence, a reproducible PoC and remediation recommendations; (3) Kickoff meeting — alignment on scope, rules of engagement and testing windows; (4) Debriefing session — presentation of findings to the technical team and management; (5) Free retest — verification that critical/high vulnerabilities were remediated (serious firms include at least one free retest).
Providers that deliver only a PDF report with no debriefing and no retest are selling the bare minimum. Companies that need a pentest for compliance (PCI DSS, ISO 27001, LGPD) should require the report to state the methodology used (PTES, OWASP, OSSTMM or NIST SP 800-115) and to be signed by a certified analyst.
Does your environment have vulnerabilities a pentest would find? Decripte offers a free initial technical assessment to map your attack surface before you invest in a full test.
No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.
Annual pentest vs. continuous program: which makes more sense
An annual pentest meets compliance requirements (PCI DSS 11.3, ISO 27001 Annex A 8.8) but offers limited coverage: it identifies vulnerabilities in a single snapshot of the environment. An environment that changes monthly — new APIs, application releases, configuration changes — may have been exposed for 11 months before the next test.
A continuous offensive security program combines: a full annual pentest (broad scope) + quarterly pentests of new applications + a bug bounty for continuous discovery + monthly configuration review (CSPM in the cloud). The annual cost of a continuous program for mid-sized companies runs between R$ 80,000 and R$ 200,000 — and it cuts the time-to-detect of critical vulnerabilities from 12 months to weeks.
How to hire a pentest without overpaying for too little
Five criteria for evaluating a pentest provider: (1) Analyst certifications — require at least one professional with OSCP (Offensive Security Certified Professional) or equivalent (CREST, CEH Practical, GPEN); (2) Documented methodology — the provider should cite PTES, OWASP Testing Guide, OSSTMM or NIST; (3) Sample report — ask for an anonymized example; generic reports ('Vulnerability X detected. We recommend fixing it.') are worthless for an audit; (4) Professional liability insurance (E&O) — serious professionals carry insurance to cover accidental damage during testing; (5) Formal rules of engagement — the contract must detail authorized IPs, the testing window, the emergency procedure and confidentiality.
No card, no commitment — understand your real risk before you invest.
No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.
Why a low price is a red flag in pentesting
Pentests advertised for R$ 1,000–R$ 5,000 are typically: an automated vulnerability scan (Nessus, OpenVAS) with a semi-automated report — no manual exploitation, no business logic analysis, no false-positive verification. This approach has limited value: automated tools identify 30–40% of the vulnerabilities a manual test finds; false positives reach 60% of unverified findings.
For compliance (PCI DSS, ISO 27001, BACEN), automated scanners do not replace a qualified manual pentest. The ANPD and compliance auditors ask for evidence of manual testing performed by a credentialed professional, not just scanner output. Buying on price and having your report rejected in the audit is the most expensive scenario possible.
Pentest and LGPD: what the law requires
The LGPD (Art. 46) requires controllers to adopt 'security, technical and administrative measures capable of protecting personal data.' Although the law does not mention pentesting explicitly, the ANPD interprets the absence of security testing on systems that process personal data as a lack of minimum diligence — especially after an incident.
Companies that suffered a data breach and did not run regular pentests have received aggravated penalties for negligence. Conversely, organizations that can demonstrate a documented periodic testing program have secured fine mitigation for good faith and accountability. The cost of an annual pentest (R$ 20,000–R$ 50,000 for an SMB) is trivial compared to the risk of an ANPD fine (up to R$ 50 million per infraction).
Comparison
| Type | Scope | Price (R$) | Timeline | Who it's for |
|---|---|---|---|---|
| Automated VA | Infrastructure | 1,500–5,000 | 1–3 days | Initial compliance |
| External Infra Pentest | Up to 10 external IPs | 8,000–25,000 | 1–2 weeks | SMB, contractual requirement |
| Web App Pentest | Full web application | 18,000–55,000 | 2–3 weeks | E-commerce, SaaS, fintech |
| Cloud Pentest | AWS / Azure / GCP | 25,000–60,000 | 2–3 weeks | Cloud-native, SaaS |
| Red Team | Open scope (APT) | 60,000–150,000+ | 4–8 weeks | Enterprise, governments, banks |
Key terms
- OSCP
- Offensive Security Certified Professional — a hands-on penetration testing certification from Offensive Security, considered the industry gold standard. It requires the real exploitation of 5 machines in 24 hours without the aid of automated tools.
- CVSSv3
- Common Vulnerability Scoring System version 3 — a 0–10 scale that measures the severity of vulnerabilities. Critical (9.0–10.0), High (7.0–8.9), Medium (4.0–6.9), Low (0.1–3.9).
