
Pentest ROI Calculator

Translate your records-at-risk and current security maturity into an annualised loss expectancy, then compare that to your pentest spend. Per-record cost from IBM's 2024 Cost of a Data Breach Report; probability anchors from the Verizon DBIR 2024.


Inputs

Records at risk: customers, employees, transactions, anything per-record liability attaches to.

Pentest spend: engagement fees, including retests and report production.
Result

Expected annualised risk (no pentest): $6,790,000
Expected annualised risk (with pentest): $4,040,050
Annual risk avoided: $2,749,950
Net benefit vs spend: $2,724,950
ROI: 10900%
Payback: 0.1 mo
Worst-case breach: $48,500,000
Method

Per-record cost: $194 (SaaS / Tech, IBM Cost of a Data Breach 2024).

Annual breach probability: 14.0% at current maturity (Verizon DBIR 2024 baselines).

Pentest impact: probability × 0.70 and per-breach cost × 0.85 (organisations with an annual pentest + tested IR plan, IBM CODB 2024).

Expected annualised loss = probability × per-incident cost (single-loss expectancy × annualised rate of occurrence — the canonical FAIR/ALE formulation).

FAQ

Where do the per-record cost numbers come from?

IBM Security's Cost of a Data Breach Report 2024 (published annually with the Ponemon Institute). The 2024 global average is $169 per compromised record. Per-industry rates: healthcare $399, financial services $283, SaaS/tech $194, retail $175. These are blended across record types (PII, payment cards, health records, intellectual property) and across direct + indirect costs (notification, forensics, regulator fines, lost business). The IBM methodology is publicly documented and used by most insurers and CISOs as the per-record anchor.

Where do the probability numbers come from?

The Verizon Data Breach Investigations Report (DBIR) 2024, normalised to annualised breach frequency across organisation maturity tiers. Organisations with no formal security program experience a ~28% annual breach probability; basic controls (firewall + antivirus + occasional patching) drop it to ~14%; an annual pentest plus EDR drops it to ~8%; a mature program with continuous testing and a 24/7 SOC drops it to ~4%. These are baselines — your real number depends on your attack surface, sector, geopolitical exposure and prior incident history.

Is a 30% probability reduction from pentesting realistic?

It is consistent with the IBM CODB findings. The 2024 report shows organisations with an extensively used incident response plan + regular IR testing experience breach costs $1.49M lower than the global average, and the probability difference between 'tested' and 'untested' security control populations is large and consistent year-over-year. We use 30% probability reduction × 15% cost reduction as a deliberately conservative pair — most published academic estimates run higher. If anything the calculator under-states ROI for organisations starting from a low maturity base.

What is annualised loss expectancy and why use it?

Annualised Loss Expectancy (ALE) is the canonical FAIR (Factor Analysis of Information Risk) and SP 800-30 metric for monetising security risk: ALE = Single Loss Expectancy (SLE) × Annualised Rate of Occurrence (ARO). SLE is per-record cost × records at risk; ARO is your annual breach probability. The calculator computes ALE before and after a pentest investment and surfaces the difference. This is the same maths your insurer uses when pricing your cyber policy — running it yourself lets you sanity-check premium quotes.
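The arithmetic from the Method section and this FAQ entry, as an added example that is not the calculator's own code. The per-record and probability anchors are the ones quoted on this page; the inputs of 250,000 records and a $25,000 pentest spend are assumptions, chosen because they reproduce the figures shown in the Result section.

```python
# Added example: ALE before/after a pentest, using the anchors quoted on this page.
# The 250,000 records and $25,000 spend used in __main__ are assumed inputs.

# Per-record cost anchors quoted on the page (IBM Cost of a Data Breach 2024), USD.
PER_RECORD_COST = {
    "healthcare": 399,
    "financial_services": 283,
    "saas_tech": 194,
    "retail": 175,
    "global_average": 169,
}

# Annual breach probability by maturity tier as quoted on the page (Verizon DBIR 2024 baselines).
BREACH_PROBABILITY = {
    "no_program": 0.28,
    "basic_controls": 0.14,
    "annual_pentest_edr": 0.08,
    "mature_continuous": 0.04,
}

def pentest_roi(records, industry, maturity, pentest_spend,
                prob_factor=0.70, cost_factor=0.85):
    """Return the before/after ALE figures for one pentest investment.

    SLE = per-record cost x records at risk (the page's "worst-case breach").
    ALE = SLE x ARO, where ARO is the annual breach probability.
    With a pentest the page applies ARO x prob_factor and SLE x cost_factor.
    """
    sle = PER_RECORD_COST[industry] * records
    aro = BREACH_PROBABILITY[maturity]
    ale_before = sle * aro
    ale_after = (sle * cost_factor) * (aro * prob_factor)
    avoided = ale_before - ale_after
    net_benefit = avoided - pentest_spend
    return {
        "worst_case_breach": round(sle, 2),
        "ale_no_pentest": round(ale_before, 2),
        "ale_with_pentest": round(ale_after, 2),
        "risk_avoided": round(avoided, 2),
        "net_benefit": round(net_benefit, 2),
        "roi_pct": round(net_benefit / pentest_spend * 100, 1),   # page rounds to 10900%
        "payback_months": round(pentest_spend / (avoided / 12), 2),  # page shows 0.1 mo
    }

if __name__ == "__main__":
    for name, value in pentest_roi(250_000, "saas_tech", "basic_controls", 25_000).items():
        print(f"{name:>18}: {value:,}")
```

Changing the maturity tier or industry key shows how much of the result is driven by the baseline probability rather than by the pentest factors themselves.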

What about non-monetary impact — brand damage, executive churn?

The calculator omits those because they are hard to defend numerically. The IBM per-record figure already includes some indirect costs (post-breach customer churn is the single largest line item in many breach reports). It does not include CEO departure, regulator consent-decree compliance overhead, or shareholder lawsuit settlements — those are real but vary by jurisdiction. Treat the calculator output as a floor on financial impact; the actual ceiling for a public breach with regulator action attached is typically 2–4x the calculated number.