People are funny. Some companies won't bat an eye at dropping 30k for a pentest, usually because the results of a failure would be so damaging (look what happened to HBGary). But to someone whose livelihood doesn't depend on the web, they think our services are vastly overpriced; they think 1k is too much. Now we have pentesting companies racing to the bottom to deliver automated tests as cheaply as possible, giving people a false sense of security.
I was watching a video from one of the links I saw on this site, talking about how, given the hundreds of vulnerabilities coming out every day, it's only a matter of time before you get hacked (the video was focusing on mitigating damages, monitoring outbound connections, running browsers and email in VMs, etc.).
A cheap, automated pentest only scratches the surface and doesn't even begin to deal with the big picture view or how to focus on the things that matter most in securing your company.
BTW, the video was the "Special Webcast: How to Avoid Being Compromised? Featuring Dr. Eric Cole" at SANS.
Last edited by WCNA on Sun Mar 13, 2011 9:52 pm, edited 1 time in total.
ISC2 Associate, WCNA, CWNA, OSCP, Network+