How Does Pentest Pricing Work and How to Choose a Penetration Testing Company
We find ourselves in an era dominated by automated hacking systems, frequent data breaches, and stringent consumer protection regulations such as GDPR and PCI DSS. In this landscape, penetration testing has evolved from being solely a requirement for financial institutions and government entities to becoming an essential security measure for businesses of all industries and sizes.
For many companies, this marks their first foray into the world of penetration testing, and it's not a straightforward journey. The initial challenge lies in selecting a suitable penetration testing vendor and understanding the many factors that contribute to pricing. The multitude of available penetration testing providers can be overwhelming, leaving you with pressing questions: How can you determine their competence? Can you gauge the depth of their security expertise from the assessment report? Are your applications truly secure, or did the tester miss critical vulnerabilities?
While there are no definitive answers to these queries, the encouraging news is that you can navigate this terrain more effectively by posing the right questions upfront. The paramount factors to consider can be categorized into three key areas: certifications, experience, and — of course — the cost associated with a pen test.
What is the cost of a penetration test?
It’s common for people to ask for the cost of a standard penetration test, but because IT systems vary so much in size and intricacy, the question is like asking how long it would take you to travel to an unspecified destination. It hinges on the specific context and the level of thoroughness required. A suitable analogy is painting a bridge: the cost depends on the bridge's dimensions and the number of coats desired. A thin coat leaves the bridge exposed to the elements, just as a shallow test leaves vulnerabilities undiscovered.
Average cost of a penetration test
Penetration tests are priced in a variety of ways, but an hourly rate, as opposed to an abstract total project cost, is a good way to make sure you’re getting the work you pay for. This hourly rate may range from $100-$300 an hour, and a total project may take between 20 and 100 hours for SMBs, more for enterprises.
The specific rate can differ among vendors, influenced by factors such as reputation, certifications, and any unique demands associated with the tester's expertise. However, if your test requires a longer period of time to complete (more than 15 days), it's possible to negotiate discounts.
Rates are typically either fixed or organized into tiers, contingent on the seniority of the consultant conducting the test. For more intricate and complex requirements, the rate may be higher, since it requires a more senior and seasoned security consultant.
Does the type of penetration testing affect the cost?
You may be curious about whether specific types of penetration tests, like a network penetration test or an application pen test, incur different costs. As mentioned earlier, penetration testing firms determine their charges by how long a project takes. However, there are common trends. For example, authenticated testing exposes more complicated attack vectors than unauthenticated testing, so network or application tests will usually cost more than basic attack surface analyses. Regardless of the specific test you need, the expense ultimately hinges on the scope and duration of the assessment.
How the scope affects the cost of a pen test
The scope of a pen test is shaped by multiple factors, including:
- Application Complexity: This encompasses factors like the size and intricacy of web application pages and features, impacting the depth of the assessment.
- System Accessibility: The ease of accessing systems plays a pivotal role; more accessible systems often require a broader scope.
- Assurance Level: The desired level of assurance acts as a guiding principle for scope determination, with higher assurance levels necessitating more extensive testing.
Scope Definition Process
Typically, the penetration test vendor requires a product demo or gathers information about your environment. A useful rule of thumb: the fewer questions a vendor asks during this phase, the less accurate the project quotation is likely to be.
Impact on Duration and Cost
Once the scope is established, the following factors can be determined, and these drive the overall cost:
- Duration: The number of hours and days needed to complete the assessment.
- Consultant Expertise: The seniority of the consultant required to deliver the sought-after assurance level.
Cost Examples
The cost of a web application penetration test can vary widely, ranging from $4,000 to $20,000:
- A small, straightforward web app test might take 3 days at a cost of $4,000 in total.
- A substantial, intricate web app test could extend over 10-15 days, costing around $20,000 in total.
Scope Variability
Scoping is not standardized, so estimates can vary. One organization might perceive a job as a 3-day task, while another might assess it as a 5-day endeavor. These are their best approximations, with exact duration often becoming apparent only during the work. Be sure to ask the pentesting firm if there are any overage charges if the project lasts longer than expected.
Fixed-Fee Tests
While certain vendors do offer "fixed-fee" penetration tests, it is worth doing your due diligence: research the provider more carefully and ask the right questions before committing.
Quality vs. Price
The quoted price should align with the quality of the penetration test. In an industry where evaluating test quality can be challenging, it is imperative to pose the right questions and conduct due diligence to ensure the selection of a reputable provider that delivers the desired level of security testing.
Certifications
In addition to considering the cost of a penetration test, certifications hold significant importance for prospective buyers, offering a valuable shortcut to establishing trust with a vendor.
Several esteemed certifications merit immediate attention in the cybersecurity field, including the Offensive Security Certified Professional (OSCP) and Certified Red Team Professional (CRTP) certifications. Many businesses also look for testers who are Certified Information Systems Security Professionals (CISSP), as this certification is common among IT professionals. There are many other certifications, however, each covering a wide array of subjects, from network infrastructure to cloud penetration testing and web application assessments.
Red Sentry, as a penetration testing company, has completed SOC2 Type II, and our penetration testers are OSCP, CRTP, CISSP, CEH, Security+, eJPT, and CNSS certified.
Certifications, although valuable, have their limitations. Given the vast array of technologies in existence, no certification can cover every one of them.
Being a penetration tester can be likened to being a doctor in certain respects. You possess a robust knowledge base and skill set, but there isn't always a standardized manual for each unique case you encounter. This is where experience becomes a crucial factor.
When evaluating the qualifications of a penetration testing company, it's important to ask about the actual individuals who will be performing the assessment. Do they possess the requisite certifications and relevant experience for the specific task?
This emphasizes a crucial takeaway: the credentials and expertise of the individual conducting the assessment hold equal significance to those of the organization they represent.
Experience
In addition to a penetration tester's certifications, the depth and breadth of their practical experience significantly influence the quality of a penetration test. A tester's extensive exposure enhances their proficiency in identifying a diverse range of security threats.
It's essential to recognize that not all types of experience hold equal value, as specific testing scenarios may require specialized skills in particular technologies, such as AWS Cognito or the Real-Time Messaging Protocol. Whenever possible, it's advisable to ensure that your prospective provider possesses relevant experience in the specific technologies you're working with.
However, it's worth noting that there may not always be a tester with experience in every existing technology, so some flexibility might be necessary. A skilled penetration tester should have the ability to adapt and learn about the technology under assessment, drawing from their expertise and principles from related domains. Nonetheless, this adaptability might entail a slightly longer familiarization period with the specific technology.
Defend against attacks with Red Sentry
This article aims to clarify several crucial considerations for selecting a penetration testing company and to provide insight into the cost of penetration testing services.
A solution like Red Sentry offers comprehensive penetration testing services in a matter of days. A common pain point for companies is that most penetration tests can take months to schedule and conduct, whereas Red Sentry can get you scheduled in 1-2 days, and your results in less than a week.
And if you’re getting a pentest for a compliance framework, like SOC2 or PCI, Red Sentry ensures you're ready for your compliance audit. To learn more about the importance of compliance, check out the first episode of Red Sentry’s Ctrl-Alt-Secure podcast, featuring a compliance expert at Secureframe, a provider of industry-leading compliance automation software.
Offering external, internal, and cloud penetration test options (plus much more), Red Sentry provides custom testing for your unique environment. You’ll be provided with actionable reporting, as well as an opportunity to retest after remediating your discovered vulnerabilities. Explore an example pen test report or schedule a demo today.
Red Sentry penetration testing services and offerings:
- Mobile App Pentesting
- Web Application Pentest
- Cloud Pentest
- External Pentest
- Internal Pentest