A penetration test (pen test) typically costs between €2,500 and €25,000 in Belgium, depending on the type of test, scope and complexity of your environment. Through the VLAIO KMO-portefeuille, as a small enterprise you recover up to 45% of the investment, and through a Cybersecurity Improvement Program even up to 50%. For example, for a €5,000 pen test, you effectively pay only €2,500 to €2,750.
You are considering a pen test for your company and want to know what it costs. A logical question, but the answer is nuanced: the price of a pen test depends on what exactly you are having tested, how complex your environment is and what certifications the testers bring. This article gives you transparent market ranges for the Belgian market, explains what factors determine the price and shows how Flemish subsidies reduce the investment by up to 50%.
What does a pen test cost in Belgium? Price overview by type
The price of a pen test is largely determined by the type of test. Below are the market ranges prevalent among professional Belgian cybersecurity firms in 2026. These are manual pen tests performed by certified ethical hackers, not automated scans.
| Type of pentest | Typical price range | Lead time |
|---|---|---|
| Infrastructure pentest (external) | €2,500 – €7,500 | 1 – 2 weeks |
| Infrastructure pentest (internal) | €4,500 – €15,000 | 1 – 3 weeks |
| Web application pentest | €3,500 – €25,000 | 1 – 3 weeks |
| Mobile app pentest | €3,000 – €20,000 | 2 – 3 weeks |
| API pentest | €3,000 – €15,000 | 1 – 2 weeks |
An external infrastructure pen test (testing your internet-facing systems) is usually the most affordable option, while a comprehensive web app pen test with complex user roles and API links is at the high end of the spectrum.
These ranges are indicative. The exact investment depends on your specific scope and complexity. A company with five external IP addresses obviously pays a different price than an organization with a complex SaaS environment with dozens of API endpoints.
6 factors that determine the price of a pen test
When comparing quotes, it is important to understand why prices vary. These six factors explain the difference.
1. Scope: how much are you testing?
The scope (the number of IP addresses, URLs, applications and user roles) is the primary cost factor. Testing two user roles for privilege escalation takes significantly less time than testing 20 roles with complex authorization rules. A detailed scope discussion up front prevents surprises on the invoice.
2. Complexity of the environment
A simple ten-page corporate website is fundamentally different from a SaaS platform with payment integrations, role-based access controls and links to external systems. The more business logic, the more testing.
3. Type of test: black box, grey box or white box
In a black box test, the ethical hacker works without inside information, like a real attacker. In a grey box test (the most common form in Belgium), the tester is given limited information, such as login credentials. This usually provides the best ratio of depth to investment. A white box test, where the tester also analyzes the source code, is the most thorough but increases the budget by €5,000 to €15,000.
4. Compliance requirements
Does the pen test report need to meet specific requirements for NIS2, ISO 27001 or PCI-DSS? If so, additional documentation, a specific report format or formal validation is often required. This requires additional time and increases the price.
5. Retest: included or separate?
After a pen test, you want to know if the vulnerabilities found have been effectively fixed. Some providers charge an additional €2,000 to €5,000 for a retest, while others include it in the total package. Always ask about this explicitly when comparing quotes.
6. Certifications of the team
A team with OSCP-certified testers (Offensive Security Certified Professional) offers more depth than a team that relies mostly on automated tools. Certified ethical hackers typically work at hourly rates between €125 and €200. This is more expensive, but the quality of the findings and the usability of the report are correspondingly higher.
Flemish subsidies that make your pen test up to 50% cheaper
What sets this article apart from any Dutch price comparison: in Flanders, the government helps pay for your pen test. There are two subsidy mechanisms you can combine.
SME portfolio (increased rate for cybersecurity)
Since Feb. 1, 2026, the SME Portfolio’s consulting grant has been reserved exclusively for cybersecurity. A pen test performed by a registered service provider, resulting in a written advisory report, is eligible. Small enterprises (fewer than 50 employees) receive a 45% subsidy, medium-sized enterprises (50 to 249 employees) 35%. The maximum grant amount is €7,500 per year.
VLAIO Cybersecurity Improvement Projects
For an integrated approach, VLAIO offers improvement trajectories in which the government bears 50% of the costs. These trajectories include a technical analysis, an action plan and guidance on implementation. Prices range from €7,100 (START package) to €39,900 (PLUS package).
