Penetration Testing mailing list archives
Re: Pen-test pricing
From: Matthew Caston <mattcaston () mchsi com>
Date: Thu, 03 Feb 2005 11:37:43 -0600
Andre,
For a good pentester using custom tools/scripts (not COTS software) doing a true pentest (not just a vuln scan) you should expect to pay between $225-350 USD per hour - in today's market. Although you may be able to find independent contractors, or boutiques who do it for less. Either way, make sure you do your due diligence on the actual testers, not just the companies. Many use a bait and switch and opt for automated tools rather than true hands-on expertise.
On average most of my previous clients were looking for external pentests of their DMZ environment which in turn contained 20-30 target servers - depending on final scope we would charge from $25-40k on average, with some of the more detailed tests reaching $60k and above. It really does depend on the desired level of detail, reporting and explanation of discovered vulns as well as the testing profile itself. I.e. do you want a real world simulation to see if your HIDS/NIDS (CERT personnel) picks up the test; is it a true blind test with no intel provided up front and so on....
If you're interested, I can put you in touch with some former employees and colleagues who are widely regarded as some of the best in the business - even if you're not ready to buy, I'm sure they would be willing to chat with you in re: objectives/options/cost.
Regards, ...
Andre Derek Protas wrote:
Does anyone have any good figures on pricing for pen-tests? Is charging done per server, location, or hour? Any help would be appreciated.
::andre::