Penetration Testing mailing list archives

Re: [PEN-TEST] Pen-testing reports


From: Max Vision <vision () WHITEHATS COM>
Date: Mon, 26 Mar 2001 10:53:45 -0800

Since I am hardcore technical and dislike business, pricing has been
painful.  I tried giving customers an extremely customized and accurate
price quote based on an hourly rate multiplied by the actual time it would
take to audit their network (I've done enough of this to make safe
estimates).  However, that approach failed miserably.  Out of about 30
proposals I had one actual customer, and the proposals were very detailed
- possibly nicer than most final reports (quoted prices ranged from $500
to about $5000).  I now use a flat rate instead, or alternately just
undercut the other leading bid by 50%.  A more detailed explanation is
available at http://maxvision.net/price.html

Your email makes it hard to tell, but you are offering more than a
portscan, right?  In my opinion, if you aren't offering something better
than the ISS Crystal Reports output, then don't bother.  That is the LOW
end of the reporting spectrum, and it is substantial.  Email me off-list
if you want some constructive feedback on your reporting.

Max

On Mon, 26 Mar 2001, Mehmet Murat Gunsay wrote:
Hello,

I'd like to have a general idea about the penetration testing reports that people from this
mailing list offer to their customers.  I'm not sure if the reports we provide as a company
are adequate or even good enough.  By finding the listening ports on a given subnet, we
try to find what services or programs are running and so forth.  However, as this approach
sometimes may get too deep, pricing such a test also becomes an issue.  Is there a
specific measure that some of you use for pricing?  I believe replies to these questions
will help us greatly in redefining our standards and measures.  Thanks in advance for
all the replies.

Regards,
Mehmet Murat Gunsay
BTKOM A.S.
http://www.btkom.com
mgunsay () btkom com


