Penetration Testing Pricing in Thailand: What Drives Cost and What to Budget (2026)
If you're budgeting for a penetration test in Thailand, you've probably noticed that most providers won't publish their prices. That makes it difficult to plan, compare, and justify the spend internally.
This guide gives you a transparent, practitioner-level overview of what penetration testing actually costs in Thailand, what drives the price, and how to ensure you're paying for real security, not just a scan report with a cover page.
Why Pentest Pricing Is Hard to Pin Down
Penetration testing is not a commodity. Two engagements scoped as "web application pentest" can differ by 5x in price depending on:
- Application complexity: a static brochure site vs. a multi-tenant SaaS platform with 200+ API endpoints
- Authentication depth: unauthenticated scanning vs. testing multiple roles (admin, user, manager) with business logic abuse
- Compliance requirements: a general assessment vs. one that must satisfy BOT, PCI DSS, or SEC Thailand reporting standards
- Retesting and remediation support: some vendors include a verification retest, while others charge separately
The honest answer is: a penetration test in Thailand typically ranges from ฿150,000 to ฿2,000,000+, depending on scope, depth, and compliance needs. Here is how that breaks down.
Penetration Testing Price Ranges by Service Type
The following ranges reflect the Thai market in 2026 for professional, manual-led penetration testing (not automated scanning).
Note: All prices shown are estimated starting ranges and will vary based on actual scope, application complexity, number of systems or endpoints, compliance requirements, and timeline. Contact us for a detailed scoping discussion and custom quote.
Web Application Penetration Testing
| Scope | Typical Range (THB) | Duration |
|---|---|---|
| Small app (< 20 pages, limited auth) | ฿150,000 - ฿300,000 | 5-8 days |
| Medium app (20-50 endpoints, 2-3 roles) | ฿300,000 - ฿600,000 | 8-15 days |
| Large app (50+ endpoints, complex logic, APIs) | ฿600,000 - ฿1,200,000 | 15-25 days |
What should be included: OWASP Top 10 coverage, business logic testing, authentication/authorization abuse, API endpoint testing, and a detailed remediation report with actionable findings, not just tool output.
Mobile Application Penetration Testing
| Scope | Typical Range (THB) | Duration |
|---|---|---|
| Single platform (iOS or Android) | ฿200,000 - ฿400,000 | 8-12 days |
| Both platforms (iOS + Android) | ฿350,000 - ฿700,000 | 12-20 days |
| Banking/fintech (with API backend + compliance) | ฿500,000 - ฿1,200,000 | 15-25 days |
Key cost driver: Mobile banking apps subject to BOT Notification 4/2568 require deeper testing covering biometrics, session management, certificate pinning, and anti-fraud controls, which adds significant scope.
Network Penetration Testing
| Scope | Typical Range (THB) | Duration |
|---|---|---|
| External only (IP ranges, public services) | ฿150,000 - ฿300,000 | 5-8 days |
| Internal only (on-site or VPN, AD assessment) | ฿250,000 - ฿500,000 | 8-15 days |
| Combined external + internal | ฿350,000 - ฿700,000 | 12-20 days |
What matters: Internal network tests should include Active Directory attack path analysis, Kerberoasting, NTLM relay, and lateral movement simulation, not just a Nessus scan with pretty graphs.
Cloud Penetration Testing
| Scope | Typical Range (THB) | Duration |
|---|---|---|
| Single cloud (AWS, Azure, or GCP) | ฿250,000 - ฿500,000 | 8-12 days |
| Multi-cloud or hybrid environment | ฿500,000 - ฿1,000,000 | 15-25 days |
Key cost driver: Cloud tests must cover IAM misconfigurations, storage exposure (S3 buckets, blob containers), container/Kubernetes escape paths, and serverless function abuse. This requires cloud-specific expertise beyond traditional network testing.
Smart Contract Audit
| Scope | Typical Range (THB) | Duration |
|---|---|---|
| Single contract (< 500 SLOC) | ฿200,000 - ฿400,000 | 5-10 days |
| Protocol audit (multiple contracts, DeFi) | ฿500,000 - ฿1,500,000 | 15-30 days |
| Full platform (exchange + contracts + API) | ฿1,000,000 - ฿3,000,000 | 30-60 days |
SEC Thailand note: Digital asset operators regulated by the Securities and Exchange Commission (กลต.) must undergo security assessments including smart contract audits as part of their licensing requirements.
Red Teaming / Adversary Simulation
| Scope | Typical Range (THB) | Duration |
|---|---|---|
| Targeted (specific objectives, limited scope) | ฿500,000 - ฿1,000,000 | 2-4 weeks |
| Full-scope (people + process + technology) | ฿1,000,000 - ฿3,000,000 | 4-8 weeks |
| BOT iPentest (intelligence-led, D-SIB banks) | ฿1,500,000 - ฿5,000,000+ | 6-12 weeks |
What makes iPentest different: BOT's intelligence-led penetration testing (iPentest) framework requires threat intelligence gathering, Red Team vs. Blue Team exercises, and board-level reporting. This is fundamentally different from a standard pentest. The cost reflects that complexity.
What Drives Cost Up (and Down)
Factors That Increase Cost
- Compliance-specific reporting: BOT, PCI DSS, and ISO 27001 each require specific evidence formats, control mappings, and remediation verification procedures.
