Penetration Testing mailing list archives

Re: [PEN-TEST] Pen-testing reports


From: CyberCop <misha () PRIVAT SYSEDATA NO>
Date: Wed, 28 Mar 2001 11:59:08 +0200

Hi.

I think this approach with charges is a bit the wrong way. How about seeing it not
from the position of a fixed price, but being more flexible and offering the client something
based on the amount of actual work and the size of the customer's network?
We had cases where a customer wanted to check 1 extremely important machine and
nothing else (the machine stood on a separate segment on a switched net as a web server),
so we charged our bottom-line rate (4k). Another case is when you have
1, 2, 3, 5 C-class networks. Or even a B-class, etc. What you have to establish is
how big the customer's network is, and how much work it will require, then
proceed with the price estimation.

If you use commercial scanners, you should buy a license, and in that case
customers often want rights to the scanner, which is a debatable issue. Personally I
can say that we do not use either ISS, Nessus, etc. for anything smaller than 5
C-class networks; otherwise we do use those tools for a preliminary (first) scan
along with Fyodor's Nmap (Fyodor, great work!), which is still the best scanner
out there. Based on the results of nmap our technicians do further manual checks
with own-made scanners of different types.
And if you are charging something like 35k or even 150k, it must be a _HUGE_
network, size starting from 4-5 C-classes up to a B-class. Most customers in the
country where I live would not accept a cost of 150k USD even for a B-class network.
Prices would be approximately 60-70k in the best case for a B-class net. So, when you
raise the prices issue, please specify that this is for a specific country (like in the US
companies can afford to pay it, but not in Norway).


Best regards,
Mikhail Iakovlev
Security officer for Cerber Security
Email: misha () cerber no
WWW: www.cerber.no
Cell: +47 99579541, Fax: +47 22870954


I think that for a PenTest (Internet attack through a firewall), 3 days at
$4-10k is reasonable.  We offer our clients 3, 5 and 10 day PenTests so THEY
can define how hard they want us to push.  The more time we have, the more
likely we are to compromise their network and find esoteric problems.   If
you just run ISS/Nessus/<insert scanner here>, then you're doing your client
a disservice.  There are hundreds of other organizations out there that can
do that for $500 a day.  Find a way to add value.

Our Security Audits (inside-out assessment of the entire organization) range
from $35k to $150k.
