Penetration Testing mailing list archives
Re: Pen-testing - pricing model
From: "Michael Weber" <mweber () alliednational com>
Date: Sat, 02 Dec 2006 07:54:36 -0600
Greetings.
On 11/30/2006 at 3:59 AM, Chris Stromblad <chris () fragzone se> wrote:

Hi list,

Those of you who work with this professionally, what sort of pricing model do you use? How do you assess what should be charged for the test? Considering the fact that there are many types of pen-tests and all have different scope, I'm having a hard time figuring out if the prices that have been given to me are reasonable.

Say I were to give you one of the following scenarios, what would you charge (roughly):
<snip>

What you list is not nearly enough information to give even a "rough" estimate. However, you didn't ask for a price quote, you asked for a price model. Here's what I use.

First, never quote blind. If you are asked to bid on a project, request permission (in writing!) to do a quick nmap/nessus/sara scan. While these tools will not do the pen test for you, they are very good enumeration tools. Use the output to get a good handle on exactly what you're in for when you do the test. You don't want to bid on a server having been told that it only does file and print stuff, get there and discover it also handles the internal web site and accounting's database. (Holy under-bid, Batman!)

Once you get a real map of what the bid entails, you should have enough experience to know what a pen-test of a MySQL box will take. Do a best guestimate of the time required and bid as a Not To Exceed contract.

Also, make VERY sure you lay out exactly what services and interconnections you know about and are bidding on. When (not if) you find unexpected services, hosts or connections, you are then able to renegotiate the deal to include them if the customer desires.

Make sure you include data analysis time, and make SURE the customer knows that you will be spending only 50% of the time on-site; the rest of the contract time is data analysis time that is done off-site.

My $0.02.

-Michael