Penetration Testing mailing list archives

Re: Pen-testing - pricing model

From: intel96 <intel96 () bellsouth net>
Date: Sat, 02 Dec 2006 09:47:55 -0500

Chris,

I agree with Sami you must estimate to the best of your ability how much
time it will take you to conduct the test and produce some type of
output.   Conducting the test is more than just using a scanner.  You
need to define a scope for each project separately no project is the
same.  Some costs are hard to factor into a project.  For example some
projects may require extra research into products that you have not
tackle in the past.   The customer may want more data on how to fix the
problem like the commands for their IT to use or what vendor tools to
use.  They also may want a special threat matrix designed to fit their
needs and their auditors.  You need to also think about how much time it
will take for the customer to review the document and for you to make
any changes.

Remember all project come down to scope......hammering this out  is
VERY  critical  to  prevent cost issues (especially losses on fixed
price projects).   This last point is important!!  Sometimes scope creep
can kill your bottom-line.  I saw a consulting firm get hammered by
their client because the scope was to vague.  A 12 week assessment
turned into a 1 year project with multiple consultants on-site for the
fix price of only 12 weeks!!!!!!!!!!

You should always factor in some extra time for those "what if" that
always pop-up.

And lastly  you should always be prepared to negotiate the pricing with
the customer.  The customer will always find someone cheaper and you
will have to prove why you are better for the extra cost.





sami.ghourabi () icn com tn wrote:

I would try to evaluate necessary time to do the job and charge XX dinars (or

dollars) per 8 hours day



On Thu Nov 30 10:59 , Chris Stromblad  sent:

Hi list,

Those of you who work with this professionally, what sort of pricing

model do you use? How do you assess what should be charged for the test?

Considering the fact that there are many types of pen-tests and all have

different scope. I'm having a hard time figuring out if the prices that

has been given to me are reasonable.

Say I were to give you one of the following scenarios, what would you

charge (roughly):

1. "Black box with shades of gray", 2 /24 networks, not all devices are

active. External scan.

2. Internal scan, only devices

3. Internal scan, procedures, physical security and devices

I know this question is somewhat difficult to answer, because there is

no correct answer, but any advice is welcome.

Cheers,

Chris

------------------------------------------------------------------------

This List Sponsored by: Cenzic

Need to secure your web apps?

Cenzic Hailstorm finds vulnerabilities fast.

Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php\?camp=701600000008bOW

------------------------------------------------------------------------


  






------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Current thread:

Re: LophtCrack and SAM Passwd, (continued)
- - - Re: LophtCrack and SAM Passwd Jerome Athias (Dec 20)
    - Re: LophtCrack and SAM Passwd Justin Lintz (Dec 20)
    - Re: LophtCrack and SAM Passwd killy (Dec 20)
    - Re: LophtCrack and SAM Passwd Brendan Dolan-Gavitt (Dec 20)
    - Re: LophtCrack and SAM Passwd jm (Dec 20)
    - Re: Pen-testing - pricing model intel96 (Dec 16)
    - Re: Pen-testing - pricing model Kish Pent (Dec 17)
    - Re: Pen-testing - pricing model Sels, Roger (Dec 19)
- Re: Pen-testing - pricing model sami.ghourabi (Dec 01)
  - Re: Pen-testing - pricing model crazy frog crazy frog (Dec 03)
  - Re: Pen-testing - pricing model intel96 (Dec 03)
    - Re: Pen-testing - pricing model Stefano Zanero (Dec 03)
    - Re: Pen-testing - pricing model Ozan Ozkara (Dec 03)
    - Re: Pen-testing - pricing model intel96 (Dec 03)
    - Re: Pen-testing - pricing model Lee Lawson (Dec 04)
    - RE: Pen-testing - pricing model Erin Carroll (Dec 04)
- RE: Pen-testing - pricing model Michael Scheidell (Dec 03)
- Re: Pen-testing - pricing model Barry Fawthrop (Dec 16)