Penetration Testing

How to Evaluate a Penetration Testing Firm (Not All Pentests Are the Same)

A practical guide for founders and CTOs comparing pentest vendors in India: what to ask about certifications, report quality, retest policies, and red flags that signal a scanner-only engagement.

Ashok Kamat
Cyber Secify

You have three pentest quotes on your desk. One is ₹45,000, one is ₹75,000, and one is ₹2,50,000. All three say “penetration testing” in the proposal title. All three promise a report at the end.

They are not the same service. Not even close.

The difference between a good pentest and a bad one is the difference between knowing your real vulnerabilities and having a false sense of security. This guide will help you tell them apart.

1. Ask About Team Certifications (And Verify Them)

The single biggest factor in pentest quality is who does the work. Certifications matter because they indicate hands-on, practical testing ability, not just theoretical knowledge.

Certifications that signal real testing skill:

  • OSCP (Offensive Security Certified Professional): The industry standard for manual exploitation. Requires a 24-hour hands-on exam where you break into multiple machines. You cannot pass this by memorizing a textbook.
  • CREST CRT/CCT: UK-based certification with rigorous practical exams. Widely recognized in enterprise and financial services.
  • CompTIA PenTest+: Covers planning, scoping, and reporting alongside technical testing. Good baseline.
  • CEH (Certified Ethical Hacker): The most common certification. It tests knowledge, not practical skill. A CEH-only team can do basic testing but may miss complex business logic flaws.

What to ask: “Who will actually perform the testing on my engagement? What are their certifications?” If the answer is vague (“our team has various certifications”) or they can’t name the specific tester, that’s a signal. You want to know the person who will be hands-on with your application.

At Cyber Secify, every engagement is delivered by OSCP and CompTIA PenTest+ certified testers. Not managed by them. Delivered by them.

2. Understand What “Automated Scan + Manual Testing” Actually Means

Almost every pentest proposal includes the phrase “combination of automated scanning and manual testing.” This sounds reasonable. The problem is that for many firms, especially at the lower end of pricing, the split is 90% automated and 10% manual review of the scan output.

Here’s what that looks like in practice:

  • Run Nessus or Acunetix against the target
  • Export the findings
  • A junior analyst reviews the output, removes obvious false positives
  • The remaining findings get copied into a branded report template
  • Total human effort: 4 to 8 hours

That is a vulnerability assessment, not a penetration test. The difference matters.

What to ask: “How many hours of manual testing will my engagement include? What tools does your team use for manual testing?” A legitimate pentest firm will mention Burp Suite Professional, custom scripts, manual API testing with tools like Postman or httpx, and they’ll describe their methodology for testing business logic.

Red flag: If the proposal doesn’t specify manual testing hours or methodology, you’re likely buying a scanner report with a nicer cover page.

3. Evaluate Report Quality Before You Buy

The pentest report is the deliverable. It’s what you show your investor, your enterprise client, your auditor. A bad report wastes the entire engagement.

What a good pentest report includes:

  • Executive summary written for non-technical stakeholders (your CEO, your investor)
  • Business impact assessment for each finding, not just CVSS scores but what it means for your company
  • Detailed reproduction steps that your engineering team can follow to verify the issue
  • Fix guidance with specific, actionable remediation advice (not just “apply the latest patch”)
  • Compliance mapping showing which findings affect SOC 2, ISO 27001, or DPDP Act requirements
  • Risk-rated findings using a standard framework (CVSS, OWASP Risk Rating)

What a bad report looks like: Scanner output with boilerplate descriptions, generic remediation advice (“improve input validation”), no business context, and findings sorted by CVSS score with no explanation of actual impact.

What to ask: “Can I see a sample report?” Any firm confident in their work will share one. Here’s ours.

4. Check the Retest Policy

You get the pentest report. Your team fixes the critical and high-severity findings. Now you need verification that the fixes actually work. This is the retest.

Industry reality: Most firms charge extra for retesting. Some charge 25 to 50% of the original engagement cost. Others offer a single “verification scan” (automated, not manual) and call it a retest.

What to ask: “Is a retest included in the engagement? Is it a full manual retest or an automated re-scan? What’s the validity window?”

At Cyber Secify, both our Startup and Growth pentest plans include one full manual retest at no additional cost. If your team fixes the findings and wants verification, you get it. No extra invoice.

5. Business Logic Testing: The Real Test of Quality

This is where the gap between a scanner-driven engagement and a real pentest becomes impossible to hide.

Business logic vulnerabilities are flaws in how your application implements its rules, not in the code’s syntax or known CVE patterns. Scanners cannot find them because they require understanding what your application is supposed to do.

Examples of business logic findings a manual pentest catches:

  • IDOR (Insecure Direct Object Reference): Changing /api/invoice/1234 to /api/invoice/1235 returns another customer’s invoice. The API works perfectly. The authorization check is missing.
  • BOLA (Broken Object-Level Authorization): A user with “viewer” role can access admin API endpoints because the role check only exists in the frontend React code, not on the server.
  • Auth bypass: Password reset flow accepts any email address and sends the reset link, but the token is predictable (sequential, timestamp-based, or short enough to brute-force).
  • Payment logic abuse: Applying a discount code, removing an item from the cart, then re-adding it applies the discount twice.
  • Race conditions: Two simultaneous withdrawal requests against the same account balance both succeed because the balance check isn’t atomic.

What to ask: “Can you share examples of business logic vulnerabilities your team has found in past engagements?” A good firm will have stories. A firm that only runs scanners won’t.
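Two of the flaws listed above, the missing authorization check behind IDOR/BOLA and the non-atomic balance check behind the withdrawal race, shown as a vulnerable handler beside its hardened form. This is an added illustration, not code from the article or from Cyber Secify; the invoice data, account balances and function names are constructed for the example, and the in-memory lock stands in for the row lock or conditional UPDATE a real service would use.

```python
import threading
import time

# Constructed sample data (not from the article): two customers, one invoice each.
INVOICES = {
    1234: {"owner": "alice", "total": 1200},
    1235: {"owner": "bob", "total": 9800},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_invoice_vulnerable(user, invoice_id):
    # IDOR/BOLA: the record is fetched by id alone. Any logged-in user who
    # changes 1234 to 1235 in the URL gets someone else's invoice.
    return INVOICES[invoice_id]


def get_invoice_fixed(user, invoice_id):
    # Object-level authorization on the server: ownership is part of the lookup,
    # so the frontend's role or id handling is irrelevant to what gets returned.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        # Same error for "missing" and "not yours" so valid ids can't be enumerated.
        raise Forbidden("invoice not found")
    return invoice


def can_read(user, invoice_id):
    """True if the hardened handler lets `user` read `invoice_id`."""
    try:
        get_invoice_fixed(user, invoice_id)
        return True
    except Forbidden:
        return False


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_vulnerable(self, amount):
        # Check, then act, with nothing tying the two together. A second request
        # that passes the check in the gap is also paid out.
        if self.balance >= amount:
            time.sleep(0.01)  # stands in for the DB round-trip between check and update
            self.balance -= amount
            return True
        return False

    def withdraw_fixed(self, amount):
        # Check and update under one lock, so only one request can pass the check
        # for a given balance. In a real service this is a row lock or a
        # conditional "UPDATE ... WHERE balance >= amount" (assumption, not the
        # article's recommendation).
        with self._lock:
            if self.balance >= amount:
                time.sleep(0.01)
                self.balance -= amount
                return True
            return False


def simulate_withdrawals(fixed, balance=100, amount=100, requests=2):
    """Fire `requests` concurrent withdrawals; return (successes, final balance)."""
    account = Account(balance)
    method = account.withdraw_fixed if fixed else account.withdraw_vulnerable
    results = []
    threads = [threading.Thread(target=lambda: results.append(method(amount)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    print("bob reads alice's invoice (vulnerable):", get_invoice_vulnerable("bob", 1234))
    print("bob reads alice's invoice (fixed):", can_read("bob", 1234))
    print("race, vulnerable (successes, balance):", simulate_withdrawals(fixed=False))
    print("race, fixed (successes, balance):", simulate_withdrawals(fixed=True))
```

Running the script shows the point a scanner cannot: both handlers return well-formed responses and neither throws a stack trace, so the only way to notice the difference is to know who is allowed to read which invoice and what a balance is supposed to do under two concurrent requests. The fixed withdrawal always yields exactly one success and a zero balance; the vulnerable one usually pays twice and goes negative.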

6. Comparison: Freelancer vs Junior-Led Firm vs Senior-Led Firm

Not all pentest providers are structured the same way. Here’s what you’re actually getting at each tier:

Factor | Freelancer (₹30K–50K) | Junior-Led Firm (₹50K–1L) | Senior-Led Firm (₹75K–2L+)
------ | ---------------------- | ------------------------- | ---------------------------
Who tests | Single freelancer, skill varies | Junior analysts (0–3 years), senior reviews output | OSCP/CREST certified seniors do hands-on testing
Methodology | Varies by individual | Mostly automated with some manual | Structured manual testing, OWASP, PTES
Business logic | Maybe, depends on the person | Rarely tested in depth | Core focus of the engagement
Report quality | Basic, often no business context | Template-driven, generic remediation | Business impact, fix guidance, compliance mapping
Retest | Usually not included | Automated re-scan or extra charge | Manual retest included
Compliance mapping | No | Sometimes | SOC 2, ISO 27001, DPDP Act mapping included
Consistency | Depends entirely on the individual | Varies by who’s assigned | Consistent because seniors do the work
Communication | Direct but informal | Account manager relays questions | Direct access to the tester

The cheapest option is not always the worst. A skilled freelancer with OSCP can deliver excellent work. But there’s no quality assurance, no retest guarantee, and if they’re unavailable next quarter, you start from scratch with someone new.

The most expensive option is not always the best. Large firms charge ₹3L+ and assign the work to the same junior analysts you’d get at a mid-tier firm. You’re paying for the brand name on the report cover.

The sweet spot for most startups is a senior-led boutique firm with transparent pricing, proven certifications, and included retesting.

7. Red Flags When Evaluating a Pentest Firm

Watch for these signals that the engagement may not deliver what you need:

  • “Contact us for a quote” with no public pricing. Transparency about pricing signals confidence. If a firm won’t tell you what they charge until they’ve had three sales calls, ask yourself why.
  • Rotating analysts. “Your engagement will be assigned to one of our team members.” Which one? If they can’t tell you who will test your application, the work is being commoditized.
  • No retest included. If the firm doesn’t include retesting, they’re optimizing for report delivery, not for actually improving your security.
  • Automated-only “pentest” at suspiciously low prices. A 2-day “pentest” for ₹20,000 is a scanner report. Manual testing takes time. Time costs money.
  • No sample report available. If they won’t show you what the deliverable looks like before you buy, the deliverable is probably not something they’re proud of.
  • Vague methodology descriptions. “We use industry-standard tools and techniques” means nothing. Ask for specifics.
  • No mention of business logic testing. If the proposal only covers OWASP Top 10 without mentioning authorization testing, IDOR, or workflow abuse, you’re getting surface-level coverage.

How to Make Your Decision

Here’s a simple evaluation checklist:

  1. Ask who will do the testing. Get a name and certifications.
  2. Ask for a sample report. Read the executive summary and fix guidance sections.
  3. Ask how many hours of manual testing are included.
  4. Ask if retesting is included and whether it’s manual or automated.
  5. Ask about business logic testing methodology.
  6. Compare the total cost, including retesting and compliance mapping, not just the headline price.

A ₹75,000 pentest with senior testers, included retesting, and compliance mapping is more valuable than a ₹45,000 engagement that misses your critical vulnerabilities and charges ₹30,000 for a retest.

One more tip: ask for references. A firm that has tested products similar to yours (SaaS, fintech, healthtech, whatever your vertical) will ramp up faster and find more relevant issues. Domain knowledge matters in security testing just as it does in engineering.

Our Approach

Our Startup Pentest plan is ₹74,999 for one scope with 7 days of testing, a full manual retest, and a Brand Protection Snapshot. Every engagement is delivered by OSCP and CompTIA PenTest+ certified testers. Not supervised by seniors. Delivered by them.

Want to see the quality before you commit? View our sample report or run your domain through Open EASD for a free external attack surface snapshot.

If you’re not sure whether you need a pentest or something else entirely, start with Security on Demand: 4 hours of founder-led assessment for ₹9,999 (refundable if you don’t continue).

See our penetration testing services for full scope details and what each engagement includes.

The right pentest firm won’t just hand you a report. They’ll make your product meaningfully harder to break.
