Penetration Testing
July 15, 2026

Build vs. Partner: A Financial Model for Audit Firms Adding Manual Penetration Testing as a New Revenue Line

Ivan Stanev
Ivan Stanev
Founder & Senior Security Researcher
Build vs. Partner: A Financial Model for Audit Firms Adding Manual Penetration Testing as a New Revenue Line

For audit firms weighing whether to expand into security services, the question is no longer if they should offer manual penetration testing — it is whether they should build that capability from scratch or partner with a specialist firm to deliver it. The short answer: for most audit practices under 50 consultants, partnering wins on cost, speed, and quality every single time. This post walks through the financial model so you can stress-test that decision with your own numbers, understand what the build route actually costs in the first eighteen months, and see precisely how a white-label partnership converts audit client relationships into a meaningful new revenue line without a single new hire.

Why Audit Firms Are Looking at Penetration Testing Right Now

Clients who trust your firm with SOC 2, ISO 27001, or HIPAA audits are increasingly asking a follow-up question before sign-off: "Can you also test whether our controls actually hold up against a real attack?"

Compliance frameworks are nudging this. SOC 2's CC6 and CC7 controls implicitly reward organisations that can demonstrate attacker-resistant architecture rather than merely documented controls. HIPAA technical safeguard reviews increasingly reference the need for periodic penetration testing of PHI-adjacent systems. And with the NIS2 directive shaping EU-based clients, demand for manual penetration testing as part of an integrated assurance package is growing across every vertical your audit team already serves.

The opportunity is real. The risk of executing it badly is equally real. A client who receives a checkbox penetration test driven primarily by automated scanners — dressed up as a manual engagement — will notice when the report says nothing meaningful. That reputational damage is far more expensive than any short-term revenue gain. Which is why the build-versus-partner calculus deserves a rigorous financial lens before your leadership team commits either way.

The Real Cost of Building a Manual Penetration Testing Capability In-House

Headcount Is the Biggest Line Item

A credible manual penetration testing practice needs a minimum of two experienced testers — ideally OSCP-certified or equivalent — plus a delivery lead who can manage scoping calls, methodology oversight, and report quality control. In the current market, a mid-level penetration tester with three to five years of genuine hands-on experience commands $95,000–$130,000 in base salary in the US, excluding benefits and tooling allocation. Two testers plus a lead means a first-year payroll commitment of $320,000–$400,000 before you have billed a single engagement.

Tooling, Lab Infrastructure, and Training

Beyond headcount, building an in-house pen testing team requires investment in lab environments (cloud-based attacker infrastructure, VPN configuration, exploit development environments), commercial tooling licences, and continuous training. OSCP certification alone costs approximately $1,499 per candidate. Offensive Security, SANS GPEN, and eLearnSecurity courses add further to the training budget. A realistic first-year tooling and training allocation for a team of three sits at $40,000–$65,000. That is before factoring in the productivity loss during ramp-up, where a newly assembled team typically takes six to twelve months to reach a commercially viable output cadence.

Time-to-Revenue Reality

When you aggregate payroll, benefits, tooling, training, and lost productivity during the ramp period, a firm building manual penetration testing capabilities in-house should budget $500,000–$600,000 before the practice generates enough revenue to cover its own costs. Most audit firms hit profitability on a new service line at around month eighteen at the earliest. That is a significant capital commitment for a service that your existing client base may or may not convert to immediately.

The Partner Model: Delivering Manual Penetration Testing Without the Build Cost

Partnering with a specialist manual penetration testing firm — such as IVASTA Security — eliminates almost all of the upfront capital risk. Here is how the economics work in practice.

Revenue Share or Fixed Project Pricing

Most audit firm partnerships operate on one of two models. In the first, the audit firm marks up the penetration testing engagement between 15% and 35% above the testing partner's wholesale rate and invoices the client directly. The testing firm white-labels deliverables under the audit firm's brand. In the second, the audit firm refers the client and receives a referral fee per closed engagement, typically ranging from 10% to 20% of the project value. Either way, the audit firm adds revenue to its P&L without adding a single headcount.

