Cybersecurity audit pricing in 2026 · what €5k, €18k and €60k actually cover
Most security audit quotes are unread cookie-cutter PDFs. Here's the pricing reality, what each tier ships, and the four things separating engineering from theatre.
Cybersecurity audit pricing in 2026 is the most opaque tier in European studio quotes · the same 30-page "penetration test report" gets billed at €1 200 by one firm and €38 000 by another. The gap is mostly about scope, evidence, and whether the engagement ships fix-PRs or just a PDF you put in a drawer. Below: the real tiers, what's included at each, and the four signals that separate engineering from theatre.
Why "a security audit" doesn't pin down the price
"Security audit" can mean five different things, each with a different rate band:
Vulnerability scan · automated tool (Burp / Acunetix / OWASP ZAP) running for 4-8 hours, output filed as a PDF. €500-2k. Useful as a baseline, not as an audit.
Penetration test · manual + automated, scoped to a specific surface (web app, mobile app, AI system). €5-12k for 1-2 weeks of senior auditor time.
Full security audit · pentest + threat-model + supply-chain review + identity & access review across the whole stack. €18-35k for 3-5 weeks.
Compliance readiness · audit + documentation pack + tabletop + training, mapped to NIS2 / SOC2 / ISO 27001 / GDPR controls. €40-80k for 6-10 weeks.
When a studio quotes you a number without naming which of those five they're selling, the quote is meaningless · ask before signing.
Tier 1 · Focused pentest · €5-12k
1-2 weeks, scoped to a single surface. The most common entry-tier audit · used by SaaS teams that want a sanity check before a Series A, by AI teams shipping a customer-facing chatbot, by indie founders who hit a procurement security questionnaire from a larger customer.
What's included at €5-9k
Manual pentest of the target surface · OWASP Top 10 + business-logic + auth / authz flows + session management.
AI-specific vectors if the target is an AI system · prompt injection (direct, indirect, RAG-poisoning), tool-abuse, exfiltration via rendered output.
Burp Suite Pro + custom tooling · senior tester drives, not a junior with default scripts.
Findings ranked by CVSS severity, with reproduction steps for every finding.
Fix-PR proposals opened against your repo · the auditor writes the patches.
30-day post-audit re-test verifying the fixes held under regression testing.
What's a red flag below €5k
A pentest priced under €5k usually means an automated Burp / Acunetix run with the output formatted as a PDF · no manual review, no business-logic analysis, no fix-PRs. "Automated pentest" is a contradiction in terms · Burp / Acunetix find ~30% of the issues a senior auditor finds, and almost none of the business-logic / auth-flow ones that actually matter.
Ask for the lead auditor's CV + a sanitised sample report from a previous engagement. If the lead auditor holds OSCP / OSWE / CRTO certifications and the sample report shows reproducible exploit steps, the engagement is real.
Tier 2 · Full SaaS audit · €18-35k
3-5 weeks across the full stack. What B2B SaaS teams over €5M ARR commission before a Series B, what mid-market platforms run annually, what enterprise customers ask for before signing.
What's included at €18-30k
Frontend pentest · client-side XSS, prototype pollution, CSP / CORS misconfiguration, supply-chain via npm dependencies.
Threat-model document covering the full attack surface (data flows, trust boundaries, abuse cases).
Fix-PRs against your repo + 30-day re-test verifying fixes.
Tier 3 · Compliance readiness · €40-80k
6-10 weeks. Tier 2 plus the compliance pack: NIS2 readiness for any "important" / "essential" entity, SOC2 / ISO 27001 alignment for procurement, GDPR DPA + processing-inventory + DPIA documentation. The endpoint is an audit-ready evidence folder a regulator or enterprise procurement team can read in one sitting.
NIS2 90-day playbook delivered in full · incident-response runbook, supply-chain risk register, MFA + JIT access overhaul, patch SLA wired to automated dependency updates.
SOC2 / ISO 27001 alignment notes (gap analysis · this is alignment, not external certification).
GDPR documentation pack · DPA template, processing inventory, DPIA for any AI / high-risk system in scope.
Tabletop exercise on a realistic incident · the auditor runs it with the on-call engineer, times every phase, and writes up the bottlenecks found.
Two-hour team training session · runbook walkthrough, access policy walkthrough, signed acknowledgements.
Pinned evidence folder organised for audit/inspection · vendor attestations, runbook, training log, tabletop after-action.
What pushes a quote above €80k
Multi-product SaaS (3+ distinct apps under the same compliance scope) · each app multiplies the audit surface ~30%.
Regulated sector (fintech, medical, legal) requiring sector-specific frameworks (DORA for fintech, HIPAA-equivalent for medical, eIDAS for digital identity).
Multi-tenant SaaS with strict tenant-isolation requirements · adds ~3-5 days of dedicated tenant-isolation testing.
External SOC2 / ISO 27001 certification (vs alignment-only) · the certification work itself is done by the certified auditor, but the readiness studio prepares the evidence and shepherds the audit.
What pushes a real audit invoice up · the four signals
If the quote bundles everything into one line item ("Security audit · €25 000"), ask for the breakdown. A real engagement always has these four:
If the fix-PR + re-test line is missing, you're getting a PDF, not engineering. The PDF goes in a drawer; the engineering goes into your repo. Refuse quotes that only ship the PDF.
When a paid audit is premature
Three situations to skip a paid audit and run a self-assessment instead:
Pre-launch with no production traffic. Run Snyk + Semgrep + a self-administered OWASP ZAP scan first; commission the audit after launch when the attack surface is real.
Single founder, no team, code under 5kLOC. A €4-8k focused audit on the riskiest 20% of the codebase beats a full €25k audit you can't afford to act on.
You haven't fixed the issues from the last audit. Auditors hate this · it costs €0 to action the previous report, so do that before commissioning a new one.
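For the pre-launch self-assessment above, here is an added example (not code from the article or from DField Solutions) that merges Semgrep's `--json` output and a ZAP baseline `-J` report into one severity-ranked finding list with a simple launch gate; the JSON field names are my assumptions about the two tools' report formats, and the sample findings and rule ids are constructed.

```python
# Added example: merge Semgrep (--json) and ZAP baseline (-J) reports into one
# severity-ranked list with a launch gate. Field names are assumptions about the
# two tools' JSON formats; the sample findings below are constructed.
import json

SEMGREP_RANK = {"ERROR": 3, "WARNING": 2, "INFO": 1}   # Semgrep severity -> shared scale
ZAP_RANK = {"3": 3, "2": 2, "1": 1, "0": 0}            # ZAP riskcode -> shared scale
LABEL = {3: "high", 2: "medium", 1: "low", 0: "info"}

def semgrep_findings(report):
    """Flatten Semgrep results to one finding per code location."""
    return [{"rank": SEMGREP_RANK.get(r["extra"]["severity"].upper(), 1), "tool": "semgrep",
             "id": r["check_id"], "where": f'{r["path"]}:{r["start"]["line"]}',
             "detail": r["extra"]["message"]} for r in report.get("results", [])]

def zap_findings(report):
    """Flatten ZAP alerts to one finding per affected URL, so each is reproducible."""
    out = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            rank = ZAP_RANK.get(str(a.get("riskcode", "0")), 0)
            for inst in a.get("instances") or [{"uri": site.get("@name", "?")}]:
                out.append({"rank": rank, "tool": "zap", "id": str(a.get("pluginid", "?")),
                            "where": inst.get("uri", "?"), "detail": a.get("name", "")})
    return out

def triage(semgrep_json, zap_json, block_at=3):
    """Sort findings worst-first and say whether anything at/above block_at blocks launch."""
    findings = semgrep_findings(json.loads(semgrep_json)) + zap_findings(json.loads(zap_json))
    findings.sort(key=lambda f: (-f["rank"], f["tool"], f["id"]))
    for f in findings:
        f["severity"] = LABEL[f["rank"]]
    blocking = sum(1 for f in findings if f["rank"] >= block_at)
    return {"findings": findings, "blocking": blocking, "launch_ok": blocking == 0}

# Constructed sample reports (not real scan output), shaped like the tools' JSON.
SEMGREP_SAMPLE = json.dumps({"results": [
    {"check_id": "sample.sql-string-from-request", "path": "app/db.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL built from request data"}},
    {"check_id": "sample.debug-enabled", "path": "app/__init__.py",
     "start": {"line": 7}, "extra": {"severity": "WARNING", "message": "debug=True in production config"}}]})
ZAP_SAMPLE = json.dumps({"site": [{"@name": "https://staging.example.test", "alerts": [
    {"pluginid": "10038", "riskcode": "2", "name": "Content Security Policy (CSP) Header Not Set",
     "instances": [{"uri": "https://staging.example.test/"}, {"uri": "https://staging.example.test/login"}]}]}]})

if __name__ == "__main__":
    result = triage(SEMGREP_SAMPLE, ZAP_SAMPLE)
    for f in result["findings"]:
        print(f'{f["severity"]:6} {f["tool"]:7} {f["id"]} @ {f["where"]}: {f["detail"]}')
    print("launch_ok:", result["launch_ok"], "blocking:", result["blocking"])
```

Wire `triage` into CI with the real report files and the high-severity gate gives you the "fix before launch" list the article says should come before any paid audit.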
Where DField Solutions sits in this map
We run tiers 1 and 2 directly · focused pentests (€5-12k) and full SaaS audits (€18-32k). For Tier 3 compliance readiness (NIS2 + SOC2 + ISO 27001), we run the engineering and compliance documentation in-house and partner with certified auditors for the external attestation phase. Every audit ships fix-PRs against your repo + a 30-day re-test · we don't ship PDFs.