PRICING //

Transparent pricing

Fixed prices, no hidden fees, no scope creep. Start free with a Ghost Scan, book the $2,499 fixed-price penetration test, or run Wyrm free on your own machine. Every number on this page is the same one you'll see on the product pages.

COST 01

What a penetration test costs

The honest answer to the penetration testing cost question is that the market is wide: an equivalent web-and-API engagement from a traditional firm usually lands somewhere between $5,000 and $35,000 once scoping, hours, and change orders are added up. That range is why penetration testing pricing is so hard to compare — you rarely know the number until the invoice arrives.

We price the penetration test at a flat $2,499 for the whole engagement: no hourly billing, no scope creep, one number quoted and held. Expedited 72-hour delivery is $1,000 extra, and the security retainer is $2,999/month for teams that ship continuously.


Transparent Pricing. Real Results.

Security services with clear pricing — no hidden fees, no scope creep.

Every pentest includes fix-it guidance + a free re-test

Security Scan

01

Automated check for common attack patterns

$499
one-time fee

Best for: small businesses launching a site or app

  • Automated scan against 75+ known weakness patterns
  • Covers the OWASP Top 10 (the 10 most common web security gaps)
  • Executive-ready PDF report — readable without a security background
  • Delivered in 48 hours

Penetration Test (most popular)

02

Hands-on attempt to break into your system

$2,499
per project

Best for: startups before a launch or fundraise

  • Everything in Security Scan
  • Manual testing — a real engineer tries to break in
  • Business logic testing (e.g. can someone bypass payment?)
  • Fix-it-yourself guidance + a re-test after you patch

Security Retainer

03

Ongoing protection for your team

$2,999
per month

Best for: growing companies with regular code changes

  • Penetration test every quarter
  • We watch your systems 24/7 and alert when things look off
  • Priority help when something breaks (incident response)
  • Dedicated security engineer assigned to your account
  • Monthly summary report
  • 24/7 emergency hotline

Custom / Enterprise

04

Scoped to your specific needs

Custom
tailored quote

Best for: regulated industries, mergers, or large platforms

  • Audits across multiple connected systems
  • Help you prepare for SOC 2 / ISO 27001 (the security certifications enterprise buyers ask for)
  • Dedicated engineering team for the project duration
  • Uptime guarantees with contractual SLAs

Flexible billing, PO-ready. Encrypted transactions, global delivery.
QUESTIONS 03

Pricing questions

Straight answers on what costs what, what's free, and what's included.

How much does a penetration test cost?

Ghost Protocol's penetration test is a fixed $2,499 — the whole web-and-API VAPT engagement, not an hourly estimate. For comparison, an equivalent engagement from a traditional firm typically runs $5,000 to $35,000 once scoping, hours, and change orders are counted. We quote one number and hold it: no hourly billing, no scope creep. Expedited 72-hour delivery is $1,000 extra, and the ongoing security retainer is $2,999/month.

What does the $2,499 penetration test include?

A fixed-price engagement where a real engineer plus 75 AI-powered scanners try to break into your web app or API. You get an executive-readable PDF report, developer JSON + SARIF, reproducible proof-of-concept for each high-severity finding, a free re-test after you patch, a 30-day Q&A inbox, and a signed attestation letter for auditors. Delivery is 5–7 days. No hourly billing and no scope creep.

What's free?

The Ghost Scan at ghosts.lk/scan is free forever — no signup, no credit card. It's an automated surface-level check of publicly visible configuration; results are generated in real time and are not stored on our servers. Wyrm is also free to use locally with no limits, and a free 15-minute consult is available before any paid engagement.

How is the Ghost Scan different from the penetration test?

The free Ghost Scan is an automated check of publicly visible configuration. The $2,499 penetration test is a manual deep-dive: a real engineer actively tries to exploit your application logic, authentication, and infrastructure, then hands you a report an auditor will accept. The free scan tells you if anything obvious is exposed; the pentest tells you whether someone can actually break in.

Do you offer retainers?

Yes. The security retainer is $2,999/month and includes a penetration test every quarter, 24/7 monitoring with alerting, priority incident response, a dedicated security engineer assigned to your account, a monthly summary report, and a 24/7 emergency hotline. It is effectively continuous penetration testing for growing companies that ship code regularly — a fresh quarterly engagement instead of a single point-in-time test.

Can I expedite the pentest, and what does it cost?

Yes. Standard delivery is 5–7 calendar days. Expedited 72-hour delivery is available for an extra $1,000. Most engagements don't need it — SOC 2 auditors are comfortable with the standard 5–7 day turnaround.

How does Wyrm licensing work?

Wyrm is free to use locally with no limits — install it via npm and add it to your MCP config in under 60 seconds. The code is dual-licensed AGPL-3.0-or-later (commercial terms available), and the Wyrm Memory Protocol is published as an open spec. Paid plans add cloud and team features: Pro is $29/month (cloud sync, AES-256 encryption), Team is $199/month (shared memory, up to 25 seats), and Enterprise is $499/month (SSO/SAML, custom SLA, on-premise option).

How much does DragonScale cost?

DragonScale is a self-hosted commerce platform with no monthly fees and no per-order commissions — you own your data and infrastructure. It's deployed in Starter, Business, and Enterprise tiers scoped to your needs, so pricing depends on locations, customization, and support level. Contact us for a tailored quote.

Why is the pentest cheaper than the big firms?

We're a small senior team based in Sri Lanka, so engineering overhead runs roughly a fifth of US Bay Area rates and we pass that on. The work follows OWASP / NIST methodology and the report is built to be accepted by auditors and enterprise customers; only the overhead is lower, not the caliber.

Will the report be accepted by my auditor or enterprise customer?

Yes. Every report follows OWASP / NIST methodology and includes a scope statement, severity-ranked findings, an executive summary, remediation guidance, and a signed-and-dated attestation letter. The Pentest tier covers the technical-testing requirement for SOC 2, ISO 27001, and PCI-DSS. Anonymized sample reports are available under NDA before you commit.

Start free. Pay a fixed price when you're ready.

Run a free Ghost Scan in seconds, or book the fixed-price penetration test — one price, five to seven days, a report you can hand to an auditor.