How Much Does a Penetration Test Cost in Kenya?
What drives the cost of a VAPT in Kenya — scope, testing depth, methodology and retest terms — plus how to compare quotes, what a suspiciously cheap pentest is hiding, and the questions to ask before you sign.
There is no price list for penetration testing, in Kenya or anywhere else, and any firm that quotes you a figure before understanding your environment is selling you an automated scan with a report template on top. That distinction matters, because those two things differ in price by an order of magnitude and in value by considerably more.
What follows is how the number is actually built. Read it and you will be able to interrogate any quote you receive — including ours — and understand what you are paying for rather than comparing two totals at the bottom of two PDFs.
The six variables that set the price
Effectively every legitimate quote is a function of tester-days. Everything below changes how many days the work honestly requires.
- Scope size — how many applications, IP ranges, APIs and user roles are in play. A single web app with three roles is not comparable to a platform with twelve.
- Testing depth — black-box (no credentials) is faster and finds less; grey-box (credentialed, given a walkthrough) finds far more per day and is what most buyers should actually purchase.
- Asset type — web, mobile, internal network, cloud configuration and social engineering are distinct skill sets. A combined engagement costs more because it genuinely is more work.
- Manual effort ratio — the single biggest differentiator. Running a scanner takes hours. Manually chaining an access-control flaw into full account takeover takes days, and it is the only part that finds what matters.
- Reporting depth — an executive summary plus a developer-ready technical report with reproduction steps takes real time to write. Exported scanner output takes none.
- Retest terms — whether verifying your fixes is included, or billed again as a second engagement.
Why we will not publish a number on this page
Because it would be a lie of convenience. A figure with no scope attached anchors your expectations against work that may bear no resemblance to what you need, and every firm that publishes one relies on that anchor being wrong in their favour once scoping reveals the real requirement.
What we do instead is scope on a call, then quote a fixed price against a fixed scope before any work begins. If the scope changes, we tell you before the cost does. There are no hourly overruns, because you did not buy hours — you bought a defined engagement with a defined deliverable.
What a suspiciously cheap penetration test is actually hiding
The low quote is rarely a bargain; it is usually a different product wearing the same name. Before you take it, establish which of these you have been sold.
- It is a vulnerability scan. A tool was pointed at your systems and its output was reformatted. No human attempted to exploit anything.
- There is no manual testing, so nothing was found that a scanner cannot find — meaning no business-logic flaws, no privilege escalation, no chained exploits. These are the findings that matter.
- The report has no proof of impact. Findings are theoretical severities lifted from a CVE database rather than demonstrations of what an attacker could do to you specifically.
- Retesting is excluded, so you cannot prove to a customer or an auditor that anything was actually fixed.
- The testers are junior and unsupervised. Ask directly who will do the testing, what they hold, and to see a redacted sample report before you sign anything.
How to compare two quotes fairly
Put the totals aside and compare the inputs. Ask each firm for the number of tester-days, the ratio of manual to automated effort, the named methodology they follow (OWASP Testing Guide, PTES, OSSTMM), the seniority of the people actually assigned, whether a retest is included, and whether you will receive an attestation letter you can pass to customers and insurers.
Then ask for a redacted sample report. Ten minutes reading one tells you more about what you are buying than any conversation about price. If a firm will not produce one, you have your answer.
Budgeting for it properly
Treat the test as one line in a larger figure, because the test itself is not where most of the money or the value sits. Budget for the remediation work the findings will require — that is the point of testing, and it will consume engineering time you have not currently allocated. Budget for a retest to prove closure. Budget for a repeat engagement after any material change to your systems, and annually as a baseline.
The organisations that get least value from penetration testing are the ones that budget for the report and nothing else. The report is not the deliverable. The fixed system is.
Key takeaways
- There is no honest price list — cost is a function of scope, depth and manual effort.
- Grey-box (credentialed) testing finds substantially more per day than black-box, and usually costs less per finding.
- A cheap quote is normally a vulnerability scan renamed. Ask for tester-days and the manual/automated ratio.
- Always confirm whether a retest and an attestation letter are included before comparing totals.
- Budget for remediation and a retest, not just the report.
Frequently asked questions
Is a penetration test worth it for a small business?
It depends on what you would lose. If a breach would expose customer personal data, halt your operations, or cost you a contract with an enterprise client who asks for a recent report, then yes — and the cost of the test is a fraction of the cost of the breach or the lost contract. If you are a five-person business with no customer data and no compliance obligation, your money is better spent first on the fundamentals: multi-factor authentication, patching, backups and endpoint protection. We will tell you honestly which of those two situations you are in, and we have talked prospects out of testing they did not yet need.
How is a VAPT priced — fixed fee or hourly?
We price fixed-fee against a scope agreed in writing before testing begins, and we recommend you insist on the same from anyone you engage. Hourly pricing transfers the risk of a bad estimate from the vendor to you, and it creates an incentive to spend longer rather than to find more. If the scope genuinely changes mid-engagement — you disclose an application that was not in the original inventory, which happens more often than you would think — we come back to you with a revised scope and a revised price before doing the work, never after.
Does the cost include fixing the vulnerabilities you find?
No, and be cautious of any firm where it does. There is an inherent conflict of interest in the same party being paid to find flaws and paid again to fix them. Our engagement includes the report, a live debrief where your developers can ask questions directly, remediation guidance as your team implements fixes, and a free retest to verify closure. Where you have no internal capacity to remediate, we can quote that work separately and transparently — but you should know that is a separate commercial decision, not a line quietly folded into a test.
How often should we budget for penetration testing?
Annually as a baseline, plus after any material change to your systems: a significant new feature, a cloud migration, a merger, or a change in the sensitivity of the data you hold. Organisations shipping code continuously often move to a lighter quarterly test against their highest-risk components with one deep annual engagement. Between tests, continuous vulnerability management covers the gap at a far lower cost than repeated full engagements.