Hey,

I am still quite new to the security field and someone asked me yesterday the question: "How much cost a pentest?". Althought the answer to this question is obviously "it depends", I realized I couldn't even answer with a price range. 

In addition, I was recently listening to a pentest security course and the teacher frequently mentioned that there are 2 kinds of pentesters: those who run Nessus and give the report they got and those who do it properly. So the following questions relate to a quality pentest, not just running a tool and printing the report.

For these 3 scenarios, what would be the effort (number of people, time) and the cost for a good test? I didn't give more details about these companies because we always have to give a price range without knowing much...

1) Small company of 10 employees.
2) A mid-size company of 100 employees.
3) A large company of 2000 employees.

My very humble rookie guess would be:

1) 1 person, 5 days, $2500
2) 2 people, 7 days, $7000
3) 4 people, 20 days, $40000

How far off am I? 

At the EC-Council website http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

I found this information concerning an indication of costs:

10. I would like to provide professional service as a CEH professional. What can I expect to be paid per assignment?

The remuneration per assignment will vary with specifics of the client environment. However, on an average you can expect to be paid around $15,000 to $ 45,000 per assignment.

I do not know in how realistic this information is but there is an big gap with  your guess!!! For consultancy work a fee of $500 a day isn't that "high".

You mention the client doing the math even if the job is per assignment... 

I have been in this situation as well and have to let the client know that I have experience in and licenses for specialized software their staff does not.  This is a huge factor in the cost. 

One thing that helps on a contract job is to get the client to allow a scope of internal/external testing that varies over a couple of weeks.  One person I know intentionally overlaps pentest clients (when work is plentiful).  Inevitably, while a pentest is going on, every IT problem is blamed on the test (even if only one or two people know about it).  He says he lets them call a couple of times about "problems he's caused" before he's ever probed the network.  He says it helps settle the client down before he actually touches anything.  Claims he's still doing company fingerprinting during that time (and he may actually be, but most of the time he's finishing reports from a prior test). 

This helps to:
1.  Prevent the client from thinking you can do it all in one day.
2.  Prevent the client from blaming perceived IT problems on the pentest.

Hope this makes sense/helps.  As far as cost goes, the cost depends most on the scope of the test.  A test that includes internal code review as opposed to simply fuzzing a web server will obviously cost more.  The second important factor (particularly in the current economy) is what match of test scope (value) to price ratio makes sense for the company.  Unless the company has specific compliance issues to address, you can sell the need for the most comprehensive test available (and they can believe the need 100%) but they won't bite if it doesn't make financial sense.

That's a tough question to answer.  I'd say a truly expert contract pen tester could draw in that much or more per day with no problem, but you are really comparing apples and oranges.

In my experience, when we hire a DB programmer or systems engineer it is to complete tasks on some project we are working.  The contract workers give some estimate of time expected to complete, but actual completion time depends on a number of factors that might not be clear until they actually start the project.

When you negotiate a pentest, you have negotiated to complete a specific scope of work (test X services on X servers, etc).  I have never been engaged in an open ended penetration test.  The penetration test is normally billed on a project basis, not an hourly or daily basis. 

To put a price on it though, I would have no problem charging (or paying, if I needed to) $500-1000 per day to a contractor for expert penetration  testing services.  In my experience, anything under $80/hr is a deal for expert contracting services, $100-120 is about average, and anything more than $150 had better bring something darn special to the table.

That being said, I view a pentest much more like outsourcing a module of code to be written.  I spec out what needs to be written, a contractor submits a bid, I hire, pay, and get the code.  I don't care how many man hours it takes for them to do it (as long as it is delivered on the agreed upon schedule).

Thanks again for your answers.

What I meant by:

Is the more things you have to know in order to perform a given job, the more difficult it is to find a person like that. In other words, the offer becomes lower and lower. Therefore, salary tend to rise a bit.

But thank you for your answers!

I'm coming in late, to this one, as work's been crazy busy this past week...  that said -

There are too many variables to give a 'flat rate,' at least if you're a smaller shop, doing this type of work.  Companies like Core are coming around, and offering some very nice prices for smaller gigs, and you really need to be able to compete, so you'll need to look at the market in your area,  scope of the test, the depth of products / services you need to evaluate in the test, the number of machines, the time involved, etc.  You need to intelligently come up with some pricing that takes EACH of these into account, and have a price schedule you can work from, accordingly, to determine the cost of any given engagement.  I can't count on both hands and feet the number of engagements, in the last year, where I've custom quoted pricing (and gotten the engagement over other firms) because I've been more flexible, and not come with a set price.