Penetration Testing mailing list archives
Re: Pen-testing - pricing model
From: intel96 <intel96 () bellsouth net>
Date: Sat, 02 Dec 2006 09:47:55 -0500
Chris, I agree with Sami you must estimate to the best of your ability how much time it will take you to conduct the test and produce some type of output. Conducting the test is more than just using a scanner. You need to define a scope for each project separately no project is the same. Some costs are hard to factor into a project. For example some projects may require extra research into products that you have not tackle in the past. The customer may want more data on how to fix the problem like the commands for their IT to use or what vendor tools to use. They also may want a special threat matrix designed to fit their needs and their auditors. You need to also think about how much time it will take for the customer to review the document and for you to make any changes. Remember all project come down to scope......hammering this out is VERY critical to prevent cost issues (especially losses on fixed price projects). This last point is important!! Sometimes scope creep can kill your bottom-line. I saw a consulting firm get hammered by their client because the scope was to vague. A 12 week assessment turned into a 1 year project with multiple consultants on-site for the fix price of only 12 weeks!!!!!!!!!! You should always factor in some extra time for those "what if" that always pop-up. And lastly you should always be prepared to negotiate the pricing with the customer. The customer will always find someone cheaper and you will have to prove why you are better for the extra cost. sami.ghourabi () icn com tn wrote:
I would try to evaluate necessary time to do the job and charge XX dinars (or dollars) per 8 hours day On Thu Nov 30 10:59 , Chris Stromblad sent:Hi list,Those of you who work with this professionally, what sort of pricingmodel do you use? How do you assess what should be charged for the test?Considering the fact that there are many types of pen-tests and all havedifferent scope. I'm having a hard time figuring out if the prices thathas been given to me are reasonable.Say I were to give you one of the following scenarios, what would youcharge (roughly):1. "Black box with shades of gray", 2 /24 networks, not all devices areactive. External scan.2. Internal scan, only devices3. Internal scan, procedures, physical security and devicesI know this question is somewhat difficult to answer, because there isno correct answer, but any advice is welcome.Cheers,Chris------------------------------------------------------------------------This List Sponsored by: CenzicNeed to secure your web apps?Cenzic Hailstorm finds vulnerabilities fast.Click the link to buy it, try it or download Hailstorm for FREE.http://www.cenzic.com/products_services/download_hailstorm.php\?camp=701600000008bOW------------------------------------------------------------------------------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Re: LophtCrack and SAM Passwd, (continued)
- Re: LophtCrack and SAM Passwd Jerome Athias (Dec 20)
- Re: LophtCrack and SAM Passwd Justin Lintz (Dec 20)
- Re: LophtCrack and SAM Passwd killy (Dec 20)
- Re: LophtCrack and SAM Passwd Brendan Dolan-Gavitt (Dec 20)
- Re: LophtCrack and SAM Passwd jm (Dec 20)
- Re: Pen-testing - pricing model intel96 (Dec 16)
- Re: Pen-testing - pricing model Kish Pent (Dec 17)
- Re: Pen-testing - pricing model Sels, Roger (Dec 19)
- Re: Pen-testing - pricing model crazy frog crazy frog (Dec 03)
- Re: Pen-testing - pricing model intel96 (Dec 03)
- Re: Pen-testing - pricing model Stefano Zanero (Dec 03)
- Re: Pen-testing - pricing model Ozan Ozkara (Dec 03)
- Re: Pen-testing - pricing model intel96 (Dec 03)
- Re: Pen-testing - pricing model Lee Lawson (Dec 04)
- RE: Pen-testing - pricing model Erin Carroll (Dec 04)