Penetration Testing mailing list archives
Re: pricing model for Pen-test
From: <dave () immunitysec com>
Date: 16 Nov 2003 09:08:37 -0000
In-Reply-To: <20031116025452.2C54A43042 () maja zesoi fer hr> This sounds like a good way to get totally chewed up. A fixed price also has a high risk for you, the pen-tester. The cost of that risk is built into the price. In addition, a fixed time schedule prevents "free" overruns as the client delays waiting for their network people to fix bugs while you perform your test. It also enables you to accurately and effectively staff your projects. (Just a quick warning for those people starting their own businesses out there.) Dave Aitel Immunity, Inc.
From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr> To: <pen-test () securityfocus com> Subject: RE: pricing model for Pen-test Date: Sun, 16 Nov 2003 15:54:51 +1300 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.5510 In-Reply-To: <20031114105508.24069.qmail () sf-www2-symnsj securityfocus com> X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: AcOr4wU4kGNcoLCUQpmSXHLUCARlrgACW9Lw Message-Id: <20031116025452.2C54A43042 () maja zesoi fer hr> X-Virus-Scanned: by amavisd-new at maja.zesoi.fer.hr-----Original Message----- From: dave () immunitysec com [mailto:dave () immunitysec com] Sent: Friday, 14 November 2003 11:55 p.m. To: pen-test () securityfocus com Subject: Re: pricing model for Pen-test In-Reply-To: <20031112204753.26518.qmail () sf-www3-symnsj securityfocus com> Any pricing based on a per-IP is bogus anyways. The client knows you are doing a time-based estimate. Just say "6 Class C assessment for 2 weeks is 10K" the same as a "1 Class C assessment for 2 weeks" . As long as you define the scope to basically be a nessus scan plus any extra time that you have goes into "verification" you have all the wiggle room you need. And pricing based on a time estimate is more honest, in my opinion, than tried to develop some complex price scaling algorithm based on scope. Your SOW should have the time limit explicitly in it.I agree with Dave, a total price should depend upon time it took you to run the penetration test, analyze the results and create the final report (plus eventually presentation). The problem is that the customer usually wants a fixed price. As a rule of thumb, you can use OSSTM rules. However, what I usually like is that we give a top price to the customer (like this is the biggest price it'll cost you) and then, at the end, calculate used hours. Obviously, if our estimation of top price was correct, used hours * price per hour will be near that. If it's below, even better for the customer (that means we spent less time then we thought we'll need). On the other hand, if price is above the agreed top price - then we charge agreed top price and loose the rest. I think this is pretty fair to the customer, you just have to be good in predictions :) Regards, Bojan Zdrnja CISSP --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_pen-test_031023 and use priority code SF4. ----------------------------------------------------------------------------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_pen-test_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- pricing model for Pen-test a55mnky (Nov 12)
- RE: pricing model for Pen-test Robert E. Lee (Nov 15)
- RE: pricing model for Pen-test Pete Herzog (Nov 15)
- Re: pricing model for Pen-test Martin Mačok (Nov 15)
- <Possible follow-ups>
- Re: pricing model for Pen-test dave (Nov 15)
- RE: pricing model for Pen-test Bojan Zdrnja (Nov 15)
- Re: pricing model for Pen-test dave (Nov 16)