HomeBlog › Pricing
Pricing

How much does a penetration test cost?

By The SafeComs Team  ·  19 July 2026  ·  4 min read

Ask three security firms what a penetration test costs and you will get three answers that do not even live on the same planet. One says 30,000 baht. One says 250,000. One asks for a meeting before they will say a number at all.

You are not going crazy. The word "penetration test" covers work that ranges from a 20-minute automated scan to a team of specialists spending three weeks trying to break into your systems by hand. Same two words. Wildly different jobs.

So let me give you the honest version, with real numbers, and then help you work out what your business actually needs.

The short answer

For a small or medium business in Thailand that wants to know what it looks like from the outside, expect to pay somewhere between 30,000 and 300,000 THB for a proper external penetration test.

At Cydome we set a fixed price of 15,000 THB for an external attack-surface assessment, reviewed by a real security engineer, with the report in your inbox within 48 hours. I will explain below why we can do that and where the higher numbers come from, so you can judge for yourself.

Why the price moves so much

Three things drive the cost of any security test. Once you can see them, the quotes stop looking random.

Scope. Are we testing one website, or fifty servers, three mobile apps and a payment integration? Every asset added is more hours. A single external footprint is a small job. A full internal test of a bank is a large one.

Depth. An automated scanner can check a thousand things in an hour. A human trying to chain small weaknesses into a real break-in works slowly and carefully. Manual depth is where the hours pile up, and hours are the whole cost.

People. A skilled penetration tester in Asia-Pacific is expensive, and rightly so. When a quote climbs past 200,000 baht, you are mostly paying for senior human time. That is fair when your risk justifies it, and heavy when it does not.

What each price band actually buys you

Here is the rough map, so a number in an email means something to you.

Most SMEs think they need the third band. Most SMEs need the first, then the second only for the one system that would hurt if it fell.

The trap of "request a quote"

Notice how many security firms will not put a price on their website. There is a reason. When the number is hidden, they can size it to what they think you can pay, and you have nothing to compare it against.

I find that dishonest, so we do the opposite. A fixed 15,000 THB, published, no per-IP licensing games, no "enterprise" surcharge for asking a simple question. You know the price before you say hello.

A transparent price also does something quieter. It lets a CEO act without a three-week procurement dance. You see the risk, you fix the risk, you move on.

Where Cydome fits

Think of your business like a house. Before you hire an architect to redesign the whole security system, you want to walk around the outside and see which doors and windows are standing open. That walk-around is cheap, fast, and it tells you where the real problem is.

That is what the Cydome assessment does. We scan everything an attacker can see from the internet, a real engineer reviews every finding so you are not drowning in false alarms, and you get a plain-English report that says what to fix first. Fixed price, 48 hours, no jargon.

If that report shows one system that needs a deeper manual test, good. Now you are spending the big money on the one thing that deserves it, instead of paying for a full audit to discover what a 15,000 baht scan could have told you in two days.

So, what should you do

Start with the cheap, honest look from the outside. Almost every business has a door standing open that it does not know about, and finding it does not require a six-figure engagement.

See what an attacker sees first. Then, and only then, decide where the deeper money should go. That order saves you the most and protects you the fastest.

About Cydome: Cydome is the automated attack-surface scanner built by SafeComs, cybersecurity consultants with 25+ years protecting businesses across Asia-Pacific. Every finding is reviewed by a real security engineer before it reaches you. Meet the team.

See what attackers see

Run a free website security check and get an instant A–F grade, or get the full human-reviewed report for a fixed 15,000 THB.

Free security checkSee pricing