Penetration Testing mailing list archives
RE: Pen-testing - pricing model
From: Omar Herrera <oherrera () prodigy net mx>
Date: Fri, 01 Dec 2006 18:59:04 -0600
Hi Chris,

Estimating the price with just the general goals is very difficult. You might find it easier to have a few more variables, for instance: number of consultants involved along with their credentials (years of experience, certifications, ...), resources (hardware, software, bandwidth).

For example, for scenario 1 one company might offer you 1 consultant with her/his PC, 8 hours a day for 2 weeks with a 1MB DSL line to do all the work, while another company might offer you something like 2 consultants and 1 Sr. consultant specialized in Web application testing for one week, 12 hours a day, one server for automated tasks, 3 PCs for manual tests and 5MB sustained bandwidth to conduct the tests.

Usually faster tests, more (specialized) consultants and more resources mean higher prices, but you should remember that scope does not only cover the objects of the test and the time, but also the depth (e.g. if you require the consultants to dedicate a minimum time to manual tests).

The best thing to do is to ask them for this information. Many companies do not disclose all the details (sometimes because they actually have no idea of what they are doing, but if this is the case you will find out very quickly). So with the scenarios you described, ask them to provide you with:

* The time required to finish the task (if you are not specifying this as a requirement; if you do, make sure it is reasonable).
* The number of consultants involved and their qualifications, with how many hours they are going to be involved (i.e. 1 jr. consultant + 1 sr. consultant during the whole engagement is not the same as 1 jr. consultant 100% of the time + 1 sr. consultant 20% of the time).
* Infrastructure and resources (hardware and software) involved (e.g. if each consultant has her/his own equipment and will work in parallel as soon as the automated tools return some results, or if they are going to do everything in sequence).

Armed with that information, you can estimate how much it would cost you to acquire or lease the infrastructure being devoted to the test that you do not possess (and how much it would cost you to divert resources to this engagement if you have them). You could probably also get some quotes for commercial software (e.g. if they use some vulnerability scanner for the corresponding phase).

Next, based on the qualifications of the consultants, you can do some quick research on how much someone with similar qualifications is being paid right now by the industry. Using the hours that each consultant will be involved, you can work out how much each consultant is costing the project (don't forget that the project manager and the staff making the reports and presentations look nice also cost). Also, you have to take into account that there will be other operating costs. After all, consultants need offices and facilities to do their job, and someone has to pay the hierarchy (huge companies tend to demand more money just to pay for their increased bureaucracy).

So, with these estimates you should have an idea of the profits that the pentest company is making. Each company will offer different things, but this is a good way to compare them with each other and determine if the price being offered is acceptable and competitive. Of course, you will need to get at least a few quotes from different service providers to actually see any difference. So, if you see someone making a profit of 20% and someone else offering you something for a 300% profit, you can be suspicious of the latter. It might even be the same price, but someone is putting more resources and quality into the job.

The hardest part would be to determine the depth you need. Assessing core servers from a financial institution is not the same as assessing core military servers or core servers from a small manufacturing company.

So be sure that all the quotes you get are from service providers that understand and have experience with your sector, to avoid comparing apples and oranges as much as possible. In any case, interview the technical people that would be in charge to justify their balance between resources and the cost of the project. If they are any good at what they are doing, they should be able to justify their choices, and it will be easier for you to pick out companies that are selling you more than you need just to make more money, or less than you require by offering you a cheap price to secure the contract.

This is really a very good question because comparing pentest proposals is not easy, as you can see, and even with some experience hiring companies you will make mistakes from time to time because this estimation process is by no means perfect, but it should clarify what you are paying for and justify future budgets.

I hope that this helps.

Regards,
Omar Herrera
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]

Hi list,

Those of you who work with this professionally, what sort of pricing model do you use? How do you assess what should be charged for the test, considering the fact that there are many types of pen-tests and all have different scope? I'm having a hard time figuring out if the prices that have been given to me are reasonable.

Say I were to give you one of the following scenarios, what would you charge (roughly)?

1. "Black box with shades of gray", 2 /24 networks, not all devices are active. External scan.
2. Internal scan, only devices
3. Internal scan, procedures, physical security and devices

I know this question is somewhat difficult to answer, because there is no correct answer, but any advice is welcome.

Cheers,
Chris
Current thread:
- Pen-testing - pricing model Chris Stromblad (Dec 01)
- RE: Pen-testing - pricing model Omar Herrera (Dec 03)
- Re: Pen-testing - pricing model Michael Weber (Dec 03)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 03)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 04)
- Re: Pen-testing - pricing model Kish Pent (Dec 10)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 11)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 13)
- Re: Pen-testing - pricing model Clint Laskowski (Dec 16)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 16)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 16)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 16)