- Red Team
- An advanced attack simulation that mimics the tactics, techniques and procedures (TTPs) of real APT groups. Open scope: the offensive team may use any vector (physical, social, technical) to reach the defined objectives.
- PTES
- Penetration Testing Execution Standard — an open methodology that defines the 7 phases of a professional pentest: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting.
How to decide and hire well
- Define scope and objectives: List the systems to be tested (IPs, URLs, applications), define the objectives (find critical vulnerabilities, test the detection process, validate controls) and clarify constraints (time windows, out-of-scope systems).
- Request quotes from at least 3 providers: Send the scope in writing and require a proposal that includes: methodology, analyst certifications, timeline, deliverables (executive and technical reports, retest) and liability insurance.
- Evaluate sample reports: Ask for an anonymized example report. Good reports include: business context of the risk, a documented exploitation chain with screenshots, CVSS per vulnerability and specific (not generic) recommendations.
- Sign Rules of Engagement (RoE): Formalize authorized IPs/URLs, the testing window, the emergency point of contact, the procedure if a system goes down, confidentiality and destruction of data after the test.
- Attend the technical kickoff: Take part in the initial meeting with the internal technical team to align expectations, confirm scopes and define the communication channel for alerts during the test.
- Receive and prioritize the findings: Organize vulnerabilities by criticality (CVSS) × ease of exploitation × business impact. Critical vulnerabilities should be remediated within 30 days, high within 60 days, medium within 90 days.
- Request the retest: After remediating the critical and high vulnerabilities, request the retest included in the contract. The retest certificate is the document that proves to auditors that the problem was fixed.
Frequently asked questions
How long does a pentest take?
It depends on the scope. Basic external infrastructure: 3–5 business days of testing + 3–5 days of reporting = 1–2 weeks. Complex web application: 5–10 days of testing + 5 days of reporting = 2–3 weeks. Red team: 4–8 weeks of simulation + 2 weeks of reporting.
What is the difference between a pentest and a vulnerability assessment?
A vulnerability assessment (VA) uses automated tools to identify known vulnerabilities — it's fast, cheap and generates a lot of noise (false positives). A pentest is manual: the analyst exploits the vulnerabilities, chains them together and demonstrates real business impact. A VA identifies what exists; a pentest demonstrates what is exploitable.
Do small companies need a pentest?
It depends on the context. SMBs without sensitive data or financial transactions can start with a quarterly VA + basic hardening. SMBs that process personal data (LGPD), accept payments (PCI DSS) or work with the government or large enterprises usually need an annual pentest — whether due to a regulatory requirement or a client contract clause.
Do I need to notify someone internally before the pentest?
Yes — at least the IT/security manager, the CISO and the legal team should be aware. The SOC team (if there is one) can take part as a detection exercise (Purple Team) or be kept blind to the test to measure real detection capability. Communicating only on a need-to-know basis preserves the realism of the test.
Can I run a pentest in the production environment?
Yes, and it's recommended — testing in production is the only way to identify vulnerabilities in the real environment that attackers will find. The risk is managed through the Rules of Engagement: windows outside business hours, planned rollback controls and a defined emergency communication path. Testing only in staging can miss production misconfigurations.
What should I do if the pentest finds a critical vulnerability in production?
Professional providers report critical vulnerabilities immediately — they do not wait for the final report. The protocol is: the analyst documents and communicates it to the point of contact, the internal team assesses exposure and decides on immediate mitigation (patch, WAF rule, disable the feature) or accepts the risk under monitoring until a planned patch. The analyst stops exploiting that chain and awaits instructions.
Does a pentest cover cloud security?
An infrastructure pentest covers the application layer and protocols exposed in the cloud. But complete cloud security requires Cloud Security Posture Management (CSPM) — assessment of configurations (IAM, S3 permissions, Security Groups, logging). A dedicated cloud pentest tests: exploitable misconfigurations, IAM privilege escalation, metadata exposure and pivoting between services. Cost: R$ 25,000–R$ 60,000 depending on depth.
How do I justify the cost of a pentest to leadership?
Use the formula: (probability of an incident × average financial impact) > cost of the pentest. For a company with R$ 20 million in revenue, a ransomware incident costs on average R$ 1.4 million (ransom + IR + LGPD + lost profits). Estimated annual probability: 15–20%. Value at risk: R$ 210,000–R$ 280,000/year. Pentest cost: R$ 20,000–R$ 40,000. The ROI is evident. Add that a pentest is an increasing requirement of enterprise clients and insurers — not doing one can cost you contracts.
References
How Decripte solves this
From the free assessment to the managed service — pick the right entry point.
Does your environment have vulnerabilities a pentest would find? Decripte offers a free initial technical assessment to map your attack surface before you invest in a full test.
Start free with Threat Management and see what is already exposed. Move up to the managed plans when it makes sense — without building an in-house team.