What the Numbers Look Like

A mid-market audit firm with forty active compliance clients and an average client spend of $30,000 per year in audit fees can reasonably expect that 20%–30% of that client base will take up manual penetration testing when it is introduced during the audit engagement scoping call. At a conservative eight clients per year, an average project value of $7,500, and a 20% markup, the firm generates $72,000 in year one from a service line that required zero capital investment. Scale the client penetration rate to 40% and the project value to $10,000 and year-one revenue exceeds $160,000.

Build vs. Partner: At-a-Glance Financial Comparison

Criteria Build In-House Partner with IVASTA
Upfront Cost High — hiring, tooling, training Low — project-based pricing
Time to Revenue 12–18 months minimum 4–6 weeks from first client
Certification Depth Varies by hire OSCP/CREST-certified testers
Manual Testing Quality Dependent on team maturity 100% manual validation standard
Scalability Slow — headcount-constrained Flexible — scale by project
Client Brand Risk High during ramp-up Low — white-label delivery available

What "Quality" Means When Audit Clients Buy Manual Penetration Testing

Audit clients are not buying a vulnerability report. They are buying evidence they can present to a board, a regulator, or an enterprise procurement team. That evidence only holds up when it comes from a manual penetration testing engagement that mirrors the way real attackers operate. Automated scanners catch CVE-mapped vulnerabilities. They do not catch business logic flaws, chained exploitation paths, or the kind of access escalation that leads to a genuine data breach. When your clients ask whether the penetration test was manual or scanner-driven, they are asking a meaningful quality question.

This is why the quality of your chosen partner matters as much as the pricing model. A partner whose testers hold offensive security certifications, who performs manual penetration testing with zero scanner-only assessments, and who delivers actionable reports tied to real attack chains will protect your firm's reputation rather than expose it. IVASTA Security's model, for instance, validates 100% of findings manually before they appear in a client report — the kind of standard that translates directly into audit client confidence.

Revenue Model: What Audit Firms Can Realistically Earn

The table below illustrates what a typical manual penetration testing engagement actually earns an audit firm under a white-label partner arrangement. Figures are based on realistic IVASTA wholesale rates with a standard audit firm markup applied on top.

Scenario IVASTA Cost (to firm) Audit Firm Invoice Gross Profit Internal Effort
SOC 2 Web App Pentest $5,000 $7,000 $2,000 ~2 hrs coordination
PCI DSS Ext. + Internal $8,500 $11,500 $3,000 ~3 hrs coordination
ISO 27001 Infrastructure $7,000 $9,500 $2,500 ~2.5 hrs coordination
Full-Stack (Web + API + Infra) $12,000 $16,500 $4,500 ~4 hrs coordination

Even the conservative scenario — two engagements per month at $5,000 average deal size — generates $120,000 in annual revenue from a service that required no capital investment, no new hires, and no internal capability build. The moderate and aggressive scenarios produce revenue figures that would justify a dedicated business development hire focused purely on cross-selling penetration testing into the existing audit client base.

How to Position Manual Penetration Testing to Your Audit Clients

The language audit partners use to introduce manual penetration testing into an existing relationship matters. Framing it as an add-on service misses the opportunity. The more effective framing positions manual pen testing as the natural completion of the assurance picture: "Your compliance audit tells us what your controls say. The penetration test tells us what your controls do under pressure." That framing resonates because it is true.

For clients pursuing web application penetration testing or API penetration testing for SOC 2 or HIPAA purposes, your audit firm's involvement in scoping and report interpretation adds genuine value to the engagement. You understand the client's control environment. You know which finding categories will matter to auditors reviewing the penetration test evidence. That contextual knowledge is something a standalone penetration testing firm selling cold cannot replicate.

Common Objections — and How to Answer Them

"Won't clients think there is a conflict of interest?"

There is no inherent conflict when the entities performing the audit and the manual penetration testing are organisationally separate. The audit firm scopes and interprets; the testing partner executes. As long as findings from the penetration test inform rather than replace audit evidence, you are operating within standard industry norms. Many of the largest assurance networks have operated exactly this model for years.

"What if the penetration test finds something that impacts the audit outcome?"

