Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Pen-testing - pricing model

From: intel96 <intel96 () bellsouth net>
Date: Wed, 13 Dec 2006 15:27:29 -0500
I have never seen a ROI analysis in a pentest report.  How do you
perform such an analysis?




Kish Pent wrote:

Hello all, :)
I totally agree with carnevali davide, he's absolutely
right because pen-test pricing is based on man hours
put in for the work, not the goals or skills.

In the company I work, the pricing is usually decided
as follows. 

1)Once the scope of the test is determined, the
standard pricing per hour for 8 hours a day is
determined.

2)The report is submitted in hard copy after the test
is over with ROI analysis to prove the time-value
trade off.

Regards



--- Davide Carnevali <carnevali () protechta it> wrote:

  

Generally Pen Test should be a "time based"
activity.

You define targets, goals and TIME within achieve
these goals.

Once TIME is defined, with the client, you get the
price.

Skills are not part of the pricing model: skills
affect TIME and goals.

My 2 cents

Chris Stromblad ha scritto:
    

Hi list,

Those of you who work with this professionally,
      

what sort of pricing 
    

model do you use? How do you assess what should be
      

charged for the test? 
    

Considering the fact that there are many types of
      

pen-tests and all have 
    

different scope. I'm having a hard time figuring
      

out if the prices that 
    

has been given to me are reasonable.

Say I were to give you one of the following
      

scenarios, what would you 
    

charge (roughly):

1. "Black box with shades of gray", 2 /24
      

networks, not all devices are 
    

active. External scan.

2. Internal scan, only devices

3. Internal scan, procedures, physical security
      

and devices
    

I know this question is somewhat difficult to
      

answer, because there is 
    

no correct answer, but any advice is welcome.

Cheers,
Chris



      

------------------------------------------------------------------------
  

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download
      

Hailstorm for FREE.
    

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
  

      

------------------------------------------------------------------------
  

-- 

Davide Carnevali
CEO
Protechta - Information Security
OPST, CCSP
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/
e-mail: davide () protechta it
Disclaimer: http://www.protechta.it/disclaimer

    


Kishore
Penetration Tester
Smart Security
17/1,Upstairs,Sarojini St,
T.Nagar , Chennai - 600 017
Phone: 91 98841 80767


 
____________________________________________________________________________________
Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail beta.
http://new.mail.yahoo.com

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: