Consider a mid-size Swiss firm that faced this very question last year: “Do we really need a pentest?” Many companies ask it when cybersecurity comes up. A penetration test quickly costs CHF 15,000 to 50,000, and whether it is necessary isn’t always clear. This article helps with the decision.
What Is a Penetration Test?
Definition
A penetration test (pentest) is a simulated cyberattack on your IT systems, performed by security experts, to find vulnerabilities before real attackers do.
In contrast to:
- Vulnerability Scan: Automated tool, finds known vulnerabilities
- Security Audit: Review of processes, policies, compliance
- Red Team Assessment: In-depth test incl. social engineering, physical security
What Gets Tested?
Typical targets:
- Web applications (shops, portals, SaaS)
- Mobile apps (iOS, Android)
- Network infrastructure (servers, firewalls, VPN)
- APIs (REST, GraphQL)
- Cloud environments (AWS, Azure, Google Cloud)
- IoT devices
- WLAN networks
How Does a Pentest Work?
Phase 1: Planning (1-2 weeks)
- Define scope (what gets tested?)
- Set objectives
- Agree on time window
- Clarify rules (what’s allowed?)
Phase 2: Reconnaissance (Information Gathering)
- Passive information gathering
- Active scanning
- Identify vulnerabilities
Phase 3: Exploitation
- Exploit vulnerabilities
- Gain access
- Escalate privileges
Phase 4: Reporting
- Detailed report
- Prioritisation (Critical, High, Medium, Low)
- Recommendations for remediation
Phase 5: Re-Test (optional)
- After remediation: Verification
- Confirmation that gaps are closed
Duration: 1-4 weeks (depending on scope)
When a Pentest Is Mandatory
1. Regulatory Requirements
Certain industries and situations in Switzerland require pentests by law or industry standards.
Financial Sector (FINMA):
Who:
- Banks
- Insurance companies
- Financial service providers
- Payment service companies
Requirements:
- FINMA Circular 2008/21 “Operational Risks Banks”
- Regular security tests
- Annual pentests for critical systems
- After major changes
Typical:
- Costs: CHF 30,000-80,000/year
- External, certified pentesters
- Documentation for FINMA
Healthcare:
Who:
- Hospitals
- Clinics
- Doctors’ practices with electronic patient records
- Health app providers
Requirements:
- Data Protection Act (DSG)
- EPD (Electronic Patient Dossier) requirements
- ISO 27001 often required (incl. pentests)
Typical:
- Pentest at EPD systems go-live
- After major updates
- Annually for critical systems
Critical Infrastructure:
Who:
- Energy suppliers
- Water utilities
- Telecommunications
- Transport companies
Requirements:
- Federal Act on Information Security (ISG)
- NIS Directive (Network and Information Security)
- Regular security tests mandatory
PCI DSS (Payment Cards):
Who:
- Online shops accepting credit cards
- Payment service providers
- Anyone storing/processing card data
Requirements:
- PCI DSS Requirement 11.3: Annual pentest
- After any significant change
- By PCI-certified testers
Typical:
- Costs: CHF 15,000-40,000
- External testers (PCI-QSA)
- Quarterly ASV (Approved Scanning Vendor) scans in addition
ISO 27001 Certification:
Who:
- Companies pursuing/having ISO 27001
- B2B providers (often customer requirement)
Requirements:
- Regular vulnerability assessments
- Pentests for critical systems recommended
- Often required at re-certification
2. Before Major Launches
Even without regulatory obligation: For certain projects, a pentest is indispensable.
When mandatory:
New web platform with sensitive data:
- Online banking
- Health portals
- Government portals
- B2B platforms with customer data
Example: A Swiss startup launches a SaaS platform for HR data. Before go-live, it commissions a pentest for CHF 20,000. Result: 3 Critical and 8 High issues found. Remediation before launch means no data leak after market entry.
Mobile apps with payment:
- Fintech apps
- E-commerce apps
- Any app processing payments
Example: The mobile banking app of a Swiss regional bank. The pentest finds an authentication vulnerability that would have enabled account takeover. Pentest costs: CHF 25,000. Costs of a data leak: millions plus reputation damage.
