What a ₦500k "pentest" actually delivers
At the ₦300,000 to ₦700,000 price range, you are buying a vulnerability scan packaged as a penetration test. The vendor runs one or more automated tools (typically Nessus, OpenVAS, Qualys, or Burp Suite's automated scanner) against your application and infrastructure, exports the results, and delivers a branded PDF. The findings will include: missing security headers, outdated software versions, weak cipher suites, default configurations, and known CVEs matching your software stack.
These are real findings. They are worth addressing. But they are the same findings you could generate yourself by running the same tools. What you are paying for at this price point is the vendor's time to run the scan and format the output. No human tester manually explored your application. No one tested your payment flow for race conditions. No one tried to escalate privileges from a regular user to an admin. No one chained a rate-limiting weakness with an OTP bypass to demonstrate account takeover.
Why this fails for compliance
The CBN's Risk-Based Cybersecurity Framework requires penetration testing, not vulnerability scanning. A CBN examiner who understands security will recognise a scanner report. PCI DSS Requirement 11.4 explicitly requires that penetration tests include both automated and manual techniques, with manual validation of findings. A scan-only report does not satisfy this requirement. You will pay for the scan now and pay for a real pentest later when the auditor rejects it.
A ₦500k scan that fails compliance costs you ₦500k + the price of a real pentest
If the scan report does not satisfy your regulatory requirements, you have not saved money. You have spent ₦500,000 on a document that cannot be used for its intended purpose and still need to engage a firm for manual testing. The cheapest pentest is the one you only have to do once.
What a real penetration test delivers
A manual penetration test involves a certified security engineer spending one to four weeks actively attacking your application the way a real adversary would. Automated scanners are used as reconnaissance tools during the early phases, but the core of the engagement is human-driven exploitation and analysis.
Business logic testing
The most valuable findings in any fintech pentest are business logic vulnerabilities. These are flaws in how your application implements financial operations. A scanner cannot test whether your loan disbursement endpoint allows double-disbursement under a race condition. A scanner cannot test whether your transfer API lets User A access User B's transaction history by modifying an ID parameter. A scanner cannot test whether your payment webhook can be replayed to credit an account multiple times. These are the vulnerabilities that cause actual financial loss. See our breakdown of BOLA vulnerabilities in payment APIs for real examples.
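The two controls a manual tester probes in the paragraph above, object-level authorisation on a transaction lookup and replay protection on a payment webhook, shown as an added example (not code from the original post or from Simpa Labs). All names, the secret and the in-memory data are constructed for the demonstration.

```python
"""Added example: business-logic controls a scanner cannot evaluate.
Everything here is constructed in memory so it runs offline."""
import hashlib
import hmac
import json
import threading

WEBHOOK_SECRET = b"constructed-demo-secret"  # placeholder, not a real key

# Constructed sample data: balances and who owns which transaction.
ACCOUNTS = {"user_a": 0, "user_b": 0}
TRANSACTIONS = {
    1001: {"owner": "user_a", "amount": 5000},
    1002: {"owner": "user_b", "amount": 12000},
}
_processed_events = set()   # idempotency store: event ids already credited
_lock = threading.Lock()    # serialises the check-and-credit step


def get_transaction(requesting_user, tx_id):
    """BOLA/IDOR control: knowing an ID is not enough, the caller must own it."""
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx["owner"] != requesting_user:
        return None             # same answer for missing and foreign records
    return tx


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw body, as a payment provider would attach."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def build_event(event_id: str, account: str, amount: int):
    """Helper to construct a signed webhook delivery for testing."""
    body = json.dumps({"event_id": event_id, "account": account,
                       "amount": amount}).encode()
    return body, sign(body)


def handle_payment_webhook(body: bytes, signature: str) -> str:
    """Replay control: verify signature, then credit each event_id at most once."""
    if not hmac.compare_digest(sign(body), signature):
        return "rejected: bad signature"
    event = json.loads(body)
    with _lock:                 # atomic check-and-record: a replayed or
        if event["event_id"] in _processed_events:   # concurrent duplicate
            return "ignored: duplicate event"         # cannot credit twice
        _processed_events.add(event["event_id"])
        ACCOUNTS[event["account"]] += int(event["amount"])
    return "credited"
```

Without the ownership check, `get_transaction` is the "User A reads User B's history" finding; without the idempotency set, a re-sent webhook is the "credit an account multiple times" finding.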
Vulnerability chaining
A medium-severity rate-limiting weakness on its own is a configuration issue. That same weakness combined with a brute-forceable OTP endpoint becomes an account takeover chain. Manual testers think in attack chains. They combine individually modest findings into high-impact exploitation scenarios. Scanners evaluate each finding in isolation and have no concept of chaining.
Proof-of-concept evidence
Every finding in a manual pentest report includes proof that the vulnerability was actually exploited: HTTP request/response pairs, annotated screenshots, and step-by-step reproduction instructions. A scanner report says "possible SQL injection on parameter X." A pentest report says "SQL injection on parameter X was exploited to extract the users table containing 47,000 records. Here is the request, here is the response, here is how to reproduce it." The difference matters when your developer needs to understand the actual impact to prioritise the fix.
Real price ranges for manual penetration testing
Honest pricing depends on scope, complexity, and engagement duration. Here are the ranges you should expect for manual testing by a qualified firm in Nigeria:
- Web application (standard): ₦1.5M – ₦4M for 1–2 weeks of testing
- Mobile application (iOS + Android): ₦2M – ₦5M for 2–3 weeks of testing
- API-only: ₦1.5M – ₦3.5M for 1–2 weeks depending on endpoint count
- Infrastructure: ₦1M – ₦2.5M for 3–5 days depending on environment size
- Full-scope (web + mobile + API + infrastructure): ₦4M – ₦10M for 3–5 weeks
These ranges reflect the cost of certified engineers spending weeks on your application. A price significantly below these ranges means either the scope is very narrow or the engagement is automated testing sold as manual work. For a detailed pricing breakdown, see our pentest pricing guide.
Red flags when evaluating vendors
Whether you engage Simpa Labs or another firm, watch for these signs that you are buying a scan, not a pentest:
Fixed pricing with no scoping
A vendor who quotes a flat rate without asking about your application, its complexity, your user roles, your technology stack, or your compliance requirements is not pricing a penetration test. They are pricing a scan run. Real pentests require a scoping call because the effort scales with application complexity. See what to expect from an engagement for how proper scoping works.
Turnaround under one week for a full application
A comprehensive web application pentest cannot be completed in two days. If the vendor promises results in 48 hours for your entire platform, they are running a scanner. Manual testing takes time because human analysis takes time.
No retest included
A vendor who delivers a report and disappears is selling a document, not a security outcome. Retest is where findings get verified as fixed. Without it, you have no evidence that remediation worked. A professional engagement includes retest as standard. For the full deliverable set, see our article on documents to demand after a pentest.
Report without proof-of-concept
If findings lack request/response evidence and reproduction steps, they were not manually verified. Ask the vendor what percentage of findings were manually exploited versus scanner-flagged. A legitimate answer is specific. A vague answer is a red flag.
No attestation letter
If the vendor cannot produce a letter of attestation for your auditors and clients, they may not have experience working with regulated fintechs. This document is a standard deliverable for any firm that regularly tests financial applications.
The right question is not "how much" but "what am I getting"
A vulnerability scan has its place. Run them monthly as part of your security hygiene. But when a regulator asks for a penetration test, when an enterprise client requires evidence of security testing, or when you need confidence that your payment platform can withstand a targeted attack, the scan is not the answer. Understand what you are buying before you sign.