Note from the Editor: This blog is the fourth installment of an 8-part blog series entitled, “The Complete Web Application Penetration Test Guide.” To read the series from the beginning, please go to the blog, What is a Web Application Penetration Test?
This blog will remove some of the mystery behind pricing for web application penetration tests. One of our core tenets is honesty and transparency, so if we can clarify the process of scoping out a penetration test and help you understand how much a web application penetration test is going to cost, it may make you more comfortable when comparing penetration testing firms. This blog will focus specifically on web application penetration testing, as this type of testing varies more widely in cost than almost any other we see across the industry.
Web Application Penetration Test Cost = Test Scope
The secret to web application penetration testing cost lies in the project scope. Understanding how a web application penetration test is scoped will help you understand the cost. What we’ve seen across the industry is that there are a couple of main components that matter:
- Unique Applications – the number of different applications that need to be tested
- Different Roles – how many different “angles” the application will be assessed from based on the different types of accounts that exist within the application (i.e., user, administrator, etc.)
- Screens or Forms – a count of the number of unique screens associated with the web application. This can be a very amorphous number that is hard to quantify, making it a fairly inaccurate part of the scope
Ultimately, the more accurate the scope is, the more accurate your testing price should be. Too much time and you’ll be paying for more than you need. Too little time and you’re likely not going to get a thorough and accurate assessment.
Now, you might take the same website to three different companies and get three very different quotes. Our goal is to standardize this process and take some of the guesswork out of it for you. Please reach out to us to get a customized quote for a web application penetration test.
About the Author:
JR Johnson is the Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and a MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.