Penetration Testing mailing list archives

Re: [PEN-TEST] Pen-testing reports


From: Steve Goldsby <sgoldsby () INTEGRATE-U COM>
Date: Tue, 27 Mar 2001 07:25:24 -0600

Are you talking pure pen-tests or full inside-out security audits?  I can
give you some ideas based on my own experiences.

I think that for a PenTest (Internet attack through a firewall), 3 days at
$4-10k is reasonable.  We offer our clients 3, 5 and 10 day PenTests so THEY
can define how hard they want us to push.  The more time we have, the more
likely we are to compromise their network and find esoteric problems.   If
you just run ISS/Nessus/<insert scanner here>, then you're doing your client
a disservice.  There are hundreds of other organizations out there that can
do that for $500 a day.  Find a way to add value.

Our Security Audits (inside-out assessment of the entire organization) range
from $35k to $150k.  We cover physical security, personnel security,
training, technical vulnerability analysis (e.g. network scans and system
audits), policy review and the like.  These take 4-6 weeks and we push VERY
hard.  Deliverables range from 75 to 500 pages depending on the size of the
organization and the vulnerability domain, and it is meant to provide a
baseline metric from which to measure progress as well as a guide on
remediation measures.

Finally, I suggest you find a way to differentiate from KPMG/ISS/PWC/<insert
big-N accounting firm here>.

We differentiate from the other players by:
        - digging deeply into all areas outlined above
        - providing project plans and having weekly meetings for QA
        - allowing for a change budget
        - providing (IMO) the best deliverables with detailed remediation
instructions
        - providing CISSPs with DoD Security Clearances and real InfoSec experience

I personally have been in the InfoSec arena for over 10 years, and my advice
is this: don't undersell yourself.  As our prices have gone up, so has the
quality of the engagement, and the quality of the client.  We now get
clients that value our work and actually do what we tell them without
arguing it to death.  I had to be very competitive in the beginning to
gain market share, but now we have the luxury of picking our clients.  And
yes, we do reject some of them.

If you provide tier-1 service, charge tier-1 prices and make sure you take
care of your client.  Not many people out there are doing that these days.

The alternative is to follow the other lemmings and do cut rate work at
WalMart prices.

Steve Goldsby, CEO
Integrated Computer Solutions, Inc.
www.integrate-u.com


-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Max Vision
Sent: Monday, March 26, 2001 12:54 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Pen-testing reports


Since I am hardcore technical and dislike business, pricing has been
painful.  I tried giving customers an extremely customized and accurate
price quote based on an hourly rate multiplied by the actual time it would
take to audit their network (I've done enough of this to make safe
estimates).  However, that approach failed miserably.  Out of about 30
proposals I had one actual customer, and the proposals were very detailed
- possibly nicer than most final reports (quoted prices ranged from $500
to about $5000).  I now use a flat rate instead, or alternately just
undercut the other leading bid by 50%.  A more detailed explanation is
available at http://maxvision.net/price.html

Your email makes it hard to tell, but you are offering more than a
portscan, right?  In my opinion, if you aren't offering something better
than the ISS crystal reports output, then don't bother.  That is the LOW
end of the reporting spectrum, and it is substantial.  Email me off-list
if you want some constructive feedback on your reporting.

Max

On Mon, 26 Mar 2001, Mehmet Murat Gunsay wrote:
Hello,

I'd like to have a general idea about the penetration testing reports that
people from this mailing list offer to their customers.  I'm not sure if the
reports we provide as a company are adequate or even good enough.  By finding
the listening ports on a given subnet, we try to find what services or
programs are running and so forth.  However, as this approach sometimes may
get too deep, pricing such a test also becomes an issue.  Is there a specific
measure that some of you use for pricing?  I believe replies for these
questions will help us greatly in redefining our standards and measures.
Thanks in advance for all the replies.

Regards,
Mehmet Murat Gunsay
BTKOM A.S.
http://www.btkom.com
mgunsay () btkom com
