The math on pentest cost per finding

Annual pentests cost $30k to $150k per engagement and run once a year. Continuous coverage changes the math. A spreadsheet-grade comparison of cost per verified finding.

Annual penetration tests are expensive and, by design, stop.

What an annual pentest actually costs

A typical engagement runs $30,000 to $150,000. That buys you two to four weeks of consultant time. The deliverable is a report.

That report ages immediately. The day the engagement ends, your team starts shipping code. New endpoints appear. Configurations change. Dependencies update.

By month three, the findings in the report describe a codebase you no longer have.

Here is what you are actually buying:

  1. A snapshot of one attack surface at one point in time.
  2. A PDF that answers questions from last quarter.
  3. A compliance checkbox that expires in twelve months.
  4. Remediation guidance that may not match your current architecture.
  5. A repeat purchase next year to start over.

The cost per finding looks reasonable until you account for time.

The cost-per-finding math

Let us make this concrete. A $60,000 engagement that surfaces 20 valid vulnerabilities costs $3,000 per finding. That sounds acceptable.

But the finding is already stale when you read it. If your team takes four weeks to remediate, and the consultant found it in week one of the engagement, that vulnerability sat open for five weeks during the window, plus the months since your previous engagement.

The real cost is not dollars per finding. It is dollar-weeks of exposure per finding.

Continuous coverage changes both variables.

A continuous approach surfaces findings within hours of a code change. Remediation happens in the same sprint the vulnerability was introduced. The exposure window collapses from months to days.

I think that is the metric security buyers should be quoting to finance: not cost per report, but cost per verified finding per week of exposure.
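The exposure-weighted comparison above, worked through as an added example (not from the original post or from Sekura). It uses the post's figures, a $60,000 engagement surfacing 20 findings, found in week one and remediated in four weeks, and assumes an equal annual spend for the continuous model and a definition of "dollar-weeks per finding" as cost per finding times average weeks a finding stays open.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed inputs using the post's numbers. The continuous-model price is
# an assumption (equal spend) so that only the exposure window differs.
ENGAGEMENT_COST = 60_000
CONTINUOUS_ANNUAL_COST = 60_000
REMEDIATION_WEEKS = 4


@dataclass
class Finding:
    introduced_week: int   # week of the year (0-based) the vulnerable code shipped


def annual_exposure_weeks(findings, engagement_start_week, found_in_week):
    """Annual model: a bug stays open from the week it shipped until the
    consultant finds it during the engagement, plus the remediation time."""
    return [engagement_start_week + found_in_week - f.introduced_week + REMEDIATION_WEEKS
            for f in findings]


def continuous_exposure_weeks(findings, detection_weeks=0.0):
    """Continuous model: detection follows the commit within hours (~0 weeks),
    so exposure is essentially the remediation time alone."""
    return [detection_weeks + REMEDIATION_WEEKS for _ in findings]


def dollar_weeks_per_finding(total_cost, exposure_weeks):
    """Assumed definition of the post's metric: cost per finding multiplied by
    the average number of weeks a finding stays exploitable."""
    per_finding = total_cost / len(exposure_weeks)
    return per_finding * mean(exposure_weeks)


def compare(findings):
    # Engagement assumed to start in week 48; findings surface in its first week.
    annual = annual_exposure_weeks(findings, engagement_start_week=48, found_in_week=1)
    cont = continuous_exposure_weeks(findings)
    return {
        "annual_cost_per_finding": ENGAGEMENT_COST / len(findings),
        "annual_avg_exposure_weeks": mean(annual),
        "annual_dollar_weeks": dollar_weeks_per_finding(ENGAGEMENT_COST, annual),
        "continuous_avg_exposure_weeks": mean(cont),
        "continuous_dollar_weeks": dollar_weeks_per_finding(CONTINUOUS_ANNUAL_COST, cont),
    }


# Constructed sample: 20 findings shipped every other week across the year.
SAMPLE = [Finding(introduced_week=w) for w in range(0, 40, 2)]

if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key:32s} {value:>10,.1f}")
```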

A side-by-side comparison

Here is how the two models compare across the variables that matter to a CFO:

| Variable | Annual engagement | Continuous |
| --- | --- | --- |
| Cost | $30k to $150k per engagement | Monthly or per-scan pricing |
| Coverage window | 2 to 4 weeks per year | Every commit |
| Findings freshness | Stale by day 30 | Current |
| Proof of exploit | Varies by firm | Required (Sekura reports nothing without a working exploit) |
| False positive rate | 10 to 40 percent (manual triage varies) | Near zero |
| Compliance | Point-in-time pass or fail | Continuous evidence |
| Ramp-up cost | 1 to 2 weeks scoping per engagement | One-time setup |

The annual model makes sense for compliance checkboxes with a specific date requirement. SOC 2 auditors want a report. That report needs a date. An annual engagement produces one.

But compliance is not the same thing as security.

What changes when coverage is continuous

Three things shift when you stop treating pentests as events:

  1. Developers get feedback in the same sprint they introduced the issue. The context is fresh. The fix is faster.
  2. Finance can model security spend as a predictable monthly line item rather than a lumpy capital expense.
  3. The attack surface being tested is the one that exists right now, not the one that existed during last quarter's engagement.

I believe the annual pentest model persists not because it is the right answer, but because it is the familiar one. Buyers know how to evaluate a proposal from a consulting firm. The vendor selection process is legible. The invoice is predictable.

Continuous coverage requires a different mental model. The security team is no longer buying time from consultants. It is buying infrastructure.

That is a better trade. Infrastructure compounds. Time does not.

The flow below shows how Sekura handles the decision at scan time. No proof synthesized means no finding reported, which means no triage burden on your team.

flowchart TD
  A[Code change pushed] --> B[Scan triggered across 7 phases]
  B --> C{Exploit synthesized?}
  C -->|Yes| D[Finding reported with deterministic proof]
  C -->|No| E[Hypothesis discarded silently]
  D --> F[Developer fixes in same sprint]
  E --> G[No alert, no noise, no triage cost]
  F --> H[Verified remediation on next scan]

Choosing the right model

Annual engagements are not obsolete. Some use cases still warrant them.

If you need a human to attest to a specific scope for a specific compliance framework, a consulting firm is the right answer. PCI-DSS Qualified Security Assessors have specific credentialing requirements that autonomous tooling does not satisfy today.

If you are building a security program from scratch with no baseline, a single engagement can orient your team before you layer in continuous tooling.

The mistake is treating annual engagements as a substitute for continuous coverage rather than a complement. One snapshot per year is not a security posture. It is a compliance document.

The security posture comes from knowing what is exploitable right now.

Security spend, like any capital allocation, should be evaluated on return. The return on a pentest is verified findings and remediated risk. The question is how much exposure you are willing to accept between measurements. See how Sekura fits into your testing program at /vs/manual-pentest/.