API launch for partners:
- APIs used by third parties
- B2B integrations
- Public APIs
Why:
- API security often underestimated
- Potential for data leakage enormous
- Partners demand security proof
Cloud migration:
- Move from on-premise to cloud
- New cloud architecture
- Multi-cloud setups
Why:
- New attack vectors
- Misconfigurations frequent
- Compliance requirements (data in cloud)
3. After Security Incidents
When:
- After data leak or breach
- After successful attack
- After suspicious activities
Why:
- Find further vulnerabilities
- Understand extent
- Restore trust
Example: A Swiss SME (e-commerce) notices unusual database access. The post-incident pentest uncovers 5 additional vulnerabilities that had been overlooked. Costs: CHF 18,000. Fixing them removed the openings for a second breach.
When a Pentest Makes Sense (But Isn’t Mandatory)
1. High Reputation Risks
Who:
- Brands with high visibility
- Public institutions
- Swiss SMEs with strong brand value
Why:
- A data leak = massive reputation damage
- Customer trust is core of business
- Insurance often demands proof
Cost-benefit:
- Pentest: CHF 20,000-40,000
- Reputation damage with breach: Priceless
2. Before Major Investment Rounds
Who:
- Startups before Series A/B
- Scale-ups before exit
- SMEs before sale
Why:
- Investors check cybersecurity (due diligence)
- Security gaps = deal-breaker
- Pentest report = proof of trust
Typical:
- Costs: CHF 15,000-30,000
- Timing: 2-3 months before fundraise
- Remediation of critical issues before due diligence
3. B2B Customers Demand It
Who:
- SaaS providers
- IT service providers
- Suppliers for large corporations
Why:
- Large customers (banks, insurance, corporations) demand pentest reports
- Part of vendor assessment
- Without pentest: no contract
Typical:
- Annual pentests required
- Reports must be shared
- Costs often in sales budget
4. After Major Changes
When:
- New features with authentication
- Architecture changes
- Integration of new systems
- After major code refactorings
Why:
- New features = new attack surface
- Changes can break old security measures
Typical:
- Mini-pentest (only new features): CHF 8,000-15,000
- Faster (1 week)
- Focused
When a Pentest Isn’t (Yet) Necessary
1. Very Early Startups (Pre-Product-Market-Fit)
Who:
- MVP phase
- Prototype
- Few users, no sensitive data
Why not (yet):
- Product changes constantly
- Resources better in product development
- No regulatory pressure
Instead:
- Vulnerability scans (automated, cheap)
- Basic security (HTTPS, password hashing, etc.)
- Pentest only at scale or before fundraise
2. Purely Internal Tools (Without Sensitive Data)
Who:
- Intranet without external connection
- Internal dashboards
- Tools only for employees
Why not:
- Attack surface small (only internal users)
- Cost-benefit questionable
- Risk limited
But:
- If an external connection is added after all: Pentest needed
- If admin rights involved: Consider pentest
3. Static Websites (No Data Processing)
Who:
- Marketing websites (only content)
- Landing pages
- Blogs
Why not:
- No database
- No user authentication
- No payment processing
But:
- If forms write to a database: Consider pentest
- If login area: Pentest needed
4. Infrastructure Fully Hosted by Large Cloud Providers
Who:
- Pure SaaS users (no own code)
- Infrastructure 100% at AWS/Google/Azure (managed services)
Why not:
- Cloud providers run their own pentests
- Shared Responsibility Model: Provider secures infrastructure
But:
- Your application/configuration: Your responsibility
- Pentest of application layer still makes sense
Types of Pentests
1. Black Box Pentest
What: Tester has no information about the system; simulates an external attacker.
Advantages:
- Realistic (like real attack)
- Finds what attacker would find
Disadvantages:
- Time-consuming
- More expensive
- May not find all internal vulnerabilities
Typical costs: CHF 20,000-50,000
When:
- External web applications
- Publicly accessible systems
- Realistic attack simulation desired
2. White Box Pentest
What: Tester has full access: code, architecture docs, credentials.
Advantages:
- Finds more vulnerabilities
- Faster (no reconnaissance)
- Cheaper
Disadvantages:
- Less realistic
- Attacker wouldn’t have this info
Typical costs: CHF 15,000-35,000
When:
- Before launch (find everything)
- Compliance tests (e.g., PCI DSS)
- Internal systems
3. Grey Box Pentest
What: Tester has partial information (e.g., user account, but no admin).
Advantages:
- Realistic (insider threat)
- Finds more than black box
- Cheaper than black box
Typical costs: CHF 18,000-40,000
When:
- Simulates insider attack
- Realistic test with efficiency
4. Focused Pentest (Limited Scope)
What: Test only specific parts (e.g., only new API, only payment flow).
Advantages:
- Cheap
- Fast (1 week)
- Focused on risk areas
Typical costs: CHF 8,000-20,000
When:
- After major changes
- New features
- Limited budget
How Often Should You Do Pentests?
