
How much cost a Pentest?

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Mar 16, 2010 6:57 am

How much cost a Pentest?

Hey,

I am still quite new to the security field and someone asked me yesterday the question: "How much cost a pentest?". Although the answer to this question is obviously "it depends", I realized I couldn't even answer with a price range. ???

In addition, I was recently listening to a pentest security course and the teacher frequently mentioned that there are 2 kinds of pentesters: those who run Nessus and give the report they got and those who do it properly. So the following questions relate to a quality pentest, not just running a tool and printing the report.

For these 3 scenarios, what would be the effort (number of people, time) and the cost for a good test? I didn't give more details about these companies because we always have to give a price range without knowing much...

1) Small company of 10 employees.
2) A mid-size company of 100 employees.
3) A large company of 2000 employees.

My very humble rookie guess would be:

1) 1 person, 5 days, $2500
2) 2 people, 7 days, $7000
3) 4 people, 20 days, $40000

How far off am I?  ;D
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Mar 16, 2010 8:36 am

Re: How much cost a Pentest?

The variables are not the size of the company and the number of employees. It's about the number of active hosts and the number of active/running applications. The second part you got almost right: what if I do the first one with 5 employees and complete it in 1 day?

I'd do it like this (for an external scan):

number of servers/systems
This may vary from 1 to about 10(?); if it gets any bigger, I'd do a pilot on a set of servers that are representative of the whole infrastructure.

number of active/running services
This may also vary a lot. If there is one active service (a dedicated mail server, for example) it takes a lot less effort to thoroughly scan the server. This, however, should be tested completely for vulnerabilities. What about custom-built applications? Do they require code review?

number of resources
How many people do you put on the job? This one goes with the next one:

number of days
How fast does the pentest have to be completed? This factor influences the resources factor.

There are a lot of other factors that influence the outcome of a price for a penetration test. I sure can't give you an accurate guess... anybody else?
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
Dutchie

Newbie

Posts: 33

Joined: Sat Jan 23, 2010 1:48 pm

Post Tue Mar 16, 2010 9:02 am

Re: How much cost a Pentest?

At the EC-Council website http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

I found this information concerning an indication of costs:

10. I would like to provide professional service as a CEH professional. What can I expect to be paid per assignment?

The remuneration per assignment will vary with specifics of the client environment. However, on an average you can expect to be paid around $15,000 to $45,000 per assignment.


I do not know how realistic this information is, but there is a big gap with your guess!!! For consultancy work a fee of $500 a day isn't that "high".
RA, CISA, CISSP, C|EH, C|HFI, CWSP, LPIC-1
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Mar 16, 2010 9:18 am

Re: How much cost a Pentest?

Thanks for your answers.

a pilot on a set of servers

That makes so much sense to reduce costs.

what if i do the first one with 5 employees and complete it in 1 day

Unless there is a real emergency for a pentest, I would think the client will find it "too easy" if things can get done in 1 or 2 days. Also, it may be hard to bill $3000/day for pentesting. Regardless if the contract is per diem or per assignment, the client will do the math. Don't you think?

on an average you can expect to be paid around $15,000 to $ 45,000 per assignment.

I read it too when I did my CEH, but it doesn't say much...

Has anyone else already done pentesting for a company?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Wed Mar 17, 2010 8:36 pm

Re: How much cost a Pentest?

You mention the client doing the math even if the job is per assignment... 

I have been in this situation as well and have to let the client know that I have experience in and licenses for specialized software their staff does not.  This is a huge factor in the cost. 

One thing that helps on a contract job is to get the client to allow a scope of internal/external testing that varies over a couple of weeks.  One person I know intentionally overlaps pentest clients (when work is plentiful).  Inevitably, while a pentest is going on, every IT problem is blamed on the test (even if only one or two people know about it).  He says he lets them call a couple of times about "problems he's caused" before he's ever probed the network.  He says it helps settle the client down before he actually touches anything.  Claims he's still doing company fingerprinting during that time (and he may actually be, but most of the time he's finishing reports from a prior test). 

This helps to:
1.  Prevent the client from thinking you can do it all in one day.
2.  Prevent the client from blaming perceived IT problems on the pentest.

Hope this makes sense/helps.  As far as cost goes, the cost depends most on the scope of the test.  A test that includes internal code review as opposed to simply fuzzing a web server will obviously cost more.  The second important factor (particularly in the current economy) is what match of test scope (value) to price ratio makes sense for the company.  Unless the company has specific compliance issues to address, you can sell the need for the most comprehensive test available (and they can believe the need 100%) but they won't bite if it doesn't make financial sense.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Mar 18, 2010 6:42 pm

Re: How much cost a Pentest?

