There’s a moment in almost every scoping conversation where we ask something like, “Do you have a penetration test budget in mind?” And there’s a predictable pause on the other end.
We understand why. The assumption most people make is that asking for a budget is a negotiating tactic. That if you say $10,000, you’ll get a $10,000 proposal regardless of what the test realistically costs. It’s a reasonable concern, and frankly, it’s a fair description of how some vendors approach that question.
It’s not how we use it.
When MainNerve asks about your budget during scoping, we want to know what’s possible for your organization so we can build a test that delivers real security value within your budget, rather than a generic proposal that misses the mark in either direction.
The Problem With Ignoring the Budget During Scoping
Penetration testing is not a fixed-price commodity. The cost of a test scales with the scope. The number of IP addresses, systems, applications, or other targets included in the engagement will affect the price. A small external network test is one price. A large internal network with hundreds of devices is a very different price. A full-scope engagement covering internal, external, web applications, and APIs is something else entirely.
When a firm scopes a penetration test without understanding what a client can spend, one of two things tends to happen. The first is that the proposal comes back at a number the client can’t afford, the engagement doesn’t happen, and the organization remains unprotected. The second is that the client stretches beyond what’s comfortable, gets a test they aren’t sure they needed at that scale, and walks away wondering whether they could have gotten something for less.
Neither of those outcomes serves the client. And since our goal is to make organizations more secure, not to close a deal, neither outcome serves us.
Knowing your budget lets us design the right engagement from the start. It’s the same reason a contractor asks what you’re looking to spend before drawing up renovation plans. They could design you a dream kitchen regardless of budget, but if you can’t afford to build it, the design is useless. The conversation that helps you is the one that starts with what’s realistic.
What Budget Information Actually Tells Us
When you share a budget range with us, we’re using it to answer a specific set of practical questions about your environment.
The most common situation we encounter with small and mid-sized businesses is a large internal network with a limited budget. An organization might have 150 internal devices, including workstations, servers, printers, and other network equipment, and a budget that realistically covers testing 20 or 30 of them. Without knowing the budget, we’d scope the full network and send a proposal that the client can’t work with. With the budget, we can have an honest conversation about how to get the most security value from the available resources.
This is where a concept we use regularly becomes practical: sampling.
Sampling: Getting Real Security Value from a Partial Test
If your organization runs a standardized desktop environment, meaning the same operating system image is deployed across all of your workstations, then a vulnerability we find on one of those machines almost certainly exists on all of them. Testing every device individually would tell us the same thing dozens of times over, at a cost that scales linearly with the number of devices. That’s not an efficient use of your security budget.
Instead, we can test a representative sample of devices, enough to cover the range of configurations, roles, and exposure levels in your environment, and the findings from that sample will give you meaningful insight into your overall posture. You can correlate what we find on the tested machines with the other devices that share the same build, apply the same remediations across the board, and walk away with actionable results at a fraction of the cost of full-scope testing.
This approach works especially well for organizations that use a standard desktop image across all their endpoints, have a relatively uniform server configuration, or have a clear sense of which systems are the highest priority. We help identify which targets will give you the most representative and useful results within your budget, not just the easiest or cheapest to test.
The goal is to make sure that whatever we test is genuinely informative, not just a checkbox. A small, well-chosen scope that produces actionable findings is worth far more than an exhaustive scope that produces a report nobody reads.
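To show what "a representative sample" looks like in practice, here is an added example (not MainNerve's tooling) that takes a constructed 150-device inventory, groups hosts by OS image, role, and exposure, spreads a 25-host budget so every group is covered and 120 identical workstations cannot absorb it all, and then maps a finding on one tested host back to every untested host on the same build. The hostnames, image names, and exposure scale are assumptions for the example.

```python
from collections import defaultdict
from itertools import cycle

# Constructed inventory for a 150-device network: (hostname, os_image, role, exposure).
# Exposure: 2 = internet/DMZ-facing, 1 = internal user or server VLAN, 0 = isolated.
def build_inventory():
    inv = [(f"ws{i:03d}", "win11-std-2024q1", "workstation", 1) for i in range(120)]
    inv += [(f"srv{i:02d}", "win2022-std", "app-server", 1) for i in range(20)]
    inv += [(f"dmz{i:02d}", "ubuntu-22.04", "web", 2) for i in range(6)]
    inv += [(f"prn{i:02d}", "printer-fw", "printer", 0) for i in range(4)]
    return inv

def stratify(inventory):
    """Group hosts by (os_image, role, exposure). Hosts sharing a build and role
    are expected to share findings, so each group is one stratum."""
    strata = defaultdict(list)
    for host in inventory:
        strata[host[1:]].append(host)
    return strata

def pick_sample(inventory, budget):
    """Select `budget` hosts: one from every stratum first (coverage), then
    round-robin across strata ordered by exposure, so the 120 identical
    workstations cannot soak up the whole budget."""
    strata = stratify(inventory)
    budget = min(budget, len(inventory))
    if budget < len(strata):
        raise ValueError(f"budget {budget} covers fewer hosts than {len(strata)} strata")
    order = sorted(strata, key=lambda k: (-k[2], -len(strata[k])))
    taken = {k: 1 for k in order}
    remaining = budget - len(order)
    for k in cycle(order):
        if remaining == 0:
            break
        if taken[k] < len(strata[k]):
            taken[k] += 1
            remaining -= 1
    return {k: strata[k][:taken[k]] for k in order}

def extrapolate(inventory, hostname):
    """Correlation step: a finding on one tested host is assumed to apply to
    every untested host in the same stratum, so remediation covers all of them."""
    key = {h[0]: h for h in inventory}[hostname][1:]
    return [h[0] for h in inventory if h[1:] == key]

if __name__ == "__main__":
    sample = pick_sample(build_inventory(), 25)
    for (image, role, exposure), hosts in sample.items():
        print(f"{image:18} {role:12} exposure={exposure}: {len(hosts)} hosts")
```

With a budget of 25, the run above tests all 6 DMZ web servers and all 4 printers but only 8 of the 120 workstations and 7 of the 20 servers, and a finding on any one workstation is reported against all 120.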
We’d Rather Tailor the Test Than Lose the Client
This is the part we want to be direct about: we would much rather design a smaller, more targeted engagement that a client can afford than send a proposal for a comprehensive test they can’t budget for this year. A client who does a focused, affordable test with us learns something real about their security posture. A client who gets a proposal they can’t act on learns nothing and stays exposed.
Our pricing is designed with small and mid-sized businesses in mind, which means we’ve already built flexibility into how we scope and price work. We’re not starting from an enterprise rate card and discounting from there. We structure engagements around what clients truly need, and we’re genuinely working to make meaningful security testing more accessible.
Sometimes that means a sampling approach for a large internal network. Sometimes it means prioritizing external-facing systems because they are most immediately exposed. Sometimes it means a phased approach where we tackle the highest-risk areas now and expand the scope in a future engagement once the budget allows. Sometimes it means a vulnerability scan rather than a full penetration test, if that’s the appropriate level of assessment for the client’s current security program.
We can only have that conversation if we know what we’re working with.
What We’re Not Doing with Your Budget
We want to be completely transparent about what happens when you share a budget number with us.
We’re not building a proposal that fills the budget. If a test that serves your needs costs less than what you mentioned, your proposal will reflect the lower number. We’re not adding services you don’t need to bring the price up to what you said you could spend. We’re not using the number to anchor a negotiation. The budget conversation is purely practical. It tells us the parameters within which we need to design something useful for you.
The way we think about it is that our business depends on clients coming back. The 80% average client retention rate we maintain isn’t the result of overselling people on their first engagement. It comes from doing work that helps them, at a price they feel was fair, and giving them a reason to call us again next year. A client who feels like they got squeezed on scope and pricing doesn’t come back. A client who got a test that genuinely fits their situation, at a price that made sense, calls us when they need the next one.
How the Scoping Conversation Works
If you reach out to MainNerve about a penetration test, here’s what that first conversation looks like. We’ll ask about your environment, such as which systems you have, what you’re trying to protect, whether there are specific compliance requirements driving the test, and what you’re most concerned about from a security standpoint. We’ll ask about your budget and use it to shape our recommendations, not to decide how much we can charge.
If your budget is tight, we’ll tell you what we can meaningfully accomplish within it and what that leaves uncovered. If your budget allows for something more comprehensive, we’ll explain what additional testing would look like and why it might be worth it. Either way, you’ll know exactly what you’re getting and why we scoped it the way we did.
If you’re not sure what to budget for a test, that’s also a conversation we’re glad to have. Understanding what drives penetration testing costs, such as the number and type of targets, the methodology required, and the complexity of the environment, helps you make a more informed decision about where to start, and we’re happy to walk through that without any obligation.
The goal of every engagement we scope is to make you genuinely more secure within your budget, not to maximize what we can bill. If that approach sounds like what you’re looking for in a security partner, we’d be glad to talk. Set up your free scoping call today.