Financial Sector, Healthcare, Critical Infrastructure
Recommendation: Annually (at minimum)
Regulatory:
- FINMA: Annually for critical systems
- PCI DSS: Annually + after major changes
- ISO 27001: Regularly (often annually)
Additionally:
- After every major change
- Quarterly vulnerability scans
SaaS, E-commerce, B2B Platforms
Recommendation: Annually or every 18 months
Why:
- Technology changes
- New vulnerabilities emerge
- Customers expect proof
Additionally:
- Before major releases
- After architecture changes
Startups, SMEs (Without Regulation)
Recommendation: Every 2-3 years (or as needed)
Why:
- Cost-benefit
- With limited budget: Focus on critical moments
Critical moments:
- Before fundraise
- Before launch of major features
- After growth spurt (e.g., 10x more users)
Ongoing Vulnerability Scans (Additionally)
What: Automated tools continuously scan for known vulnerabilities.
Costs: CHF 500-2,000/month
Tools:
- Qualys
- Tenable Nessus
- Rapid7 InsightVM
Why additionally:
- Pentests = snapshot (moment in time)
- Vulnerability scans = continuous
- Find new CVEs (Common Vulnerabilities and Exposures) immediately
Costs of a Pentest
Factors Influencing Costs
1. Scope:
- Web app: CHF 15,000-35,000
- Mobile app: CHF 12,000-30,000
- Infrastructure: CHF 20,000-50,000
- Cloud environment: CHF 18,000-45,000
- Complete IT (everything): CHF 40,000-120,000+
2. Complexity:
- Simple web app (5 pages): CHF 8,000-15,000
- Medium platform (multiple modules): CHF 20,000-40,000
- Complex enterprise software: CHF 50,000-150,000+
3. Type:
- Black box: +30-50% vs. white box
- Grey box: +15-25% vs. white box
4. Certifications:
- PCI-certified testers: +20-40%
- CREST-certified: +25-50%
5. Re-test:
- One re-test often included
- Further re-tests: CHF 3,000-8,000
Typical Prices Switzerland (2025)
Small (startup, simple web app):
- Scope: 1 web application, <10 endpoints
- Duration: 5-7 days
- Costs: CHF 8,000-18,000
Medium (SME, standard platform):
- Scope: Web app + API + mobile app
- Duration: 10-15 days
- Costs: CHF 20,000-45,000
Large (enterprise, financial sector):
- Scope: Complete infrastructure + apps
- Duration: 20-30 days
- Costs: CHF 50,000-120,000+
Ongoing security monitoring (alternative/addition):
- Vulnerability scans: CHF 500-2,000/month
- Bug bounty programs: CHF 2,000-10,000/month
- Managed security services: CHF 3,000-15,000/month
Alternatives for Smaller Budgets
No budget for CHF 20,000+ pentest? There are alternatives that at least ensure basic security.
1. Automated Vulnerability Scanning
What: Tools automatically scan for known vulnerabilities.
Tools:
- OWASP ZAP (free)
- Burp Suite (CHF 400/year)
- Acunetix (CHF 5,000-10,000/year)
- Nessus (CHF 2,500/year)
Advantages:
- Cheap or free
- Fast
- Continuously usable
Disadvantages:
- Finds only known vulnerabilities
- Many false positives
- No manual attacks (business logic flaws missed)
Typical costs: CHF 0-10,000/year
2. Bug Bounty Platforms
What: Ethical hackers worldwide search for vulnerabilities and are paid only when they find one.
Platforms:
- HackerOne
- Bugcrowd
- Intigriti (Europe)
Advantages:
- Pay-per-vulnerability (no fixed price)
- Many testers = broad perspective
- Continuous (not one-time)
Disadvantages:
- Vulnerabilities become public (after fix)
- Coordination effort
- Only for external systems
Typical costs:
- Setup: CHF 2,000-5,000
- Bounties: CHF 500-10,000 per vulnerability (depending on severity)
- Platform fee: 20-30%
When:
- Web applications
- APIs
- Mobile apps
- After initial pentest (as addition)
3. Security Code Review
What: Manual review of code by security experts.
Advantages:
- Finds design flaws
- Cheaper than full pentest
- Learning for developer team
Disadvantages:
- Doesn’t find infrastructure issues
- No test of runtime environment
Typical costs: CHF 5,000-15,000
When:
- Before launch
- For critical code areas (payment, auth)
- As precursor to pentest
4. Security Champions Program (Inhouse)
What: Employees are trained in security, perform internal reviews.