- Number of roles/environments: Testing 5 user roles across staging and production is 3x the work of testing one role in staging.
- Source code access (gray-box/white-box): While this improves test quality, reviewing code alongside runtime testing requires additional expertise.
- On-site requirements: Internal network tests or air-gapped environments require physical presence, which adds logistics costs.
- Urgent timelines: Regulatory deadlines or upcoming go-lives often compress testing schedules, requiring larger teams.
Factors That Reduce Cost
- Well-defined scope: Clear asset inventories and API documentation reduce discovery time.
- Annual retainer agreements: Multi-engagement contracts (quarterly VA + annual pentest) typically offer 10-20% savings.
- Staged approach: Start with a vulnerability assessment to identify and fix obvious issues, then invest in deeper penetration testing.
- Retest bundled with initial engagement: Including one round of verification retesting in the original scope is more efficient than scoping it separately.
How to Evaluate a Pentest Proposal
Not all proposals are equal. These are the things worth checking closely.
Red Flags
- Price below ฿100,000 for anything beyond a simple scan. You're likely getting automated tool output, not manual testing.
- Fixed duration regardless of scope. "5 days for any web app" means they're not actually scoping the work.
- No methodology mentioned. If the proposal doesn't reference OWASP, PTES, or OSSTMM, they may not follow a structured approach.
- "Unlimited retesting." This sounds good but usually means the initial test wasn't thorough enough to find everything the first time.
Green Flags
- Clear scope definition: specific endpoints, roles, environments, and exclusions documented.
- Named methodology: PTES, OWASP WSTG/MASTG, or equivalent with specific testing phases described.
- Remediation support: real developer consultation and fix guidance after the test, beyond handing over a report.
- Compliance mapping: if you need BOT/PDPA/PCI compliance, the deliverables should explicitly map findings to regulatory requirements.
- Tester credentials: certifications like OSCP, OSCE, OSWE, eMAPT, or CREST demonstrate hands-on capability (not just theory).
Compliance-Driven Testing: What to Budget
Many organizations in Thailand require penetration testing not by choice but by regulation. Here is what each framework typically requires:
| Regulation | Testing Requirement | Typical Budget Impact |
|---|---|---|
| BOT (ธปท.) | Annual pentest + iPentest for D-SIBs | ฿500K - ฿5M+ depending on institution size |
| PDPA (Section 37) | "Appropriate security measures"; pentest is the standard of proof | ฿150K - ฿600K for data-processing systems |
| SEC Thailand (กลต.) | Pre-licensing security assessment + smart contract audit | ฿500K - ฿3M for digital asset operators |
| OIC (คปภ.) | IT risk management including security testing | ฿300K - ฿1M for insurance companies |
| PCI DSS (Req. 11.4) | Annual pentest + quarterly ASV scans | ฿300K - ฿800K for cardholder environments |
| ISO 27001 (A.8.8) | Technical vulnerability management assessment | ฿150K - ฿500K per assessment cycle |
How to Get the Best Value
- Don't buy the cheapest test. A ฿100K scan that misses critical vulnerabilities costs more than the ฿400K test that finds them before an attacker does. The average data breach costs $4.88M globally (IBM 2024).
- Invest in remediation, not just reporting. A report that sits in a drawer provides zero security value. Ensure your provider offers developer consultation and verification retesting.
- Bundle and plan ahead. Annual security programs that combine vulnerability assessments, penetration testing, and compliance reviews are more cost-effective than ad-hoc engagements.
- Match depth to risk. Not every system needs a full Red Team exercise. Use vulnerability assessments for lower-risk assets and save deep pentesting for critical systems that handle sensitive data or financial transactions.
- Ask about the team, not just the company. The quality of a pentest depends entirely on the people doing the work. Ask who will be testing, what their certifications and experience are, and whether they'll be available for remediation questions.
Summary: Quick Reference Pricing Table
| Service | Budget Range (THB) | Best For |
|---|---|---|
| Web App Pentest | ฿150K - ฿1.2M | SaaS, e-commerce, banking portals |
| Mobile App Pentest | ฿200K - ฿1.2M | Banking apps, fintech, consumer apps |
| Network Pentest | ฿150K - ฿700K | Corporate infrastructure, data centers |
| Cloud Pentest | ฿250K - ฿1M | AWS/Azure/GCP environments |
| Smart Contract Audit | ฿200K - ฿3M | DeFi protocols, digital asset platforms |
| Red Team / iPentest | ฿500K - ฿5M+ | Banks, critical infrastructure |
| Vulnerability Assessment | ฿80K - ฿250K | Baseline security, annual compliance |
This guide reflects market pricing observed in Thailand as of 2026. Actual pricing varies based on scope, complexity, and provider. For a specific quote tailored to your environment and compliance requirements, contact Reconix for a scoping discussion.
Regulatory and Industry References
- BOT IT Risk Supervision Guidelines (FPG 21/2562)
- BOT Notification 4/2568 - Mobile Banking Security (PDF)
- Personal Data Protection Act B.E. 2562 (PDPA)
- Emergency Decree on Digital Asset Businesses B.E. 2561
- OIC IT Risk Management Notification B.E. 2563
- PCI DSS v4.0.1 Document Library
- ISO/IEC 27001:2022
- IBM Cost of a Data Breach Report 2024
- OWASP Web Security Testing Guide (WSTG)
- Penetration Testing Execution Standard (PTES)