We have used local (to Indiana) companies, so I can’t really recommend a specific vendor, but I can mention what we have done and about how much we’ve paid with 3 different vendors for annual security audits over the past 3 years.
We typically pay $15k-$18k each year for the following:
- Security Assessment & gap analysis - about $4k
- Phishing and pretext calling tests - about $3k
- Penetration test - $5k
- Internal vulnerability scan (70 production server IPs) - $3k-$5k
Of course, we are an insurance company and must have these done as part of compliance, so it’s possible we are paying a higher rate?
Hope that helps.