An MSP we work with closed a $14,000 pentest engagement last quarter on a $4,200 cost basis. The client was a 90-employee SaaS company doing SOC 2 Type II for the second year. The engagement was scoped right, priced right, and the margin paid for the MSP’s entire compliance practice manager for two months. The math is not a secret, but most MSPs do not work it through carefully when they start reselling pentesting.
This piece walks through how to actually structure pentest pricing as an MSP — what the reseller cost stack looks like, where the margin lives, how to bundle for retention, and the common pricing mistakes that leave money on the table or send clients to a different MSP.
The reseller cost stack
For a manual external network pentest on 10 IPs, the wholesale reseller cost from a channel-only vendor lands around $1,400 to $1,600 depending on volume tier. For a manual web application pentest on a single application with one user role, around $2,100 to $2,400. For an internal network pentest of a single corporate network, $2,100 to $2,400. AI-assisted pentests covering up to 50 assets land at around $350 wholesale.
The retail equivalents at a generalist vendor sit higher: external around $2,000 to $2,500, web app around $3,000 to $3,500, internal around $3,000 to $3,500, AI-assisted around $500. The wholesale-to-retail spread is your starting margin pool.
That spread is the floor, not the ceiling. The actual margin opportunity is bigger because most clients are not buying line items — they are buying compliance evidence and security posture. The price the client will pay for an integrated SOC 2 pentest deliverable through their trusted MSP is often higher than what they would pay buying the same testing direct from a vendor, because the MSP is wrapping the work in scoping, project management, evidence preparation, and audit liaison.
Pricing tiers MSPs actually run
Three pricing structures show up across our partner base. Each is appropriate for a different MSP business model.
Cost-plus pricing. Take the wholesale cost, add a fixed markup percentage (typically 30 to 50 percent), and quote the client. Simple, easy to defend, easy to scale. Margin is predictable. The downside: you are leaving value on the table for clients who would happily pay more for the integrated deliverable, and you have no margin flexibility when a deal is being decided on price.
Example: $1,500 wholesale external pentest at 40 percent markup quotes at $2,100 to the client. Margin is $600. Reasonable. Not exceptional.
Value-based bundle pricing. Wrap the pentest into a broader compliance package — SOC 2 readiness assistance, evidence collection, audit liaison, retest coordination — and price the bundle as a single deliverable. Decompose only if the client asks. Margin can be 100 to 200 percent on the pentest portion because the value to the client is the whole package, not the line item.
Example: $1,500 wholesale external pentest, $2,400 wholesale web app pentest, plus 8 hours of compliance project management at $200 per hour. Total cost basis $5,500. Bundle quote to client: $12,000 for “SOC 2 pentest evidence and remediation package.” Margin is $6,500. The client is happy because they get a single deliverable that maps to their audit; you are happy because the margin funds the rest of your compliance practice.
Retainer-embedded pricing. Include pentests in the annual managed services or vCISO retainer at a slight discount, billed as a fixed monthly fee that includes one annual manual pentest plus quarterly AI-assisted coverage. Predictable revenue for both sides, sticky relationship, and the pentest cost becomes a small percentage of the total retainer.
Example: $4,800 annual cost basis for one manual web app pentest plus four quarterly AI external pentests. Wrap into a $4,000 per month vCISO retainer that also includes policy work, risk assessments, and ongoing compliance management. The client sees a clean monthly number; the pentest is just one line on a much larger relationship.
The bundling moves that capture more value
A few specific bundling moves that consistently work in practice:
Bundle the retest. Most pentest vendors include retesting in the engagement. Some do not. If you are reselling from a vendor that includes retest, do not present the retest as a separate line item to the client — bundle it into a higher base price and present the retest as “included in our pentest service.” The client perceives more value; the margin is captured up front.
Bundle compliance mapping. Most pentest reports include compliance control mapping. Some MSPs separately bill for “SOC 2 evidence preparation” or “compliance documentation review.” If your vendor is already mapping findings to controls in the report, that work is done — charge for it as part of the integrated package rather than letting it be invisible value.
Bundle the kickoff and report briefing calls. Pentests come with a kickoff call to align scope and a delivery call to walk through findings. As an MSP, you should be on both calls. Charge for that hour as part of the engagement, even if your vendor includes it free. Your hour with the client during the report walkthrough is when relationship value compounds.
Bundle next-year planning. At the close of every pentest engagement, schedule a 30-minute call with the client to scope next year’s test. Capture the renewal as a soft commitment in writing. This becomes recurring pentest revenue and reduces the chance the client will shop for a different vendor next year.
Pricing pitfalls that cost MSPs deals
Three common mistakes:
Pricing as a line item rather than as a deliverable. When the client sees “$2,000 external pentest, $3,000 web pentest, $1,500 internal pentest, $500 reporting” on a quote, they shop each line. They Google “external pentest cost,” find a $1,500 vendor, and ask why yours is more. When the client sees “$8,000 SOC 2 pentest readiness package,” they buy the deliverable.
Underselling AI pentests. AI-assisted pentests at $500 wholesale should not be quoted at $700 or $800 to the client. The value is not the cost-plus markup; the value is the integration into your overall security program. Quote AI pentests at $1,500 to $2,500 each as part of an annual continuous testing package. The client gets quarterly coverage they would not otherwise have; you get four times the engagement depth.
Charging for retesting. If your vendor includes retests, charging the client separately for retests creates friction and resentment. If your vendor does not include retests, switch to a vendor that does — the absence of bundled retesting is a sign the vendor is unbundling for revenue capture, which is exactly what your client will eventually do to you.
Volume tier negotiation with the vendor
One area MSPs leave money on the table: negotiating volume tiers with the pentest vendor. Most vendors discount wholesale pricing in tiers based on annual engagement volume. The tiers we offer are roughly: less than $25,000 annual at standard wholesale, $25,000 to $75,000 at 8 to 12 percent additional discount, $75,000+ at 15 to 20 percent additional discount.
If you are reselling consistently — even at the lower volume tier — ask the vendor about quarterly volume reviews. A growing MSP partner can hit the next tier within a year, and most vendors will pre-tier qualifying partners with a written commitment to that volume.
The compounding effect: a 15 percent additional wholesale discount applied to a 100 percent retail markup nearly doubles your per-engagement margin. Over a year of consistent engagement volume, that is meaningful money.
The ROI math for the MSP business
One way to frame this for an MSP partner who is on the fence about adding pentesting to their service portfolio:
If your average client adds a $4,000 pentest engagement per year at 50 percent margin, that is $2,000 of incremental annual margin per client. If pentesting helps you retain 90 percent of clients vs. 80 percent retention without it, the lifetime value compounding is significant. A retention rate change from 80 to 90 percent on a 5-year client base roughly doubles average client lifetime value.
Pentesting alone does not retain clients. But pentesting delivered as part of an integrated compliance and security program does. The reseller relationship makes that integration possible without the operational overhead of building an in-house pentest practice.
If you want to see actual reseller pricing for your annual engagement volume, our partner intake form opens the conversation. We send a tiered pricing sheet, sample reports under your branding, and a partner agreement draft within one business day.