How Much Does an External Penetration Test Cost?

Note from the Editor: This is the fifth installment of an 8-part blog series entitled, “Everything you need to know about an External Penetration Test.” To read the series from the beginning, start at “What is an External Penetration Test?”

An external penetration test is designed to test the perimeter security of your organization. The tester takes the role of an attacker outside your network who is trying to breach it, compromise your Internet-facing hosts, or discover sensitive information on public assets that could damage your company’s reputation (for more information, read our complete external penetration test guide). As such, an external penetration test is one of the most important assessments for any organization. Not surprisingly, it is also a requirement for compliance with many standards, including PCI. Because of that, many of our clients want to know how much an external penetration test costs, as well as what factors may increase or decrease that cost.

External Penetration Test Cost at a High Level

In almost every penetration testing service, cost boils down to time. The most expensive operating cost of any penetration testing firm is the salary of their engineers. The more qualified the engineer, the more expensive their time is. Additionally, the scope of the penetration test will play a large role in the cost. Simply speaking, the more IP addresses you have on your Internet perimeter, the more time an engineer must spend to provide a thorough test.

On average, for an organization with a limited number of Internet-facing hosts (ten or fewer), an external penetration test will start around $3,350. On the other end, for a company with a larger Internet presence (fifty or more), an external penetration test can cost upwards of $8,000. Again, this all boils down to how long it will take a skilled engineer to perform the assessment.

Factors That Can Change the Cost

While the cost range above is a good starting point, the cost you receive from a penetration test could vary dramatically based on several factors. Below are some major factors for you to consider when scoping and selecting a penetration testing firm.

Number of IP Addresses

The biggest cost factor for an external penetration test is the number of IP addresses on your Internet perimeter, because it dictates how much time is spent testing. One way to reduce this cost is to limit the penetration test to the Internet hosts that actually have ports open and services listening. Simply put, if an Internet host has no listening services, an attacker has nothing to attack. Some organizations choose to test their entire range so that a qualified third party verifies there are no services listening, but often, especially when cost is a concern, that verification can be done internally.
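The scoping step described above, narrowing the range to hosts that expose a listening service, is easy to do in-house from a port scan before asking for a quote. The script below is an added example and not code from the article or from SIG: it parses nmap's "grepable" (`-oG`) output, keeps only hosts with at least one open port, and maps the resulting host count onto the price brackets quoted in this post. The scan output embedded in it is constructed for illustration (TEST-NET-3 documentation addresses, invented hostnames and services), not a real scan, and the `nmap -oG` field layout it assumes is `Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...`.

```python
"""Scope an external penetration test to hosts with listening services.

Added example: parse nmap grepable (-oG) output and report which hosts on the
perimeter actually expose an open port, since only those consume tester time.
"""
import ipaddress

# Constructed sample of `nmap -oG` output. Addresses are from the TEST-NET-3
# documentation range; hostnames, ports and services are invented.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 (www.example.net)\tStatus: Up
Host: 203.0.113.10 (www.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx/\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 80/closed/tcp//http///, 25/filtered/tcp//smtp///\tIgnored State: filtered (998)
Host: 203.0.113.12 (vpn.example.net)\tStatus: Up
Host: 203.0.113.12 (vpn.example.net)\tPorts: 1194/open/udp//openvpn///\tIgnored State: closed (999)
Host: 203.0.113.13 ()\tStatus: Down
# Nmap done (constructed sample)
"""


def parse_grepable(text):
    """Return {ip: [(port, state, proto, service), ...]} for every Host: line.

    A host that appears only with a Status: line (no Ports: field) is kept
    with an empty list, so the caller still sees it as part of the range.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]          # "Host: 203.0.113.10 (name)" -> ip
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                # port/state/proto/owner/service/rpc/version/
                parts = entry.split("/")
                if len(parts) < 5:
                    continue           # malformed entry; skip rather than crash
                hosts[ip].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def open_services(hosts):
    """Only the open ports per host, dropping closed/filtered entries."""
    return {
        ip: [(port, proto, svc) for port, state, proto, svc in ports if state == "open"]
        for ip, ports in hosts.items()
    }


def in_scope_hosts(hosts):
    """Hosts with at least one open port: the ones worth paying to have tested."""
    return sorted(
        (ip for ip, services in open_services(hosts).items() if services),
        key=ipaddress.ip_address,
    )


def cost_bracket(host_count):
    """Map an in-scope host count onto the ranges quoted in the article."""
    if host_count <= 10:
        return "small (ten or fewer hosts): starts around $3,350"
    if host_count >= 50:
        return "large (fifty or more hosts): upwards of $8,000"
    return "mid-size: between the two published figures; ask for a scoped quote"


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    scoped = in_scope_hosts(parsed)
    print(f"{len(parsed)} hosts scanned, {len(scoped)} with listening services:")
    for ip in scoped:
        listening = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in open_services(parsed)[ip])
        print(f"  {ip}: {listening}")
    print("Bracket:", cost_bracket(len(scoped)))
```

Run it against a real `nmap -oG perimeter.gnmap <your range>` file instead of the constructed sample and the in-scope list is what you hand to the testing firm. The hosts it drops (closed or filtered everywhere, or down) are the ones you can verify yourself rather than pay an engineer to confirm.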

Black Box, White Box, or Gray Box Testing

Also known as zero-knowledge testing, black box testing has the testing organization start without knowing the IP addresses or hostnames of the systems in scope. As part of the test, the engineer will attempt to enumerate your organization’s hosts and then proceed to target them. This type of test has the advantage of being more realistic and of giving you a better understanding of what public information is available about your company. Its disadvantage is cost, because the engineer has to spend an extra 8 to 16 hours on enumeration before the assessment itself can begin.

Retests

Some organizations require a retest of the findings discovered during the penetration test. This is typically driven by a compliance requirement. However, sometimes it derives from the need to show the penetration test to a prospective/current client. Some penetration testing firms will bundle a retest as part of the up-front cost. Others may charge separately for it. On average, a retest will cost up to half of the cost of the original assessment. This can be significantly reduced if you only want to retest the critical/high vulnerabilities.

Night Testing

Not every penetration testing firm charges extra for after-hours testing, but many do. Although after-hours testing might reduce the impact of a penetration test, it is often unnecessary.

Skill of the Engineers

This one is much harder to quantify. Clients come to us and ask why the quotes they receive vary so much. Sometimes the difference comes down to scoping, but a lot of the time it depends on the level of engineer who will perform your assessment, and therefore on the quality of work you will get.

On the lower end, these penetration tests will likely be little more than a vulnerability scan (here is the difference between a vulnerability scan and a penetration test), and not a true assessment of the risks to your organization. On the higher end, they usually involve engineers who are very talented and are recognized leaders in the field of information security. Depending on the needs of your organization and the maturity of your security program, that might be overkill for what you are looking for.

For more information, reach out to to set up a call to discuss today.

About the Author:

Matt Miller is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.