Wow, thanks former33t, you definitely bring a different perspective! But since no one can answer my very vague question, here is another one:

As a contractor, how much can an expert pentester charge per day?

As a comparison, in my web application world, a system architect on a contract with 7 to 10 years of experience will get around $675/day.

How does this compare to a very good pentester? My feeling is the pentester needs to know more things than a system architect and therefore should get more $$.

What do you guys think?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Thu Mar 18, 2010 10:16 pm

Re: How much cost a Pentest?

That's a tough question to answer.  I'd say a truly expert contract pen tester could draw in that much or more per day with no problem, but you are really comparing apples and oranges.

In my experience, when we hire a DB programmer or systems engineer it is to complete tasks on some project we are working.  The contract workers give some estimate of time expected to complete, but actual completion time depends on a number of factors that might not be clear until they actually start the project.

When you negotiate a pentest, you have negotiated to complete a specific scope of work (test X services on X servers, etc).  I have never been engaged in an open ended penetration test.  The penetration test is normally billed on a project basis, not an hourly or daily basis. 

To put a price on it though, I would have no problem charging (or paying, if I needed to) $500-1000 per day to a contractor for expert penetration testing services. In my experience, anything under $80/hr is a deal for expert contracting services, $100-120 is about average, and anything more than $150 had better bring something darn special to the table.

That being said, I view a pentest much more like outsourcing a module of code to be written.  I spec out what needs to be written, a contractor submits a bid, I hire, pay, and get the code.  I don't care how many man hours it takes for them to do it (as long as it is delivered on the agreed upon schedule).
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Fri Mar 19, 2010 3:57 am

Re: How much cost a Pentest?

I see that a little differently. It's true you have to have more knowledge about security/tools/methods than testers in other fields, but that's just part of the game. I don't see that as a reason to pay somebody more. That's like paying a garbage man per kilo of garbage he has picked up. If one is on a route that has more garbage, he shouldn't get paid more. A garbage man is a garbage man, just like a security/penetration tester is the same as an application tester.

On price, that's just a different story. It depends on things like offer and demand. But when I look at the prices mentioned here I think that's pretty accurate (even though it's more like $1000 than $500).
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Mar 19, 2010 6:33 am

Re: How much cost a Pentest?

Thanks again for your answers.

What I meant by:
the pentester needs to know more things than a system architect and therefore, should get more $$


Is that the more things you have to know in order to perform a given job, the more difficult it is to find a person like that. In other words, the offer becomes lower and lower. Therefore, salaries tend to rise a bit.

But thank you for your answers!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Sun Mar 21, 2010 4:15 am

Re: How much cost a Pentest?

H1t M0nk3y wrote:Thanks again for your answers.

What I meant by:
the pentester needs to know more things than a system architect and therefore, should get more $$


Is that the more things you have to know in order to perform a given job, the more difficult it is to find a person like that. In other words, the offer becomes lower and lower. Therefore, salaries tend to rise a bit.

But thank you for your answers!


If that's the case then it's true. Like I said, it's an offer and demand thing. So when they ask a little more, they should get it.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Mar 21, 2010 7:36 am

Re: How much cost a Pentest?

I'm coming in late, to this one, as work's been crazy busy this past week...  that said -

There are too many variables to give a 'flat rate,' at least if you're a smaller shop, doing this type of work. Companies like Core are coming around, and offering some very nice prices for smaller gigs, and you really need to be able to compete, so you'll need to look at the market in your area, scope of the test, the depth of products / services you need to evaluate in the test, the number of machines, the time involved, etc. You need to intelligently come up with some pricing that takes EACH of these into account, and have a price schedule you can work from, accordingly, to determine the cost of any given engagement. I can't count on both hands and feet the number of engagements, in the last year, where I've custom quoted pricing (and gotten the engagement over other firms) because I've been more flexible, and not come with a set price.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Mar 22, 2010 6:44 am

Re: How much cost a Pentest?

I am not ready to do pentests now. In a couple of years, if things go well, I will know enough to do a good job (hopefully!!!).

Other than trying very hard to get experience by working with established professionals, when I start, I will probably ask a bit less than all the others in order to build my name...

I currently own a company, but I am more in web development than anything else right now. But I do know how a business works. I will try to start doing partnership or work for another company just to see how this pentest business works.

Anyway, as I said, I still have a few years ahead of me and I know that patience is gold!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
