Author Topic: Pentesting at an hourly rate?  (Read 6007 times)
xXxKrisxXx (Hero Member, Posts: 512)
« on: October 11, 2011, 09:57:49 PM »

Hello!

Feel free to correct me if I am wrong, but I believe that at an enterprise level penetration testing contracts are paid at a flat rate? To those members who pen test in the corporate world, do these tests typically range from x to x depending on what needs to be done, or do various companies contract out penetration testers at a solid hourly rate?

I'm in a situation where I am partaking in a few freelancing websites, and there are folks who want this type of work done, and I have never thought, 'If I had to charge an hourly rate to do this type of work, how much should I charge?'. I saw one contractor's profile who has his rate set at $132 an hour, but he's located in the US. Of course I am sure it varies across the board depending on what country you're located in. My main question basically is, how much do you think is a minimal hourly rate to set for this type of work? I'm sure based on your experience levels and years in the field it must vary, but if anyone could help, I'm all ears!

Thanks,

Kris

eCPPT, GCIH, OSCP, OSWP
YuckTheFankees (Sr. Member, Posts: 324)
« Reply #1 on: October 11, 2011, 10:06:09 PM »

I'm not currently a pentester, but I have read a lot about certain jobs and how much they cost. I would think 130 per hour is on the low end of the scale, but I'm sure our experienced posters will have a much more accurate answer.

OSCP in progress
H1t M0nk3y (Hero Member, Posts: 864)
« Reply #2 on: October 14, 2011, 07:05:58 AM »

The answer is: it depends!

I will say what I think based on the current rates, in Ottawa, Canada.

1) Contract length
The longer the contract, the lower the rate. If you get a 5 day contract, you can ask $125. But for contracts longer than 15 days, it's hard to get more than $100. The reason is we live in a federal government city where applying for a contract requires lots of red tape. And since you don't win every time, you need to get your investment back in a shorter time frame. This also leads to less competition since most companies won't spend 10 hours responding to an RFP for a 5-day contract they may not win... The short/long contract rate has nothing to do with knowledge, just red tape.

2) Knowledge required
Pentesting a custom application that requires fuzzing and maybe writing your own 0-day requires more knowledge than running Nessus. I know, running Nessus is barely performing a VA and is not a pentest at all, but your competitors may bid a very low rate and just do that. The client gets screwed, but some of them don't care as long as they can say they had an external company performing a pentest. I hate that, but that's a reality... So be careful to stay competitive. Pentests cost a lot and many clients think they bring little back to a project, especially if the security was already pretty good. We always have to fight the perception that security is expensive and brings nothing back...

3) Long term relationship
Do you want a one-off, or to establish a long term relationship with your client? If you are relatively cheap and you do a good job, you have a good chance of getting other contracts with them. So unless you are so busy that you have to cancel offers all the time, you have to consider this.

4) Contractor or employee?
To me, an employee would probably make $45/hour for a typical engagement while a consultant would average $100/hour. And really, at the end of the year with all benefits taken into account, it's about the same amount of money. When you're a consultant, you don't work all the time, you have to train yourself, bid on projects, you don't get benefits, you need insurance, etc. So there are big differences there.

5) Time of year
In Ottawa, there are virtually no contracts between mid-July and mid-September because managers are on holidays. The best time of year is May-June when it's the beginning of the fiscal year for the federal government. So I would ask a lot less in August if I am out of work than I would in May. Check your region and find out how it works.

6) Are you that good?
I consider myself not too bad, but I am not a superstar at all! If I were to compete against Sil for example, I know I would have to ask a lot less per hour because after an interview, I would stand a chance. He can probably go 5 times faster than me. So 5 days of his work may look more attractive to a client than 10 days of mine... You've got to take this into account. Also, if a pentest requires very special knowledge and you know you have the experience, you may get more than your previous engagement where you didn't know that much. It's tricky.

At the end of the day, if you are a consultant, what you really want is to build relationships with clients and work full time. If you are an employee, you want to learn as much as possible, get lots of experience and... become a consultant! ;)

I hope that helped a bit.

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
millwalll (Guest)
« Reply #3 on: October 14, 2011, 07:59:56 AM »

I could not agree more; I think the points H1t M0nk3y makes are excellent. The points are pretty much the same here in the UK. Many companies get pen tests done but don't really want them. A lot of the time they are forced to have them done by other companies they deal with, and they do everything they can to make your life hard work.

And you also get companies that will just run Nessus, give the client a copy of the Nessus report and say job done. That makes it hard for good companies to get business, as those companies do not charge a lot and in the client's eyes they are getting the same job done for a much cheaper price; they don't understand the importance of getting the job done right.
impelse (Hero Member, Posts: 565)
« Reply #4 on: October 14, 2011, 08:32:17 AM »

Eventually those companies will pay for the services. Yes, they paid very little, but when they get the problem and know how they got it and how expensive it is, they will change their mind.

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
xXxKrisxXx (Hero Member, Posts: 512)
« Reply #5 on: October 14, 2011, 11:53:51 AM »

H1t M0nk3y - Superior response, and it makes complete sense. Comparing the rate with how much I was bidding for my services, it seems like I'm 'low balling' myself here. Definitely open to any other responses if anyone has anything else to contribute - although you nailed it dead-on, monkey.

Thanks all of you!

Kris

eCPPT, GCIH, OSCP, OSWP
impelse (Hero Member, Posts: 565)
« Reply #6 on: October 14, 2011, 12:54:07 PM »

I have a question: how do you market pen testing?

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
vp75 (Jr. Member, Posts: 78)
« Reply #7 on: October 14, 2011, 01:18:09 PM »

I agree that some companies, many of them, are not aware of actual security testing of their website or network.... They just do it as a formality. They do it for auditing purposes and that's it; not sure whether there is any action taken based on the report....


eCPPT
@~ the Hun (Newbie, Posts: 3)
« Reply #8 on: October 28, 2011, 07:29:54 PM »

I'm also interested in how people market pen testing. Naturally, you contact your existing customers asking whether they need a fresh test, or have contacts to whom they'll refer you, but for someone just hanging up their own shingle with no existing clients, where do you start?

I'm running a free test for a friend who is a business owner in the hope that he'll refer me to others, and that I'll get his repeat business once he sees the value a pentest offers. I can do this a few times for various groups, but I can't do it too often, or for too long.
3xban (Hero Member, Posts: 608)
« Reply #9 on: October 31, 2011, 08:44:41 AM »

For marketing them, I think it needs to be made clear to the client that a vulnerability assessment is NOT a penetration test. Will a vulnerability assessment satisfy some compliance requirements? Probably. But will it prove that those vulnerabilities can be exploited? No, it does not. The only way to do that is with a pen test. Why test? Why waste money on fixing something if it isn't truly broken? Why buy some new software tool if the threat truly doesn't exist? Though a full pen test can be pricey, it could prevent unnecessary long term costs from purchasing some subscription to automated scans or some piece of hardware you may not need.

Also, it will prove that your standard areas of protection are not necessarily the only attack vector. Most vulnerability assessments typically include network scans and audits of the patching and AV systems. Good assessors will look at safe ways to test the scan results but not actually try to gain access. Most will not run any social engineering, which, as we know, is one of the easiest methods to gain access to critical information.

Either test will result in the need to spend some money on improving the security posture. But some fixes are just re-tweaking your current infrastructure, while others may be investments in upgrading old or legacy products.

Certs: GCWN
(@)Dewser