Pricing and Scoping

Information on what to expect in terms of cost, as well as a review of the scoping process followed by most vendors in the industry.

What to expect in Cost

When budgeting for a penetration test, expect costs to be significantly higher than those for automated alternatives. If you're paying the minimum, you're likely getting low-level expertise or an automated process. In such cases, the vendor might not be upfront about simply running a tool or scanner.

The actual cost depends on several factors, like the scope of what's being tested (e.g., lines of code, number of APIs, or user roles), the complexity and sensitivity of the tests (e.g., needing a specific hardware setup), and the expertise and credentials of the tester or company (e.g., testing might require a specialist for something highly specific, like nuclear reactor disassembly, along with rare and costly certifications, which are partially amortized into the cost).

Hourly Rates vs. Project Cost

If you're getting quotes from different vendors and want to compare them, don't get too fixated on hourly rates. That's just the P in P * Q: you could end up with a vendor with a lower hourly rate who takes twice as much time to cover half of what a vendor with a higher hourly rate would cover in less time. Instead, focus on the overall project (or per-phase) cost, which already accounts for the duration variable.

Are we talking full coverage, or timed-effort?

As discussed in the Coverage section (link below), you may have in front of you two work proposals for the same type of approach, yet with different intended coverage. It is not only OK but VERY important to discuss with your vendor or partner whether they intend to cover everything (e.g. all roles, all APIs, all IP ranges, ...) or whether their time and cost estimate anticipates a timed-effort approach, where coverage will be limited and a set of priorities is tackled in order (priorities which will require your input and validation, if they are not created entirely by your team).

Regardless of whether it is a full-coverage or timed-effort approach, don't be shy about discussing priorities and testing plans. Request from your vendor/partner information on what was covered and what wasn't. Even when full coverage is intended, there's the possibility that part of the surface is left out because it wasn't functioning properly at the time (the expectation would be for your vendor/partner to reach out when and if that happens).

Coverage

Is the validation of Fixes included?

Estimating the effort behind fix validation is a best-guess exercise when you haven't yet executed the actual work of discovering vulnerabilities. It is however typical practice to ensure the price you're paying already includes time for verifying fixes. Always ask your vendor whether fix validation is included in the total price, and keep that in mind when comparing quotes/proposals. You may be looking at a vendor that is 20% more expensive than another simply because they include time for fix validation.
