Re: Pen-test pricing

[Christoph Puppe <puppe () hisolutions com>]

Salve,

most companies charge per day. Only if it is a emergency-response, then
by the hour. The number of servers, locations, firewalls, DMZs and other
stuff that is to be tested should help you to calculate a number of
days, that you will need to do a good job (hrs /system * systems / 8)
and meet the targets.

PT-Targets the easy way is first to establish what the customer want's
to protect against:

Class 1 Attacker (governmental or organized crime funded, very
knowledgable, cappable of impressive stunts)
Class 2 Attacker (corp. Espionage or knowledgable person with some funds)
Class 3 Attacker (Skript-Kid, Scanner-Swinging, persons who do not
target your customer, but just look for low hanging fruits)

For Class 1, multiply the number of days you would need for a good job
by two. Class 3, divide by 2 ;)


Andre Derek Protas schrieb:

> Does anyone have any good figures on pricing for pen-tests?  Is charging
> done per server, location, or hour?  Any help would be appreciated.
>
> ::andre::
>
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today - it's
> FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

-- 
Mit freundlichen Grüßen

Christoph Puppe
Security Consultant


We secure your business.(TM)
_______________________________________________________

HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________

-----------------------------------------------------------------
Besuchen Sie uns vom 10.-16.03. auf der CeBIT in Hannover!
In der CEFIS Halle 7 Stand C22/14 informieren Sie unsere Berater
zu den Themen Informationssicherheit und IT-Service Management.
-----------------------------------------------------------------