What a Penetration Test Actually Costs in Ireland in 2025.

What does a penetration test actually cost in Ireland? External network, web app, and internal tests explained with real pricing for Irish SMEs.

When a Galway professional services firm asked three separate vendors to quote for a penetration test earlier this year, the numbers they got back ranged from €1,800 to €14,000 — all for what appeared, on paper, to be the same scope. The firm's operations director was baffled. Were they being undercharged by one vendor and overcharged by another, or was something fundamentally different being offered? Without the context to compare like for like, they nearly walked away from the exercise altogether. That is a common problem. Penetration testing in Ireland is poorly understood, inconsistently quoted, and too often either skipped as too expensive or purchased cheaply in a way that produces little useful output.

This post explains what a penetration test actually is, what the main types cost in the Irish market, what you should expect to get for your money, and how to choose a vendor who will give you genuine security value rather than a thick PDF you will never act on.

WHAT

A penetration test — commonly called a pentest — is a structured attempt to find and exploit vulnerabilities in your systems before a real attacker does. It is carried out by security professionals who use the same techniques as attackers, but within agreed boundaries and with your knowledge. The goal is not to produce a list of theoretical weaknesses: it is to demonstrate actual exploitability, show you the potential impact, and give you a prioritised remediation plan.

There are several distinct types of penetration test, and each has a different price range in the Irish market.

An external network penetration test looks at what an attacker can do from the internet — probing your public-facing IP addresses, web services, email infrastructure, and VPN endpoints. For an Irish SME with a typical perimeter, you should expect to pay between €3,000 and €8,000 for a well-scoped external test. The lower end applies to smaller targets with limited IP ranges; the upper end reflects more complex environments or longer engagement windows that allow deeper exploitation of chained vulnerabilities.

An internal network penetration test simulates what happens when an attacker is already inside your network — perhaps through a phishing attack, a compromised remote access credential, or a rogue device. This type of test is more expensive because it takes more time and requires access to your internal environment, either on-site or via a persistent VPN connection. Expect to pay €4,000 to €10,000 depending on the size and complexity of your internal network.

A web application penetration test focuses on a specific web application — your customer portal, booking system, online store, or internal tool. This is the type of test most frequently purchased by Irish businesses and is often the most directly useful. A well-scoped web application test for a single application will typically cost between €2,500 and €6,000. That range widens if the application has a large attack surface (many endpoints, complex authentication flows, file upload functionality, multiple user roles) or if you need both authenticated and unauthenticated testing covered in depth. Authenticated testing is where most of the value sits: it is the only way to find authorisation flaws between users and roles, so provide at least two test accounts per role.

Does your business know which of its systems are actually exposed to the internet — and whether any of those have been tested in the last 12 months? Book a free 20-minute strategy call — we can help you scope the right type of test for your risk profile and budget.

WHAT NOW

Understanding what is included in the quoted price matters as much as the price itself. A credible penetration test engagement should include a scoping call before the test begins, written rules of engagement, active testing by a qualified consultant (not an automated scanner), a debrief meeting to walk through findings, and a written report that distinguishes between critical, high, medium, and low-risk findings with clear remediation steps.

What is often not included — and where you need to ask explicitly — is a retest. Many vendors charge separately to re-run testing after you have fixed the vulnerabilities identified in the initial engagement. For Irish SMEs who want to verify their fixes, budget an additional €500–€1,500 for a targeted retest, or negotiate it into the initial scope.

Automated scanning tools — the kind that run vulnerability scanners across your network and produce a report — are not a penetration test. They are a useful starting point, but they do not demonstrate exploitability, they cannot chain vulnerabilities together, and they miss logic-layer weaknesses entirely. Be cautious of any quote below €1,500 for what is described as a pentest: at that price point you are almost certainly getting an automated scan with a report wrapper.

The NCSC Ireland recommends that organisations regularly test the security of their systems through independent assessment.[^1] For businesses operating under NIS2 — which applies to a growing number of Irish firms across energy, transport, digital infrastructure, and managed ICT services sectors — Article 21 does not name penetration testing as such, but Article 21(2)(f) requires policies and procedures to assess the effectiveness of your cybersecurity risk-management measures, and independent testing is the standard way to evidence that the controls you have paid for actually work.

When choosing a vendor, look for certified testers. CREST accreditation of the firm (and CREST Registered or Certified Tester status for the individuals), OSCP-certified consultants, or CHECK Team Member or Team Leader qualifications are reasonable indicators of technical quality; CHECK is a UK NCSC scheme rather than an Irish one, but the qualification still says something about the individual's skill. Ask who will actually perform the testing, not just who will sign the report, and ask for a sample report before you commit. A good penetration test report is readable by a non-technical manager but detailed enough for your IT team to act on directly: each finding should state how it was reproduced, what it allows an attacker to do, and what specifically to change.

WHY IT MATTERS

The Garda National Cyber Crime Bureau has noted a consistent rise in opportunistic attacks against Irish businesses, particularly those with unpatched internet-facing services and weak credential policies.[^2] A penetration test is the most direct way to understand whether your business is one of those targets.

For professional services firms, solicitors, accountants, and financial advisors operating in Galway, Dublin, or Letterkenny, a pentest also carries weight with professional indemnity and cyber insurers. Many cyber insurance proposal forms now ask whether independent security testing has been carried out in the last 12 months. If the answer is no, you may face higher premiums, reduced coverage limits, or exclusions for incidents that a test would have been expected to catch.

The Data Protection Commission has the authority to investigate Irish businesses following a data breach, and demonstrating that reasonable technical measures were in place — including independent testing — forms part of any credible defence.[^3] GDPR Article 32(1)(d) specifically calls for a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures. A pentest report, acted on and remediated, with the retest showing the fixes held, is exactly the kind of documented evidence that demonstrates a proactive security posture.

If your business suffered a data breach tomorrow, could you demonstrate to the DPC that you had taken reasonable technical measures to test and secure your systems? Book a free 20-minute strategy call — a vCISO engagement can help you build that evidential trail systematically.

WHAT NEXT

First, decide which type of test you need. If you have web-facing applications handling customer data or payments, start there — a web application test is usually the highest-value first engagement for an Irish SME. If your primary concern is remote access, phishing, or insider risk, an internal network test will be more revealing.

Second, get at least two quotes and ask each vendor the same three questions: What will your testers' qualifications be? Will you provide a debrief call? Does the quote include a retest after remediation? The answers will tell you whether you are buying genuine security assurance or a compliance checkbox.

Third, treat the report as the beginning, not the end. The value of a penetration test is not the document — it is the remediation work that follows. Assign a responsible owner to each finding, set a deadline for critical and high-risk items (no longer than 30 days), and schedule a follow-up to verify fixes.

A penetration test is not a luxury for large enterprises. For an Irish SME handling client data, processing payments, or operating in a regulated sector, it is one of the most direct investments you can make in understanding your actual exposure — not your theoretical one.

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission — Ireland: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.