Pentest price 2026: what does a penetration test cost in Sweden?

Alexander Norman

Price guide for pentests in Sweden 2026: automated scanning, web app tests, network tests and red team engagements. We share concrete price ranges from the Swedish market, what drives prices up, and where you can save money without compromising on quality.

Price ranges in brief

| Type | Lowest | Common | High end | Frequency |
|---|---|---|---|---|
| Automated continuous scanning | 249 SEK/mo | 990 SEK/mo | 5,000+ SEK/mo | Daily |
| Vibecode audit (AI-built apps) | 5,000 SEK | 15,000 SEK | 30,000 SEK | One-off |
| Web application pentest | 15,000 SEK | 50,000 SEK | 250,000 SEK | Annual |
| External network test | 25,000 SEK | 75,000 SEK | 200,000 SEK | Annual |
| Internal network test | 40,000 SEK | 100,000 SEK | 300,000 SEK | Every 2 years |
| Mobile app test (per app) | 30,000 SEK | 75,000 SEK | 200,000 SEK | Per release |
| API pentest | 25,000 SEK | 60,000 SEK | 200,000 SEK | Per major API version |
| Cloud pentest (AWS/Azure/GCP) | 35,000 SEK | 100,000 SEK | 350,000 SEK | Annual |
| OT/ICS/SCADA pentest | 75,000 SEK | 200,000 SEK | 800,000 SEK | Every 2–3 years |
| Red Team engagement | 200,000 SEK | 500,000 SEK | 1,500,000 SEK | Every 2–3 years |
| Social engineering / phishing | 25,000 SEK | 60,000 SEK | 200,000 SEK | Quarterly to annually |

Prices excl. VAT. Source: pentesting.se price list + the industry's open price lists (Sentor, Truesec, Knowit, Asurgent, Squirrel Security, Cyloq, Opsio, eBuilder Security) as of 2026-05.

What drives the price up?

1. Number of tests and scope

A pentest of one web app can cost 15,000 SEK. The same plus a mobile app and an API comes to 60,000-100,000 SEK. Price doesn't scale linearly: there's a setup threshold of 1-2 days regardless of scope.

2. Depth (black box vs white box)

A black box test takes 30-50% longer because much of the time goes to mapping. A white box test (the tester gets the source code) is more efficient but requires the customer to share sensitive code under NDA.

3. Time pressure

"We need it by Friday" → often a 50-100% price surcharge. The standard pre-booking window is 4-8 weeks.

4. Compliance reporting

Reports tailored to ISO 27001, NIS2, PCI DSS or SOC 2 require extra hours for mapping and documentation. Expect +20-40%.

5. Retest after remediation

Included by serious providers (we include it). If a quote says "retest from 15,000 SEK extra", ask why.

6. Seniority of tester

Junior pentester (1-3 years of experience): ~1,200 SEK/h. Mid-level (3-7 years): ~1,800 SEK/h. Senior (7+ years): 2,500-4,500 SEK/h. Specialized red teamers and hardware hackers cost even more.

7. Geographic factor

Stockholm-based consulting firms are often 10-20% more expensive than those in Gothenburg or Malmö. Remote-based providers (including us) are often cheaper than large consulting firms' enterprise prices.

What should NOT drive up the price?

  • General vulnerability scanners (Tenable, Qualys licenses): these shouldn't be invoiced separately, only the consulting hours
  • Initial scope meeting: should be included, not invoiced
  • Standard tooling (nuclei, burp, nmap): part of the service, not a separate item
  • Tool setup: if someone wants to bill 8 hours of consulting to "set up tools", that's waste. An experienced tester has their setup ready.

Why our automated prices are lower

Our automated continuous scanning starts at 249 SEK/month, which is 30-100x less per year than a single manual pentest. This is possible because:

  1. Costs scale across all customers: the same scan infrastructure runs against 50+ target environments
  2. AI-driven false positive elimination: our self-learning Verification Engine reduces manual verification time by 80-90%
  3. 30+ tools per scan: instead of paying for one consultant's tool setup, all customers get the same
  4. Daily frequency provides marginal value: after the first scan, 90% of subsequent scans' value is in delta detection, not rediscovery

For manual pentests we compete more on standard pricing because human expertise doesn't scale the same way.

Concrete examples, what does it cost?

Small SaaS company (10-30 employees, 1 product)

Need: Show customers we take security seriously.

Solution: Pentesting.se Standard plan (990 SEK/mo) + annual web app test (40,000 SEK).

Total year 1: ~52,000 SEK.

Mid-sized company (100-500 employees, NIS2-scoped)

Need: NIS2 compliance + audit-ready documentation.

Solution: Pentesting.se Premium plan (custom, ~3,000 SEK/mo) with compliance mapping + annual network test (75,000 SEK) + annual web app test (50,000 SEK) + annual API test (45,000 SEK).

Total year 1: ~206,000 SEK. This covers at least 80% of NIS2-related technical measures per Art. 21.

Bank / insurance (PCI DSS / DORA / NIS2)

Need: Full coverage, quarterly reports, dedicated CISO contact.

Solution: Premium plan + annual internal network test (150,000 SEK) + annual external (100,000 SEK) + 4x/year web app test (4×40,000 = 160,000 SEK) + annual social engineering (60,000 SEK) + Red Team every other year (500,000 SEK / 2 = 250,000 SEK/year amortized).

Total year 1: ~720,000 SEK.

Small webshop (5-20 employees)

Need: Not under NIS2 (below threshold), but WooCommerce/Magento security matters for card data.

Solution: Pentesting.se Basic (249 SEK/mo). Daily automated scanning is enough until revenue or an incident requires more.

Total year 1: ~3,000 SEK.

Questions to ask before ordering

  1. What's included exactly? Ask for a list of scope, the number of pages/endpoints, what's tested and what's not.
  2. How many hours? Price per day is common; ask for hours to compare.
  3. Who's the tester? Senior or junior? Which certifications? Ask for an anonymized sample report.
  4. What's included in the retest? How many months is it valid? How many retests?
  5. What happens if an incident occurs during the test? Is there a stop plan? Who carries liability?
  6. Data storage: where does test data end up? How long is it kept? Is it GDPR-safe?
  7. Compliance mapping: do I get a NIS2/ISO 27001-mapped report or just a generic one?
  8. How often do I get reports? For a manual test: one final report. For continuous monitoring: daily or incident-based?

Best combination for the money

For the vast majority of organizations in Sweden today:

  1. Continuous automated scanning (249-990 SEK/month) → catches 80% of issues daily
  2. Manual pentest annually (40,000-100,000 SEK) → catches deeper bugs
  3. Retest after remediation (included) → confirms fix

A total cost of 50,000-110,000 SEK/year covers at least 90% of risk. Buy add-on packages (red team, social engineering, mobile, API) only if they match a specific risk.

Pentesting.se price list

See the services page for current prices. We're open about what's included. If you're comparing quotes, we're happy to answer directly via email what our hours include and what they don't.

Run a free healthcheck to see your current exposure before investing in a full pentest.


See also in the glossary: ISO 27001, NIS2, DORA, GDPR, pentest, Red Team, false positive.