This is actually the best possible outcome for the client. A manual penetration testing engagement that surfaces a material control failure before audit fieldwork allows the client to remediate, re-test, and present clean evidence to auditors. That sequence is dramatically better for the client than a clean audit followed by a breach six months later. Frame it that way and most compliance officers will agree.

"Can we really deliver the same quality as a specialist pen test firm?"

You are not claiming to. You are delivering the same quality by working with a specialist pen testing firm. The distinction matters when clients ask. Transparency about the partner delivery model is a strength, not a weakness — it tells the client you chose depth over dilution. Firms that try to disguise the partnership arrangement often create more risk than those who position it clearly. See how IVASTA Security approaches white-label penetration testing for audit firms for a detailed operational model.

Getting Started: A Four-Week Path from Decision to First Engagement

Week one: complete the partner evaluation. Review sample reports from at least two specialist manual penetration testing firms. Assess methodology depth, finding quality, remediation specificity, and the certification profile of the testers. Ask specifically what percentage of findings are manually validated versus scanner-generated. The answer tells you everything.

Week two: negotiate the commercial model. Decide whether you want a markup model, a referral model, or a hybrid. Set expectations around turnaround time, communication protocols during active testing, and escalation paths if a critical finding surfaces mid-engagement.

Week three: build the internal sales motion. Train your audit partners and managers on the language to use when introducing penetration testing during scoping calls. Develop a one-page leave-behind that positions manual pen testing as part of your firm's integrated assurance offering. Set a target: five introductory conversations within the first thirty days.

Week four: close your first engagement. Use the partner firm's sample report and scoping questionnaire to run the discovery call with your first client. Hand off scope documentation to the testing partner. Your role from this point is client relationship management and report interpretation — both things your team already does well.

For firms that want to see what a high-quality manual penetration testing report looks like before committing to any partner conversation, IVASTA Security makes a sample report available for download — a straightforward way to calibrate quality expectations before the first conversation.

Ready to explore how a penetration testing partnership could fit your audit practice? Get in touch with the IVASTA Security team — we will walk you through the commercial model and answer any scoping questions on the first call.

Frequently Asked Questions

Manual penetration testing is a security assessment conducted by certified testers who actively attempt to exploit vulnerabilities in a system using the same techniques a real attacker would use. Unlike automated scanning tools, which identify known vulnerability patterns against a signature database, manual testing uncovers business logic flaws, chained attack paths, and contextual weaknesses that no scanner can detect. The output is a validated, actionable report rather than a list of CVE identifiers.

No. Many audit firms successfully deliver manual penetration testing through white-label partnerships with specialist security firms. The audit firm manages the client relationship, scoping, and report interpretation while the specialist partner handles execution. The client receives a professional, high-quality engagement and the audit firm generates revenue without the capital cost of building an in-house team.

Pricing for manual penetration testing varies depending on scope, environment complexity, and testing duration. Web application tests for a mid-market SaaS product typically range from $4,000 to $12,000. Infrastructure and internal network assessments can range from $8,000 to $25,000 or more depending on the number of hosts in scope and the depth of testing required. Partner pricing available through a white-label arrangement typically sits 20%–30% below market retail rates.

SOC 2 does not explicitly mandate penetration testing, but auditors reviewing CC6 and CC7 controls regularly request penetration test evidence as the most direct way to demonstrate that access controls and change management procedures are effective under adversarial conditions. Organisations that provide a manual penetration testing report as part of their SOC 2 evidence package typically have a smoother audit process and more defensible control narratives.

Most manual penetration testing engagements run between one and two weeks from kickoff to final report delivery. The active testing phase is typically five to ten business days depending on scope. Final report delivery including manual validation of all findings adds two to four business days on top of active testing. Rush engagements with compressed timelines are sometimes available but are generally not recommended for compliance-driven assessments where report quality is paramount.

A web application penetration test scoped to include thorough business logic coverage requires more time than a standard OWASP Top 10 assessment because the tester must map application workflows and role structures before testing. A single SaaS application with three to five distinct user roles and a defined set of core workflows typically requires seven to ten business days of testing time. Applications with complex multi-tenant architectures or large API surfaces may take longer. A scoping call with a tester is the most reliable way to estimate timeline before committing to a proposal.