Note from the Editor: This blog is part 8 of a 10-part series on Everything you need to know about an Internal Penetration Test. To read the series from the beginning, please go to the blog, What is an Internal Penetration Test?
Perhaps an employee in your organization finds out that he or she is about to be fired and goes on a hacking spree. Or maybe Sally from accounting (sorry Sally) is always clicking on links that she receives in emails and you want to determine the risk that behavior poses to your network. An internal penetration test is designed to evaluate the risk of a malicious insider or an attacker who has already gained access to your organization. As such, an internal penetration test is one of the most important assessments for any organization. Many clients want to get an internal penetration test but are concerned about the cost. This blog will explain the costs and what factors influence the expense.
Internal Penetration Test Cost
In almost every penetration testing service, cost boils down to time: the time it takes for the engineer to perform the test. The more qualified the engineer, the more expensive that time is, and this cost gets passed on to the client. It stands to reason, then, that the more time it takes an engineer to test your network, the more it will cost. In an internal penetration test, that time estimate boils down to the number of systems that need to be tested. Simply put, the more devices that have an IP address on your network, the more time an engineer must spend to provide a thorough test and the higher the cost will be. Therefore, an internal penetration test’s cost will vary.
What factors into the cost?
The pricing you receive for a penetration test could vary dramatically based on several factors. Although we cannot cover all of the factors, here are some of the big ones you’ll want to consider when scoping and selecting a penetration testing firm.
Number of IP Addresses
The biggest factor in an internal penetration test’s cost is the number of systems being tested. This dictates how much time it will take to complete the testing.
Re-testing
Some organizations require a retest of the findings discovered during the penetration test. Often, this is because of a compliance requirement. Sometimes it derives from the need to show the penetration test to a prospective/current client. Some penetration testing firms will bundle a retest as part of the up-front cost, but others will charge separately for it. A retest can cost up to half of the original assessment depending on how many findings need to be retested. You can significantly reduce this expense if you choose to only test a subset of findings. For example, only retest the critical and/or high severity vulnerabilities.
After-Hours Testing
Although not every penetration testing firm will charge extra for after-hours testing, many do. After-hours testing might reduce the production impact of a penetration test, but many times it is not necessary. If you are concerned about production impacts, work with your penetration testing firm to coordinate down-time.
Skill of the Engineers
This one is much harder to quantify. We have clients come to us and ask why they are receiving quotes anywhere from $5,000 to $15,000, and they wonder why the ranges vary so much. Although we have found that sometimes the issue comes down to scoping, a lot of the time it varies depending on the skill level of the engineer (or team of engineers) and therefore the quality of work you will get.
If you’d like to learn more about internal penetration tests and receive a customized quote for internal penetration testing for your organization, please contact us today to schedule a call.
About the Author
Matt is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.