Updated: April 9, 2018
How Much Should You Pay for A Pen Test?
It’s my job to ensure that we’re priced right and delivering a strong value for what we charge. Yet, I’m continually amazed at the price differential I am seeing for penetration tests (pen tests). With prices ranging from $1,500 to hundreds of thousands of dollars, I can imagine how difficult it might be for our customers to understand how penetration testing pricing works.Similar to many things that you buy, generally the higher cost products tend to be better than the lower cost products. While this is likely true in the pen testing world too, how do you know what is adequate for your needs? Even though there’s a need for high dollar tests at the highest category, most companies don’t need to spend $250,000 on a multi-month penetration test. For just one week of penetration testing, pricing ranges from $1,500 to about $15,000 for a full retail price. However, not all pen tests are equal.Here’s a breakdown of why pen testing prices are so different. There are other elements that might come into play, such as on-site vs. remote and remediation testing, however this list focuses on the penetration test work itself.
Skill Set
Not all pen testers are the same, and the proposed pen test pricing should reflect that. For example, some pen testers are incredible at hacking Windows systems, but are not nearly as strong when it comes to Linux or mobile technology. Make certain that the team is well versed in all technologies that you have in scope. Many environments have a huge mix of Linux, Windows, Android, iOS, Mac OS X, Cisco IOS, Wireless networks, and others. Your pen tester needs to have skills in all of the areas that affect your environment to perform a valid test.
Time Dedicated to the Job
The amount of time that a penetration tester spends on a job can really vary, leaving lots of room in how the jobs are quoted. Some pen testers believe that a week, two weeks, or even months are required to get a comprehensive test completed on your network. If you’re quoted anything less than a week, I would hope that it’s an extremely small scope of just a few IPs with no services running on them. Otherwise, I’d be skeptical. The key here is to make sure the time spent on the job makes sense with what you’ve deemed in scope for the test. Keep in mind a single IP with a large customer facing web portal with 10 user roles will take a lot more time than 250 IP addresses that only respond to ping.
Methodology
There’s a few different ways to complete a penetration test. I’ve broken them down into types for reference.
- Type A would be to search for the low hanging fruit and gain access to a system as quickly as possible. The goal would be to pivot, gain additional access to other systems, ensure retention of the foothold, and finally exfiltrate data. This is a true penetration test and demonstrates exactly what would happen in the event of a real world breach. Some companies call this a “deep” penetration test as it gains access to internal systems and data. It’s the type of test that we prefer to do and what I would recommend as this is what the real adversarial hackers are doing.
- Type B searches for every possible entry point and validates that the entry point actually is exploitable. This validation is most often completed by performing the exploit and gaining additional privileges. The focus with this type is to find as many entry points as possible to ensure they are remediated. The underlying system might be compromised, but the goal is not to pivot, breach additional systems, or to exfiltrate data. This type is often useful for regulatory requirements as it provides better assurance that all known external security vulnerabilities are uncovered.
- Type C is really more of a vulnerability scan where the results from the scanner report are validated and re-delivered within a penetration testing report. Many of your lower cost firms are delivering this as a penetration test, although it really isn’t one. It’s just a paid vulnerability scan, and, in some cases, that might be all you need. We offer a vulnerability scan called the BSA on an automatic, recurring basis and it is very useful in discovering new security risks that are caused by changes to the environment or detecting emerging threats. No, it’s not a pen test 😉
My recommendation would be to ensure both Type A and B are part of your pen test. This means that even a small IP range will have a week long test at a minimum, but it is the most comprehensive way to pen test your environment and best meets regulatory requirements as well. Type A will ensure that a test is completed allowing pivoting and exfiltration of information. Type B will get you that comprehensive test of any vulnerabilities found to ensure that you’re fixing real issues and not false positives.
Don’t Go too Low
If someone is offering you a pen test for less than $3,000 for an entire week of effort, I would be very skeptical that you’re getting an actual penetration test. The ethical hackers that perform these tests are costly, and as they don’t work for a salary that would fit the bill rate. Remember that these resources need to understand networking, operating systems, applications, and security all at the same time. In addition, there is also cost overhead from operating a business that should be considered.Regardless, penetration testing is a vital part of a strong security program. Most regulations and security professionals recommend it be performed annually. It’s better to be hacked by a pen testing vendor than the alternative, so give us a call at Raxis, and we’ll be glad to help you improve your security by uncovering any hidden security risks.