
How pentest man-days are actually calculated

Most pentest quotes are a black box. Here is what a defensible MD calculation actually looks like — surface units, role multipliers, gating and overhead.

Every offensive security team is asked the same question: "How many man-days will this cost?" The answer is too often pulled from gut feel, anchored by a previous quote, or worse — reverse-engineered from a target budget. None of those produce a number you can defend in a procurement meeting.

What a man-day actually represents

A man-day (MD) is 8 hours of focused testing capacity by one qualified pentester. It is not project management, not reporting overhead, not retesting. Those are separate budget lines. Conflating them is the first place estimates drift.

The four inputs that decide the number

  • Surface units — pages, modules, endpoints, hosts, BSSIDs. The unit must match the asset type. Counting "pages" for an API is meaningless.
  • Roles & data segregation — each authenticated role adds a multiplier because authorisation matrices must be re-walked.
  • Knowledge mode — black-box, grey-box or white-box. This is a gate, not a slider. Black-box without credentials caps the achievable depth at the perimeter.
  • Compliance & reporting overhead — PCI, DORA, NIS2, executive read-outs. Fixed per-engagement adders, not per-scope.

Why ranges, not single numbers

A serious estimate always returns a range (P50 / P90). A single number hides the variance that comes from finding density, environment stability and re-test loops. If a vendor gives you "exactly 9 MDs" for a complex web app, they are either rounding or guessing.

Where most quotes go wrong

  1. Overhead is bundled into scope MDs, so the real testing budget is smaller than it appears.
  2. Roles are ignored — a 5-role B2B SaaS is quoted the same as a single-role marketing site.
  3. Black-box is treated as "cheap grey-box" — but without credentials you cannot reach 70 % of the application.
  4. Overlap between scopes is not deducted — two scopes sharing the same IdP should not pay for the same recon twice.

What a defensible calculation looks like

Deterministic. Reproducible. Explainable line-by-line. The same inputs must always produce the same MDs. PentestPlanner's engine is built on exactly that principle — every MD is traceable to a baseline, a multiplier or a documented overhead rule. You can open the methodology and see the math.
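As an added illustration of that structure (example code written for this page, not PentestPlanner's engine or anyone's published methodology), here is a small Python calculator in which every rate, the per-role step, the knowledge-mode depth factors and the P90 factor are assumptions constructed for the example; what it shows is the shape of a traceable estimate: each MD on its own line, overlap charged once per recon group, fixed overhead kept outside the scope figure, and a range rather than a point.

```python
from dataclasses import dataclass

# All rates below are constructed for illustration, not any vendor's actual baselines.
BASELINE_MD_PER_UNIT = {"page": 0.25, "endpoint": 0.2, "host": 0.5, "bssid": 1.0}
ROLE_STEP = 0.3                     # each extra role re-walks the authorisation matrix
KNOWLEDGE_DEPTH = {"black-box": 0.6, "grey-box": 1.0, "white-box": 1.25}  # gate on reachable depth
OVERHEAD_MD = {"reporting": 1.0, "pci": 1.5, "dora": 1.0, "nis2": 1.0, "exec-readout": 0.5}
RECON_MD = 1.0                      # charged once per recon group (e.g. scopes sharing one IdP)
P90_FACTOR = 1.35                   # variance from finding density / environment stability

@dataclass(frozen=True)
class Scope:
    name: str
    unit: str               # must match the asset type: page, endpoint, host, bssid
    count: int
    roles: int = 1
    mode: str = "grey-box"
    recon_group: str = ""   # scopes with the same group share recon and pay for it once

def estimate(scopes, overheads):
    lines, testing_md, recon_groups = [], 0.0, set()
    for s in scopes:
        base = BASELINE_MD_PER_UNIT[s.unit] * s.count
        role_mult = 1 + ROLE_STEP * (s.roles - 1)
        depth = KNOWLEDGE_DEPTH[s.mode]
        md = base * role_mult * depth
        lines.append((f"{s.name}: {s.count} {s.unit} x {BASELINE_MD_PER_UNIT[s.unit]} "
                      f"x roles {role_mult:.2f} x {s.mode} {depth}", round(md, 2)))
        testing_md += md
        recon_groups.add(s.recon_group or s.name)
    recon_md = RECON_MD * len(recon_groups)   # overlap deducted: one recon per group
    lines.append((f"recon: {len(recon_groups)} group(s) x {RECON_MD}", recon_md))
    overhead_md = sum(OVERHEAD_MD[o] for o in overheads)   # fixed per-engagement adders
    lines.append((f"overhead: {', '.join(overheads) or 'none'}", overhead_md))
    p50 = testing_md + recon_md + overhead_md
    p90 = (testing_md + recon_md) * P90_FACTOR + overhead_md  # fixed adders do not scale
    return {"lines": lines, "testing_md": testing_md, "p50": round(p50, 1), "p90": round(p90, 1)}

# Constructed engagement: two scopes behind one IdP plus a black-box external range.
SAMPLE_SCOPES = [
    Scope("customer portal", "page", 40, roles=5, recon_group="corp-idp"),
    Scope("partner api", "endpoint", 30, roles=2, recon_group="corp-idp"),
    Scope("external hosts", "host", 10, mode="black-box", recon_group="external"),
]
SAMPLE_OVERHEADS = ["reporting", "pci", "exec-readout"]

if __name__ == "__main__":
    r = estimate(SAMPLE_SCOPES, SAMPLE_OVERHEADS)
    print(*[f"{md:6.2f} MD  {l}" for l, md in r["lines"]], f"P50 {r['p50']} / P90 {r['p90']} MD", sep="\n")
```

Changing any single input (one more role, black-box instead of grey-box, a scope moved into an existing recon group) changes exactly the lines that rule touches, which is the property a procurement reviewer can check.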

If your supplier cannot show you the math, you are not buying a pentest — you are buying confidence theatre.
