Pricing

We offer transparent pricing across our service areas. Choose a tab below to see rates and how we structure engagements for Security Testing, Systems Engineering, and Security Leadership.

All of our prices are oriented around a base rate of £1,500 per day exclusive of VAT and expenses.

Security Testing

We offer transparent, scoped security work so you know what you’re getting and what it costs. Below we explain our engagement levels, how we price engagements, and how we protect you every step of the way.

Our Four Levels of Security Work

We structure security engagements by depth and complexity so you can choose the right tier for your needs. Each level has a distinctive scoping model regarding comprehensiveness and time.

These tiers are scaled in days by the complexity of your business, systems, and the size of your operation. Due to the high margin of our security work, we are very happy to provide an initial consultation completely free of charge to help you make the best decision for your business and receive a clear quote before we start.

Due to the nature of our work and every engagement being unique, we cannot provide direct pricing for these services here. However, if you’re curious about what we do and wonder if we’re a good fit for your business, we’re pleased to offer our Level 0 for a fixed rate of £3,000 to £7,500 (excl. VAT).

Level 0 — Offensive Security Taster — £3,000 to £7,500

This engagement, scoped based on your organisation’s complexity, involves a tightly scoped assessment of your current systems and a report with recommendations and advice. Should you decide to proceed with a higher level engagement, we will credit the cost of the Taster towards the more comprehensive engagement.

Level 1 — Technical Security Review

A technical security review is a comprehensive white-box audit of your systems, infrastructure, and practices. We will architect a threat model for your business and oversee your digital systems and security posture to identify the greatest potential weakpoints in your processes and stack. We will provide a report with recommendations for improvement and mitigation.

Level 2 — Manual Penetration Test

A manual penetration test is a grey-box test of how your systems and infrastructure are at risk of vulnerabilities and exploits. This is an intrusive test but with more pre-knowledge than a full red teaming engagement would have, which allows it to be completed in a shorter timeframe. We will provide a report detailing your vulnerabilities and where we were able to exploit them with proposals for improvement.

Level 3 — Adversary Simulation and Red Teaming

An adversary simulation/red teaming engagement is a full-scale black-box attack on your systems and infrastructure. This is a very intrusive test performed with very limited pre-knowledge of your system architecture. This tier involves an information gathering phase which leads into our numerous attacks to break into your system just as an actual adversary would. By making information gathering part of our engagement, we can understand and demonstrate what critical information the business might be exposing. A red team engagement also involves post-exploit techniques which allow us to demonstrate just how much damage real attackers could do to your business, as well as attempts to avoid detection and maintain access. This tier is our most comprehensive and provides you with the most extensive report and understanding of how a genuine attack would play out.

How We Calculate Prices

We quote based on time and scope, not hidden fees. We estimate the time required for your chosen level given the complexity of your systems, then give you a clear fixed quote. You’ll see how the price is built: what we’re testing, what we’re delivering (e.g. report, retest), and any pass-through costs (such as legal documents) listed upfront. We may also charge for expenses such as travel, accommodation, and other costs we face during the engagement, but these will be clearly communicated and reflective of the actual costs incurred.

After a free discussion of your needs, we’ll reach an agreement on what level fits your needs best and draft a written quote so you can decide with full transparency.

Legal Protection for You

We take your protection seriously and all of our security work is conducted in accordance with the Computer Misuse Act 1990 and the UK General Data Protection Regulation (GDPR) along with any other relevant laws and regulations. Before any testing begins we work with solicitors specialising in this area of law to put in place a contract, Rules of Engagement (what we will and won’t do based on your requirements and authorisation scope), and NDAs you require where appropriate. You’re fully covered and in control. Any legal or administrative costs for these (e.g. legal review) are passed on to you pre-engagement.

You’re in Safe Hands

Admitting that your systems might not be secure can feel uncomfortable, but it’s the first step to making them safer. We never judge. Every organisation has room for improvement; our job is to help you find and fix them. You don’t need to feel embarrassed or vulnerable. We prioritise building trust as the foundation of our relationship, with clear boundaries and full legal protection. We provide you with the peace of mind to know that your systems have been done right, or how to make them right if they aren’t.

Security Leadership

Shellhex provides external security leadership for organisations that require experienced security oversight without hiring a full-time Chief Security Officer or Chief Information Security Officer. These services combine information security leadership (CISO) with broader organisational security strategy (CSO) and operate on a monthly retainer basis with ongoing advisory, strategy, and governance support.

Our Three Tiers

Choose the level of security leadership that fits your organisation. All tiers include partner pricing on Shellhex security testing services.

Tier 1 — Security Advisor — £2,000 per month (excl. VAT)

Experienced security guidance and oversight for smaller organisations, startups, and companies beginning to formalise their security practices.

Services include:

Security strategy and advisory support
Guidance on infrastructure and application security decisions
Security architecture review and recommendations
Incident response advisory and consultation
Consultation on security questions
Review of major infrastructure or system changes
Quarterly security posture and risk review

Testing benefits:

10% partner pricing on Shellhex security testing services

Ideal for:

Startups and small businesses
Companies beginning security maturity efforts
Organisations that want ongoing expert oversight

Tier 2 — Fractional CISO — £4,500 per month (excl. VAT)

Active information security leadership and governance support for growing organisations that require structured security oversight.

Services include everything in Security Advisor, plus:

Development and maintenance of security policies
Security roadmap development and planning
Participation in leadership or security meetings
Supplier and SaaS security reviews
Compliance readiness guidance (e.g. Cyber Essentials, ISO 27001)
Security architecture and infrastructure planning
Incident response planning and preparation
Annual threat modelling workshop

Testing benefits:

15% partner pricing on Shellhex security testing services

Ideal for:

SMEs scaling their technology infrastructure
Organisations pursuing compliance frameworks
Businesses requiring ongoing security leadership

Tier 3 — Strategic Security Partner — £8,500 per month (excl. VAT)

Comprehensive security leadership and programme management equivalent to a dedicated security executive guiding your organisation’s security strategy.

Services include everything in Fractional CISO, plus:

Full security programme leadership and strategic oversight
Board-level security advisory and risk reporting
Security architecture and long-term security planning
Staff security awareness sessions and training
Tabletop incident and breach simulation exercises
Security culture and operational security guidance
Priority security advisory access

Testing benefits:

20% partner pricing on Shellhex security testing services
Priority scheduling for testing engagements

Ideal for:

Organisations requiring dedicated security leadership
Businesses managing sensitive data or infrastructure
Companies seeking mature security governance

Partner Pricing for Testing Services

Clients subscribed to Shellhex Fractional Security Leadership receive reduced pricing on Shellhex security testing engagements. Discount structure: Security Advisor — 10%; Fractional CISO — 15%; Strategic Security Partner — 20%. These partner rates apply to security audits and reviews, vulnerability assessments, manual penetration testing, and red team engagements.

Ready for a no-obligation quote?

Get in Touch

Pricing

Security Testing

Our Four Levels of Security Work

Level 0 — Offensive Security Taster — £3,000 to £7,500

Level 1 — Technical Security Review

Level 2 — Manual Penetration Test

Level 3 — Adversary Simulation and Red Teaming

How We Calculate Prices

Legal Protection for You

You’re in Safe Hands

Systems Engineering

How We Price Systems Work

Security Leadership

Our Three Tiers

Tier 1 — Security Advisor — £2,000 per month (excl. VAT)

Tier 2 — Fractional CISO — £4,500 per month (excl. VAT)

Tier 3 — Strategic Security Partner — £8,500 per month (excl. VAT)

Partner Pricing for Testing Services