Note from the Editor: This blog is the fifth installment of an 8-part blog series entitled, “The Complete Web Application Penetration Test Guide.” To read the series from the beginning, please go to the blog, What is a Web Application Penetration Test?
Wide variations in pricing between companies are one of the most common complaints we hear from clients comparing penetration testing quotes. This isn’t a new problem, and it can be frustrating, especially when you’re trying to compare services that are technical in nature. Information security consulting engagements and penetration tests may require some in-depth industry knowledge or past experience to understand exactly what your money is buying. This blog explores some of the factors that contribute to the variation in penetration testing quotes.
Why Do Penetration Testing Quotes Vary So Much?
1. The Cost of Penetration Testers Varies
A more skilled, senior-level penetration tester costs a lot more per hour than a junior-level penetration tester. That’s just the nature of the business. It is much like how a partner at a law firm is going to cost more than a paralegal. Extending that metaphor, do you want a paralegal defending you on murder charges? Do you need the partner reviewing an employment contract? The point is, you want a skilled tester assessing the security of your organization. However, there is a cost-benefit trade-off that is important to consider. An extremely cheap quote, when compared to others, may speak to the quality of resources you’re getting to test your organization’s security. And if you are checking a box for compliance, maybe that’s OK for you. But quality assessments take quality people who require quality pay.
2. The Scope of your Assessment is Wrong
Depending on who you talk to, the answers to the basic scoping questions every firm asks (how many hosts or applications are in scope, how many user roles need to be tested, whether testing is authenticated or unauthenticated, whether production or a test environment is the target) can come out completely different. Maybe you’re talking to a salesperson who doesn’t quite understand the technical aspects of your network or application. Maybe there’s simply a misunderstanding between you and whoever is scoping the work to be performed. Either way, this can cost you money, and you might not even realize it happened. It’s important to confirm an accurate scope of testing throughout the sales cycle, and to check that the scope written into the statement of work matches what was discussed. This ensures everyone is on the same page and you’re neither paying too much for testing nor paying for less coverage than you think you are getting.
3. You’re Scoped for a Vulnerability Scan Rather than a Penetration Test
We’ve talked about the difference between the two in another post, and it helps explain why some quotes are so much lower than others. Real penetration testing involves manual assessment and exploitation above and beyond a baseline vulnerability identification exercise. That takes more time, which in turn costs more money. Verify a firm’s testing methodology before engaging them to ensure it aligns with your testing expectations. Additionally, check which activities are and are not included in the quote, such as open source intelligence gathering during the discovery phase or lateral movement attempts during the post-exploitation phase; a quote that omits them will be cheaper, but it is not buying the same assessment.
4. Some Companies Charge a Premium
May as well stick with the lawyer comparison here. A large, famous firm likely charges a premium when compared to other firms for the exact same service. Penetration testing companies can work the same way: essentially a “brand” up-charge for big-name companies, or pricing intended to play up the exclusivity of certain organizations. This is generally pretty easy to spot, showing up as outliers on the high side when comparing quotes.
5. Penetration Testing Quotes are Generated by “Sales Guys”
What I mean by this is, whenever “sales guys” are involved there is some margin for price manipulation, for lack of a better term. Maybe you work for a large, well-known institution. The perception may be, “these guys have lots of money, let’s toss a little contingency on top.” Or on the flip side, maybe you’re getting a better deal because it’s a competitive bid. Either way, there’s definitely an artistic side to the way some penetration testing companies come up with numbers for cost. For what it’s worth, we try to standardize cost where possible to avoid this. Our prices are based on the size of the assessment you need and the time it will take to complete, so we avoid traditional sales tactics that only breed distrust and resentment.
Contact us today if you’d like a customized quote for penetration testing services or you’re having trouble comparing quotes across firms. We can help explain the discrepancies.
About the Author:
JR Johnson is the Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.