Advantages:
- Cheap long-term
- Culture change (security mindset)
- Continuous improvement
Disadvantages:
- Time effort
- Doesn’t replace real pentest
- Risk of in-house blind spots
Typical costs:
- Training: CHF 2,000-8,000/person
- Time: 10-20% of one employee’s working time
When:
- Medium to large teams
- Long-term security strategy
- In addition to external tests
5. Hybrid Approach (Recommendation for SMEs)
Year 1:
- One-time full pentest: CHF 20,000
- Setup vulnerability scanning: CHF 2,000
- Remediation critical/high issues: CHF 5,000-15,000
Year 2-3:
- Ongoing vulnerability scans: CHF 1,000/month
- Bug bounty (optional): CHF 3,000-10,000/year
- Focused re-test after major changes: CHF 8,000
Year 4:
- Full pentest again: CHF 20,000
- Cycle repeats
Total over 4 years: CHF 80,000-120,000
Per year: CHF 20,000-30,000
Advantage:
- Balance between costs and security
- Continuous monitoring
- Regular deep testing
Swiss Compliance Context
FINMA (Financial Sector)
Requirements:
- FINMA Circular 2008/21 “Operational Risks”
- Annual security tests for critical systems
- External audit required
- Documentation for supervision
Typical pentests:
- Internet banking
- Mobile banking apps
- Trading platforms
- Payment systems
Costs: CHF 40,000-100,000/year
DSG (Data Protection Act)
Requirements:
- Technical and organisational measures (TOM)
- Risk-based approach
- For high-risk data processing: Pentests recommended
Affects:
- All Swiss companies
- Especially: Healthcare, HR, sensitive personal data
Sanctions for violation:
- Fines up to CHF 250,000
- Reputation damage
EPD (Electronic Patient Dossier)
Requirements:
- Technical requirements according to EPDV
- Security tests before go-live
- Regular reviews
Affects:
- Hospitals
- Doctors’ practices
- EPD communities
- EPD providers
ISO 27001 (Switzerland)
Certification bodies:
- SQS (Swiss Association for Quality and Management Systems)
- SGS
- TÜV Süd
Pentest requirements:
- Regular vulnerability assessments (A.12.6.1)
- Pentests for critical systems recommended
- Often checked at re-certification
Checklist: Do I Need a Pentest?
Mandatory YES if…
- Financial sector (bank, insurance, payment)
- Healthcare (EPD, patient data)
- Critical infrastructure (energy, water, transport)
- PCI DSS-obligated (credit card data)
- ISO 27001 certification pursued
- Regulatory obligation exists
Highly recommended if…
- Launch of platform with sensitive data (before go-live)
- Mobile app with payment function
- API for external partners
- Cloud migration with sensitive data
- B2B customers demand pentest report
- Before fundraise/exit (due diligence)
- After security incident
Consider if…
- High reputation damage possible with breach
- Major changes to architecture
- More than 3 years since last pentest
- Strong growth (10x more users)
- New: external access to internal systems
Not yet necessary if…
- MVP phase, pre-product-market-fit
- Purely static website (no login, no data)
- Purely internal tool (no external access)
- Fewer than 100 users, no sensitive data
- Budget for basic security measures is missing (implement those first)
Expert View
A penetration test is not a luxury, but an investment in risk minimization.
Mandatory with:
- Regulatory requirements (FINMA, PCI DSS, etc.)
- Sensitive data (healthcare, finance)
- Before major launches
Very sensible with:
- High reputation risks
- B2B customer requirements
- Before fundraise/exit
Alternatives for limited budget:
- Vulnerability scanning (continuous, cheap)
- Bug bounty (pay-per-vulnerability)
- Focused pentest (only critical areas)
- Hybrid approach (full pentest every 3-4 years + continuous scans)
Ask yourself:
- Do I have regulatory obligations?
- What would be the damage with a data leak?
- Do my customers demand a pentest?
- Is a major launch upcoming?
If 1-2 of these questions are “Yes”: Pentest is worth it. Swiss-based providers such as RedTeam Partners offer CREST-certified penetration testing tailored to the Swiss regulatory environment, making the scoping and compliance process considerably smoother.
If all “No”: Start with vulnerability scanning and consider pentest at scale or before major milestones.
Security is not an end state, but a process. A pentest is an important building block, but not the only one.
Transparency Note: Alpine Excellence only lists verified providers. When seal holders are mentioned in this article, it serves to illustrate quality standards concretely, not as advertising.