Penetration Testing Scoping for Texas SMBs: Getting What You Pay For
Penetration testing pricing for the same nominal scope ranges from $4,000 to $80,000 across Texas providers. The difference is rarely quality — it is what each provider actually does. Here is how to scope a pen test that delivers real value.
Introduction
Penetration testing is now required annually by most cyber insurance carriers, by SOC 2 Type II audits, and by larger client and vendor contracts. The market response has been an explosion of offerings — and pricing for the same nominal scope ranges from $4,000 to $80,000 across Texas providers we've reviewed. The difference is rarely quality. The difference is what each provider actually does, and what you actually need.
This guide covers how to scope a penetration test that delivers real value at the right price for a Texas SMB in the 25-500 employee range, what each scope variant tests, and how to read a pen test report critically.
The Six Variables That Drive Pen Test Cost
- Surface size — number of internet-facing IPs, web apps, mobile apps, internal subnets, cloud accounts
- Knowledge level — black-box (no info), gray-box (some info), white-box (full info)
- Test depth — vulnerability scan vs validated exploitation vs lateral movement vs full red team
- Test type — external network, internal network, web application, mobile, wireless, social engineering, physical
- Reporting depth — automated tool output vs analyst-validated narrative vs executive-presentation-grade
- Retest scope — included or extra
What Each Test Type Actually Tests
External Network Pen Test ($4,000-$15,000)
Tests your internet-facing infrastructure: external IPs, web servers, mail servers, VPN endpoints. Validates that the things visible to attackers are not exploitable. Required by most insurance carriers and SOC 2.
This is the most common SMB pen test and usually delivers the lowest hit rate (modern external posture is generally hardened) but is non-negotiable for compliance.
Internal Network Pen Test ($8,000-$30,000)
Tests what an attacker who has landed inside your network (via phishing, compromised endpoint, or rogue insider) can do. Tests Active Directory tiering, segmentation, lateral movement potential, privilege escalation paths.
For Texas SMBs with on-premises Active Directory, this is the highest-value test because it validates the controls that actually matter post-initial-access. See our Active Directory tiering guide for context.
Web Application Pen Test ($6,000-$40,000 per app)
Tests a specific web application for OWASP Top 10 categories: injection, broken auth, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, vulnerable components, insufficient logging.
For Texas SMBs that develop their own software (SaaS startups, e-commerce, custom client portals), this is mandatory annually plus before any major release.
Cloud Configuration Review ($5,000-$20,000)
Tests Azure / AWS / GCP configuration against CIS benchmarks and security best practice. Identifies overly-permissive IAM roles, public S3 buckets, exposed databases, missing logging.
For Texas SMBs running production workloads in the cloud, this is now a standard quarterly cadence (or continuous via tools like Wiz, Lacework, Defender for Cloud).
Social Engineering / Phishing Engagement ($3,000-$15,000)
Tests human controls: phishing campaigns, vishing (voice phishing), smishing (SMS phishing), and increasingly deepfake voice scenarios — see our deepfake fraud defense guide.
Full Red Team Engagement ($30,000-$150,000)
Combines all of the above with adversary emulation methodology. Tests not just the existence of vulnerabilities but your organization's ability to detect and respond to an active attack. Meaningful for organizations with mature security operations; usually overkill for SMBs without an internal SOC.
Black Box vs White Box vs Gray Box
- Black-box — tester knows only what an outside attacker would know. Most realistic adversary emulation but inefficient for budget — testers spend most of the engagement on reconnaissance.
- White-box — tester has full network diagrams, source code access, credentials, etc. Most coverage per dollar but less realistic adversary emulation.
- Gray-box — tester gets reasonable information (network ranges, employee count, public-facing apps inventory) but no privileged access. Best ratio of realism to coverage for SMB engagements.
For most Texas SMB engagements, gray-box is the right default.
What a Real Pen Test Report Includes
- Executive summary — 1-2 pages, board-readable, with risk rating and trajectory
- Methodology — what was tested, what wasn't, how, when, by whom (named individuals with credentials)
- Findings — each with: severity, CVSS, EPSS where applicable, exploitation steps, business impact, remediation guidance, retest criteria
- Attack narratives — for high-severity findings, the actual attack path with screenshots
- Strategic recommendations — beyond individual finding remediation, what programmatic changes would prevent the class of issues found
- Appendices — full vulnerability scan output, tool versions, credentials used, evidence files
If a "pen test" report is just a Nessus or Qualys scan output formatted into a PDF — that is not a pen test. It is a vulnerability scan. They are different products at different price points.
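The report checklist above can be applied mechanically once a provider's findings are exported. The following is an added example, not part of the article: it checks each finding for the fields the list requires, applies the article's scan-versus-pen-test test (no finding carries exploitation evidence), and orders findings for remediation by EPSS first and CVSS second. The findings and their field names are constructed assumptions about how a report export might look, not any provider's format.

```python
"""Quality and prioritization checks over an exported pen test findings
list. Added example; the findings below are constructed."""

# Fields every finding should carry, per the report checklist.
REQUIRED_FIELDS = ("severity", "cvss", "exploitation_steps",
                   "business_impact", "remediation", "retest_criteria")

# Constructed export: two analyst-validated findings and one that reads like
# raw scanner output (no exploitation evidence, no retest criteria).
SAMPLE_FINDINGS = [
    {"id": "F-01", "title": "Weak password on VPN administrative account",
     "severity": "High", "cvss": 8.8, "epss": 0.12,
     "exploitation_steps": "Authenticated with a guessed password; see Appendix A.",
     "business_impact": "Remote administrative access to the VPN appliance.",
     "remediation": "Enforce MFA and a 16+ character passphrase policy.",
     "retest_criteria": "Password-only authentication rejected for admin role."},
    {"id": "F-02", "title": "Legacy TLS versions enabled on VPN portal",
     "severity": "Medium", "cvss": 5.9, "epss": 0.01,
     "exploitation_steps": "Not exploited; configuration observed.",
     "business_impact": "Protocol downgrade risk for remote users.",
     "remediation": "Disable TLS 1.0 and 1.1.",
     "retest_criteria": "Scanner reports TLS 1.2 or later only."},
    {"id": "F-03", "title": "Outdated web framework with known exploited CVE",
     "severity": "High", "cvss": 7.5, "epss": 0.93,
     "exploitation_steps": "", "business_impact": "",
     "remediation": "Update to the vendor's supported release.",
     "retest_criteria": ""},
]


def missing_fields(finding):
    """Return the required fields that are absent or empty for one finding."""
    return [f for f in REQUIRED_FIELDS if finding.get(f) in (None, "")]


def report_gaps(findings):
    """Map finding id -> missing fields, for findings that have gaps."""
    gaps = {}
    for f in findings:
        missing = missing_fields(f)
        if missing:
            gaps[f["id"]] = missing
    return gaps


def looks_like_scan_output(findings):
    """The article's test: if no finding carries exploitation evidence, the
    deliverable is a vulnerability scan, not a penetration test."""
    return not any(f.get("exploitation_steps") for f in findings)


def prioritize(findings):
    """Remediation order: EPSS (likelihood of exploitation in the wild)
    first, CVSS (impact) as the tie-breaker. Returns finding ids."""
    ranked = sorted(findings,
                    key=lambda f: (f.get("epss", 0.0), f.get("cvss", 0.0)),
                    reverse=True)
    return [f["id"] for f in ranked]


if __name__ == "__main__":
    print("gaps:", report_gaps(SAMPLE_FINDINGS))
    print("scan only:", looks_like_scan_output(SAMPLE_FINDINGS))
    print("order:", prioritize(SAMPLE_FINDINGS))
```

In the constructed data F-03 ranks first for remediation because its EPSS is high, and it is also the finding the report check flags: the provider lists a known exploited component but never validated it or said how a retest would confirm the fix. That combination, highest priority and least evidence, is exactly what the checklist is meant to surface. EPSS only exists for vulnerabilities with a CVE id, so findings without one fall back to CVSS alone in this ordering.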
Red Flags in Pen Test Sales Conversations
- "We can complete this in 8 hours" — modern environments need at least 30-40 hours of analyst time even for small scope
- No retest included — you'll find issues; retest validates remediation; without it the engagement is half-done
- Same provider does pen test AND remediation consulting — conflict of interest; severity inflation incentive
- Refusal to share sample reports — sanitized samples are standard; refusal suggests there's nothing impressive to show
- Tester credentials not named — OSCP, OSEP, GPEN, GXPN, GWAPT are minimums you should expect
Compliance Mapping
- SOC 2 Type II — annual pen test required
- HIPAA — risk assessment required; pen test is the most common method to validate
- PCI-DSS — annual external + internal pen test if Level 1 or 2 merchant; quarterly external scan otherwise
- FTC Safeguards Rule — periodic risk assessment; pen test counts (see FTC Safeguards Rule)
- CMMC 2.0 Level 2 — assessment required; pen test recommended (see CMMC compliance)
- Cyber insurance underwriting — increasingly required annually (see our cyber insurance renewal playbook)
Where to Start
For Texas SMBs scoping their first or next pen test: define your goal first. "Pass our SOC 2 audit" is a different scope from "find what an attacker would actually do." Both are legitimate; they are not the same engagement. Then get three quotes for that exact scope, compare what each provider lists in their methodology, and pick on quality not price.
Related reading: Vulnerability prioritization with EPSS, cybersecurity services, IR tabletop exercise design.