Calculation example: what do you effectively pay?
An infrastructure pen test for a company with 75 employees costs €5,000.
- Via the SME portfolio (45% for small business): you pay €2,750
- Through an Improvement Program (50% subsidy): you pay €2,500
As an approved VLAIO service provider, Cyberplan will also guide you through the grant application process.
Learn more about the grant programs in our article on the VLAIO Cybersecurity Improvement Program.
Is a pen test worth the investment? The ROI calculation
A pen test costs €3,000 to €15,000. But what does it cost if you don’t do it?
According to the IBM Cost of a Data Breach Report 2025, the average cost of a data breach in the Benelux is about $5.9 million (about €5.4 million). For Flemish SMEs the amounts are obviously lower, but even a limited incident quickly entails €50,000 to €200,000 in direct costs: forensic investigation, remedial work, lost revenue due to downtime and possible fines.
Under NIS2, essential entities also risk administrative fines of up to €10 million or 2% of annual global turnover. The Belgian NIS2 law explicitly requires organizations to take “appropriate and proportionate technical and organizational measures,” including testing the effectiveness of those measures.
A pen test costs a fraction of what an incident costs. And after subsidies, that fraction gets even smaller. Those who want to estimate annual costs can consult our guide on pen test frequency.
What should you look for in pentest quotes?
Not every pen test is equivalent. A €1,500 quote for testing your entire network? Ask further questions. Chances are it’s an automated vulnerability scan sold as a pen test. The difference between a true pen test and a vulnerability scan is fundamental: a scan detects known vulnerabilities, while a pen test actually tries to exploit them and also detects logical flaws that no scanner finds.
Checklist for a solid pen testing quote:
- Scope clearly defined. What systems, applications and networks are being tested? How many IP addresses and URLs are within scope?
- Certifications of the testers listed. Ask for OSCP, CREST or equivalent certifications. This ensures that your test is performed by professionals, not a junior with a scanner tool.
- Retest included or priced separately. You want to know after remediation whether the vulnerabilities have been effectively closed.
- Reporting in understandable language. A technical report for your IT team is essential, but a management summary in plain language is just as important. As a business manager or director, you need to understand what the findings mean for your business.
Unsure how to select the right pentest company? Then read our guide on how to choose a pentest company in Belgium.
Frequently asked questions about pentest costs
What does a pen test cost in Belgium?
A professional pen test in Belgium typically costs between €2,500 and €25,000, depending on the type of test and the complexity of your environment. An external infrastructure pen test starts around €2,500, while an extensive web app pen test with complex business logic can go up to €25,000.
Can I get funding for a pen test?
Yes. Through the VLAIO SME portfolio, small enterprises receive 45% and medium-sized enterprises 35% subsidy on cybersecurity advice, including pen tests. Through a VLAIO Cybersecurity Improvement Program, even a 50% subsidy is possible.
Is an expensive pen test better than a cheap one?
Not automatically, but a remarkably low price is a warning sign. A €1,500 pen test for an entire corporate network is almost certainly an automated scan, not a manual test. Look at the team’s certifications, scope delineation and whether a retest is included.
How often should I have a pen test performed and what does it cost per year?
Most companies have a pen test performed at least annually, and more often after major changes to their IT environment. On an annual basis, this amounts to an investment of €3,000 to €15,000, of which you can recover 35% to 50% through subsidies.
Does my cyber insurance cover the cost of a pen test?
Most cyber insurance policies do not cover the cost of a pen test as a preventive measure. However, an increasing number of insurers do require a recent pen test report as a condition of coverage or for more favorable premiums. So a pen test can indirectly lower your insurance costs.
What is the difference in price between a black box and a white box pen test?
A black box pen test (with no prior knowledge) and a grey box pen test (with limited information) generally fall into the same price range. A white box pen test, which also analyzes the source code, costs €5,000 to €15,000 more because of the additional analysis time.
Want to know what a pen test will cost for your specific situation? Our OSCP-certified pen testers are happy to discuss your scope and provide a transparent quote. Schedule a no-obligation consultation.