The typical enterprise penetration test costs between $15,000 and $50,000 for a week-long engagement. It takes 4-6 weeks to schedule after you sign the contract. The testers spend a week probing your systems, write a report that takes another 2-3 weeks to deliver, and the final document lands on your desk somewhere between 6-10 weeks after you decided to do the test. By that point, you've deployed code to production three or four times. The systems they tested aren't the systems you're running today.
That's not a bug in how pentesting firms operate. It's a structural feature of the model. Skilled security researchers are expensive, their time is limited, and they can only be in one engagement at a time. The economics produce exactly the service described above: periodic, expensive, and retrospective. For companies large enough to run quarterly engagements with multiple firms, this is manageable. For everyone else - which is most companies - an annual pentest is what the budget permits, and it's doing a lot less than people think.
The Point-in-Time Problem
A pentest report is a snapshot. It describes the vulnerabilities that existed in your systems during a specific window of time, as found by a specific team with a specific methodology. Two weeks after the engagement ends, your developers have pushed new features, updated dependencies, changed configurations, and onboarded new services. The report is already partially obsolete.
This matters more now than it did ten years ago because deployment velocity has accelerated. Companies running continuous deployment pipelines ship multiple times per day. The attack surface from Monday to Friday can change substantially. A vulnerability introduced on Tuesday won't appear in the pentest report that was based on last November's codebase.
Compliance frameworks have absorbed this problem by accepting annual pentests as adequate evidence. SOC 2, PCI DSS, and ISO 27001 all include pentesting requirements that can be satisfied with annual engagements. This creates a perverse incentive: companies do the minimum required for compliance and rationalize it as equivalent to adequate security testing. It isn't. It's the minimum required to check a box.
Quality Variability Is Real
The pentest industry has a quality problem that nobody in the industry likes to discuss. The difference in depth and creativity between a skilled tester and a mediocre one is enormous, and that difference is largely invisible to buyers. You can't tell from a proposal whether the lead tester will spend hours understanding your application's business logic or run Burp Suite and call it a day.
Some of this is firm-level quality - tier-one firms with high rates and long wait lists genuinely produce better work than commodity shops. But even within good firms, tester quality varies. The senior who leads the scoping call isn't necessarily the junior who does most of the actual testing. The client relationship management skills that win the contract are different from the technical skills that find vulnerabilities.
The SMB market gets the worst of this. Companies that can only afford a $15,000 engagement aren't getting boutique security researchers. They're getting a team running through a checklist - OWASP Top 10 items, common misconfigurations, automated scanner output reviewed by a human. That's better than nothing, but it's nowhere near what a determined attacker would find if they spent a week focused on your systems.
What Automated Testing Actually Delivers
Automated penetration testing platforms - scanners sophisticated enough to chain vulnerabilities, understand application context, and find issues beyond the obvious - aren't new. But they've gotten substantially more capable in the last three years. The best modern platforms can find a large percentage of common vulnerability classes more reliably than a junior tester running through a checklist, and they can do it continuously rather than annually.
The economics are dramatically different. A continuous automated testing program running against your production APIs costs a fraction of an annual pentest engagement. You get coverage every time you deploy, not coverage once a year. Vulnerabilities are found in days, not after a multi-month cycle of scheduling, engagement, and report delivery.
The coverage comparison is more nuanced. Automated tools are excellent at finding known vulnerability classes: injection flaws, authentication issues, misconfigurations, known CVEs in dependencies. They're genuinely better than most human testers at systematic coverage of these categories - they don't miss endpoints, they don't skip test cases because they're tired, and they can test at a scale that no human team can match.
Where Human Pentesting Still Wins
Business logic vulnerabilities are the clearest case where human expertise remains essential. Finding an authorization flaw that lets you escalate from a regular user to an admin because you understand the application's intended user flows - that requires comprehension that current automated tools don't have. Understanding that the checkout flow can be manipulated to apply a discount code multiple times, or that the API endpoint that returns "you don't have access" is actually returning the data anyway in an error response - these insights come from humans who can reason about intended behavior.
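The two flaws sketched above (a discount code that stacks on repeated requests, and an access-denied response that still carries the data it refused to serve), as an added illustration that is not part of the original post: each vulnerable handler sits beside a hardened version that enforces the intended behavior. The coupon table and record store are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumption, not from the post): one coupon, one customer record.
DISCOUNTS = {"SAVE10": 10.0}
RECORDS = {"acct-1": {"owner": "alice", "balance": 120.0}}


@dataclass
class Order:
    subtotal: float
    applied_codes: list = field(default_factory=list)

    def total(self) -> float:
        return self.subtotal - sum(DISCOUNTS[c] for c in self.applied_codes)


def apply_discount_vulnerable(order: Order, code: str) -> float:
    """Flaw: every call appends the code again, so repeated requests stack the discount."""
    if code in DISCOUNTS:
        order.applied_codes.append(code)
    return order.total()


def apply_discount_fixed(order: Order, code: str) -> float:
    """Fix: validate the code, reject a second redemption, never let the total go negative."""
    if code not in DISCOUNTS:
        raise ValueError("unknown discount code")
    if order.applied_codes:
        raise ValueError("a discount has already been applied to this order")
    order.applied_codes.append(code)
    return max(order.total(), 0.0)


def get_record_leaky(user: str, record_id: str):
    """Flaw: the access-denied body still includes the record the caller was refused."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        return 403, {"error": "you don't have access", "record": record}
    return 200, record


def get_record_fixed(user: str, record_id: str):
    """Fix: one opaque answer for 'missing' and 'not yours'; the body carries no record data."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        return 404, {"error": "not found"}
    return 200, record
```

A scanner checking each endpoint in isolation sees a valid 403 and a valid discount response; only a test that replays the request or inspects the denied body against the intended flow catches either defect.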
Social engineering is entirely outside automation's scope. Phishing simulations exist, but genuine red team work that tests whether your employees will plug in a USB drive left in the parking lot, or whether your help desk will reset credentials for someone who sounds authoritative on the phone, requires human creativity and real-time adaptation.
The right model for most companies isn't choosing between manual and automated - it's doing both. Continuous automated testing provides broad coverage, fast feedback, and catches the majority of common vulnerabilities before they reach production. Annual or semi-annual manual engagements fill in the logic layer and test things that automation misses. That combination costs less than twice-annual manual pentests and provides dramatically better coverage.
The industry is slow to acknowledge this because manual pentesting is a $4 billion market and the firms doing it have strong incentives to maintain the status quo. But the companies that have already shifted to a hybrid model are finding more vulnerabilities, finding them faster, and spending less money in aggregate. That's a trend that's going to keep accelerating.