Top 5 Reasons Web Penetration Testing Quotes are Different

Note from the Editor: This blog is the fifth installment of an 8-part blog series entitled, The Complete Web Application Penetration Test Guide. To read the series from the beginning, please go to the blog, What is a Web Application Penetration Test?

One of the most common complaints we hear from clients comparing penetration testing quotes is that the wide variation in pricing between firms is hard to make sense of. This isn’t new, and it is frustrating, especially when the services being compared are highly technical.

Understanding exactly what your money buys in an information security consulting engagement or a penetration test can require in-depth industry knowledge or past experience with these assessments. This article explores some of the factors that contribute to the variation in penetration testing quotes.

1. The Cost of Penetration Testers Varies

A more skilled, senior-level penetration tester costs a lot more per hour than a junior-level penetration tester. It is much like how a partner at a law firm is going to cost more than a paralegal.

Extending that metaphor, do you want a paralegal defending you on murder charges? Do you need the partner reviewing an employment contract?

The point here is that you want a skilled tester assessing the security of your organization. However, there is a cost-benefit trade-off to consider.

A quote that is extremely cheap compared to the others may say something about the quality of the people who will be testing your organization’s security. If you are only checking a box for compliance, maybe that’s acceptable for you. But quality assessments take quality people, and quality people require quality pay.

2. The Scope of your Assessment is Wrong

Depending on who you talk to, the answers to the basic scoping questions every firm asks (such as how many applications, how many pages or endpoints, how many user roles, and whether testing is authenticated or unauthenticated) can come out completely different.

Maybe you’re talking to a salesperson who doesn’t quite understand the technical aspects of your network or application. Maybe there’s simply a misunderstanding between you and whoever is scoping the work to be performed.

Either way, this can cost you money without you ever realizing it happened, in both directions: an overscoped engagement means paying for testing you don’t need, and an underscoped one means parts of your application go untested. It’s important to confirm an accurate scope of testing, in writing, throughout the sales cycle.

This ensures everyone is on the same page and you’re paying for exactly the testing you need.

3. You’re Scoped for a Vulnerability Scan Rather than a Penetration Test

Real penetration testing involves manual assessment and exploitation above and beyond a baseline vulnerability identification exercise. That takes more time, which in turn costs more money.

Verify a firm’s testing methodology before engaging in an assessment to ensure it aligns with your expectations. A useful check is to ask whether the quoted hours cover manual testing and exploitation or only running and triaging a scanner. Also confirm which phases are included: activities such as open source intelligence gathering during the discovery phase or lateral movement attempts during the post-exploitation phase may be left out of a cheaper quote.

We cover the difference between a vulnerability scan and a penetration test in a separate post. It helps explain why some quotes are so much lower than others.

4. Some Companies Charge a Premium

Staying with the lawyer example, a large, famous firm is likely to charge a premium compared to other firms for the exact same service. Penetration testing companies can work the same way: a “brand” up-charge for big-name companies, or a price that plays up the exclusivity of a particular organization.

This kind of pricing is generally easy to spot, showing up as outliers on the high side when you compare quotes.

5. Penetration Testing Quotes are Generated by “Sales Guys”

What I mean by this is that whenever sales (typically non-engineer, sales-only roles) is involved, there is some chance of price fluctuation that has nothing to do with the work.

For example, maybe you work for a large, well-known institution. The perception may be, “these guys have lots of money, let’s toss a little contingency on top.” Or, on the flip side, maybe you’re getting a better deal because it’s a competitive bid.

There’s definitely an artistic side to the way some penetration testing companies arrive at their numbers. We make every effort to standardize cost where possible to avoid this.

Our prices are based on the size of the assessment you need and the time it will take to complete, avoiding traditional sales tactics that breed distrust and resentment.

Contact us today if you’d like a customized quote for penetration testing services or you’re having trouble comparing quotes across firms. We can help explain the discrepancies.


About the Author:

JR Johnson is the Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.
