RE: Pen-testing - pricing model

["Erin Carroll" <amoeba () amoebazone com>]

Daily rates vary from company to company and on the task types you're
scoping. On average I've seen rates ranging from $75/hr to $300/hr depending
on the type of work involved. Performing a quick external VA would price out
on the lower end of the spectrum due to the lower technical experience
required whereas writing custom exploit code for a particular pen-test would
probably be on the high-end. That kind of expertise and skill is scarce and
the market rates reflect it.


> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Lee Lawson
> Sent: Monday, December 04, 2006 8:13 AM
> To: intel96
> Cc: Stefano Zanero; sami.ghourabi () icn com tn; pen-
> test () securityfocus com; Chris Stromblad
> Subject: Re: Pen-testing - pricing model
>
> nobody has actually given their daily rates!  I agree with everything
> that everyone has said.  It is very difficult to quote for consultancy
> times without good, detailed information.  But then you fall into the
> trap of the client not wanting to give you that information because
> they feel it would compromise the authenticity of the tests.
>
> If a client is not willing to give you good, detailed information
> (recently I had a client who would not tell me if their wireless
> network was encrypted or not, so I quoted an extra day!), then you have
> to over quote to protect yourselves.
>
> I have worked for, and currently work for good pen testing
> organisations that charge a variable rate of 800-1000 British pounds
> per day.  Depending on how long you reckon it will take to perform the
> required testing depends on the final cost to the client.  Excluding
> tax and travel expenses.
>
> So a 5 day, external pen test would cost anything from £4000 to £5000.
>  We also give discounts for returning customers.  But saying that, we
> are good!
>
> later,
>
>
> On 12/3/06, intel96 <intel96 () bellsouth net> wrote:
> > Stefano,
> >
> > Yes, I agree that this is very difficult in most cases.   I recently
> had
> > to prove that I was better than other bidders jocking to do a global
> > pentest for a Fortune 1000.  The customer had no idea what the
> > differences were between a vulnerability test and a pentest.   First,
> I
> > had to educate the customer about security testing in general.
> > Second, I had to provide the customer with strong references from
> > other pentest project.  Third, I had to explain why my pricing was up
> > to 11 times higher than other bidders.  Most of the other bidders
> were
> > companies that sell security software and one was a MSSP, who pricing
> for the
> > project was ZERO.   The MSSP was also bidding to obtain a 1 million
> > dollars managed services contract.  Fourth, the customer provide each
> > bidder a single IP to test.   I was the only one that correctly
> > identified the OS, web application and vulnerabilities on the system.
> > Fifth, I had to provide a sample document, which I refused to do
> since
> > even a sample reports can be too detail.
> >
> > I finally won the project, but only a piece of the overall project.
> > The customer gave part to the MSSP who costs were nothing and the
> rest
> > to me, but only after I cut my pricing based on the new project
> details.
> > The biggest issue that I have in pricing projects today is with the
> > security software vendors and MSSPs that want to sell their wares to
> > the customer!!! BUT only after they do a vulnerability test or
> pentest
> > for FREE!!!!
> >
> > Intel96
> >
> >
> >
> >
> > Stefano Zanero wrote:
> > > > And lastly  you should always be prepared to negotiate the pricing
> > > > with the customer.  The customer will always find someone cheaper
> > > > and you will have to prove why you are better for the extra cost.
> > >
> > > This is very difficult if your customer does not have an exact idea
> > > of what a pen-test is supposed to be.
> > >
> > > What kind of proof would you suggest bringing to help a customer
> > > understand the difference ?
> > >
> > > Stefano
> >
> >
> > ---------------------------------------------------------------------
> -
> > --
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=70
> > 1600000008bOW
> > ---------------------------------------------------------------------
> -
> > --
>
>
> --
> Lee J Lawson
> leejlawson () gmail com
> leejlawson () hushmail com
>
> "Give a man a fire, and he'll be warm for a day; set a man on fire, and
> he'll be warm for the rest of his life."
>
> "Quidquid latine dictum sit, altum sonatur."
>
> -----------------------------------------------------------------------
> -
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701
> 600000008bOW
> -----------------------------------------------------------------------
> -


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------