
Pentest scoping — a technical deep dive into what really drives the number

Why does an API quote 2 MDs and a web app 9? What pushes a number from 3 to 12? A technical walk through every scoping driver.

Scoping is not estimation by feel. It is a chain of deterministic decisions, each of which moves the MD count in a predictable direction. Below is how each input drives the result in the PentestPlanner engine — and why ignoring any of them produces a wrong number.

1. Asset class picks the sizing unit

The single biggest mistake in scoping is using the wrong unit. The asset class dictates the unit:

  • Web application → pages, modules or API endpoints (pick one, do not mix).
  • API-only → endpoints, grouped by resource.
  • Mobile → screens + native modules + backing API endpoints.
  • External infra → live IPs / hostnames after discovery.
  • Internal infra → /24 equivalents, AD users, AD computers.
  • Cloud → accounts, subscriptions, resource groups.
  • Wireless → BSSIDs + SSIDs + sites.

A "10-page" web app with 80 API endpoints is not a 10-page job. It is an 80-endpoint job with a UI on top.

2. Knowledge mode is a gate, not a slider

Black-, grey- and white-box are not three points on a price scale — they unlock different testing surfaces:

  • Black-box, no credentials — perimeter only. Authentication, registration, password reset, public APIs. Typically 0.5–5 MDs for a web app.
  • Grey-box with credentials — authenticated app surface unlocks. Sizing baseline applies fully.
  • White-box with source — same as grey, plus targeted review on hot paths. Adds 20–40 % depending on language and code volume.

You cannot promise depth in black-box that the gate physically does not allow. A vendor quoting 12 MDs of pure black-box on a 5-page marketing site is selling you fiction.

3. Roles multiply, they do not add

Each authenticated role re-walks the same surface from a different privilege angle. PentestPlanner uses tiered multipliers (e.g. 1.00 / 1.30 / 1.55 / 1.75 for 1 / 2 / 3 / 4+ roles) instead of a linear add, because the marginal cost of role N decreases as you reuse the same authorisation matrix.

Single-role apps are cheap. Multi-tenant B2B SaaS with tenant-admin, tenant-user, support and platform-admin is not.

4. Gating flags swing the number more than people expect

  • Auth-break required in black-box — adds a fixed block for credential discovery / bypass effort.
  • WAF / rate-limiting in scope — adds evasion effort.
  • Out-of-band channels (email, SMS, push) — adds infra setup MDs.
  • Compliance flag (PCI, DORA, NIS2) — adds reporting overhead, not testing depth.

5. Overlap deduction across scopes

Two web apps behind the same IdP share recon, authentication testing and reporting boilerplate. A serious engine deducts the overlap once, instead of charging it per scope. PentestPlanner subtracts shared overhead (PM, workshop, shared reporting) at the engagement level and lets you see the math in the reconciliation panel.

6. Overhead is per-engagement, not per-scope

Project management, kick-off workshop and final read-out are engagement-level constants. Charging them three times because the engagement has three scopes is the most common silent inflation in the industry.

Putting it together

For a 30-page B2B SaaS web app, grey-box, 3 roles, with PCI reporting:

  1. Baseline from pages → e.g. 5.0 MDs
  2. Role multiplier (3 roles, ~1.55×) → 7.75 MDs
  3. Compliance reporting adder → +1.0 MD
  4. Engagement overhead (PM + workshop + read-out) → +1.5 MD
  5. Total → ~10.25 MDs, with a P50–P90 range of roughly 9–12.
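
The chain above as a small Python model, added here as an illustration rather than PentestPlanner's own code: the role multipliers, the compliance adder and the engagement overhead are the post's figures, while MD_PER_PAGE, the other flag adders, the white-box uplift and the shared-IdP overlap credit are assumed placeholders.

```python
from dataclasses import dataclass

# From the post: tiered role multipliers for 1 / 2 / 3 / 4+ roles (section 3).
ROLE_MULTIPLIERS = {1: 1.00, 2: 1.30, 3: 1.55, 4: 1.75}
# Assumed constants (hypothetical, not PentestPlanner's): MD_PER_PAGE is chosen so
# that 30 pages reproduce the post's 5.0 MD baseline; the compliance adder and the
# engagement overhead are the post's worked figures; the rest are placeholders.
MD_PER_PAGE = 5.0 / 30
WHITEBOX_UPLIFT = 0.30                      # post: +20-40 % for source review
FLAG_ADDERS = {"compliance": 1.0, "auth_break": 1.0, "waf": 1.0, "oob": 0.5}
ENGAGEMENT_OVERHEAD = 1.5                   # PM + workshop + read-out, charged once
SHARED_IDP_DEDUCTION = 0.5                  # overlap credit per additional scope

@dataclass
class Scope:
    pages: int
    roles: int = 1
    mode: str = "grey"                      # "black" | "grey" | "white"
    flags: frozenset = frozenset()

def role_multiplier(roles: int) -> float:
    """Tiered, not linear: each extra role costs less than the previous one."""
    return ROLE_MULTIPLIERS[min(max(roles, 1), 4)]

def scope_breakdown(scope: Scope) -> dict:
    """Itemised MDs for one scope, so every line can be challenged."""
    baseline = round(scope.pages * MD_PER_PAGE, 2)
    # Knowledge mode is a gate: black-box never unlocks authenticated roles.
    effective_roles = 1 if scope.mode == "black" else scope.roles
    lines = {"baseline": baseline,
             "role_uplift": round(baseline * (role_multiplier(effective_roles) - 1), 2)}
    if scope.mode == "white":
        lines["source_review"] = round(sum(lines.values()) * WHITEBOX_UPLIFT, 2)
    for flag in sorted(scope.flags):
        lines[f"flag:{flag}"] = FLAG_ADDERS[flag]
    lines["scope_total"] = round(sum(lines.values()), 2)
    return lines

def engagement_breakdown(scopes: list, shared_idp: bool = False) -> dict:
    """Overhead once per engagement (section 6); shared-IdP overlap deducted once (section 5)."""
    lines = {f"scope_{i}": scope_breakdown(s)["scope_total"] for i, s in enumerate(scopes, 1)}
    if shared_idp and len(scopes) > 1:
        lines["overlap_deduction"] = -SHARED_IDP_DEDUCTION * (len(scopes) - 1)
    lines["engagement_overhead"] = ENGAGEMENT_OVERHEAD
    lines["total"] = round(sum(lines.values()), 2)   # post's worked case -> 10.25
    return lines
```

Running the post's worked case (`Scope(pages=30, roles=3, mode="grey", flags=frozenset({"compliance"}))`) through `engagement_breakdown` yields the itemised 5.0 / 2.75 / 1.0 / 1.5 lines and the 10.25 MD total; a second scope behind the same IdP adds its own scope total but neither a second overhead block nor a second recon charge.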

Every line is traceable. Every line is challengeable. That is what makes the number defensible — not the number itself, but the fact that you can walk every step of how it was produced.

The full methodology snapshot lives on the methodology page and is versioned. The next time a vendor quotes you, run the same scope through PentestPlanner and ask why the numbers differ. The answer is the conversation worth having.
