Cost and Pricing for a Pentest

Penetration testing, or pentesting, is an important activity for securing an organization's information resources and IT infrastructure. This includes communication networks, software solutions, endpoints (workstation PCs and laptops running Windows or Linux, as well as mobile apps), servers, and cloud environments such as an AWS infrastructure.

How much does a pentest cost?

Today, penetration testing is a mandatory requirement for hospitals, financial institutions, telecommunication providers, public institutions and authorities as well as for the service industry in general. While the demand for pentesting services has increased, there are still gaps for stakeholders in establishing a fair pricing structure that is suitable for both the pentesting provider and the customer organization.

What Costs Should Be Considered for a Pentest?

This question usually arises when negotiating the cost of an IT pentest. The answer depends on several factors: the complexity of the organization, server systems and applications to be evaluated; the experience of the analyst; the cost of the scanning tools used by the pentest vendor, including license fees; the scope of the test; any corrective actions based on the test results; and the retesting process. Specialized skills that increase costs may also be required, such as SAP pentesting, log or hardware analysis, or a specialized testing framework such as PCI DSS.

In this section, we will try to quantify the different factors that go into the pricing of a pentest. As the customer commissioning a pentest, it is often very time-consuming and complex to find out what you have to pay for it, whereas as a pentest service provider, you do not want to quote prices that would scare off a customer or force them to look for alternatives.

The most important factor in determining the cost of pentesting is the complexity of the customer organization and its network environment. Organizations with a complex and distributed computer network, many network devices, multi-layered API endpoints and complex application software have more potential attack vectors, and will of course be quoted a much higher price than organizations with a smaller attack surface and less infrastructure, fewer mobile apps, and fewer front-end and back-end systems.

Secondly, the scanning tools used by the service provider are part of the cost of the service, as the fee charged has to cover the cost of acquiring the tools and their license fees. Otherwise, it makes no economic sense to pay for software licenses that cannot be offset against the work performed.

The IT security service provider's experience with regard to the profiles of its customer base also comes into play. If the service provider has acquired high-profile customers and also enjoys a large volume of orders, it will most likely charge a higher price than if the opposite is the case.

Another determinant of the final fee for a pentest is the scope of the test, which is usually the responsibility of the client organization. The scope largely determines the final quote, as the test provider bills only for work that falls within the agreed scope of the engagement. However, it is very risky to let the fear of high costs drive the scoping of a vulnerability assessment or penetration test, because a narrowly limited scope leaves little or no room for actually identifying the vulnerabilities and control gaps inherent in the operating environment.

Pentest Costs in Relation to Profitability

IT security can never be perfect, so spending should follow a cost-efficient approach toward an optimum, accepting diminishing returns beyond it. Basically, the longer pentesters examine the infrastructure, mobile apps or web applications, the more meaningful the results are.

Penetration tests are snapshots that are often out of date after only one week. This should also be taken into account when planning, since it allows future tests to be performed incrementally to reduce costs. Here, regular and event-driven automated pentesting can provide a basic, though not high, level of security and maturity.

Pentest: Costs in Relation to Efficiency

What are the Average Costs for a Pentest Project?

The answer depends largely on the factors listed above. For simple or less complex networks and software, however, one can expect fees in the range of €4,500 to €6,000. For a moderately complex organization with a diverse system architecture, a fee between €10,000 and €15,000 would be appropriate. Large organisations with much more complex networks, distributed systems and web services could pay up to €100,000, which is not excessive compared to the risk and consequences of a successful hack or attack.

As often as possible, organizations should evaluate the value of their business data and information and the investment in their IT infrastructure, and weigh it against the risk and consequences of a successful attack. This helps to judge correctly whether the cost of a security assessment is worthwhile. It should also be noted that services advertised at significantly reduced rates may not deliver truly meaningful results. Assessing vulnerabilities through penetration testing is a very important task for any organization that is required by law or regulation to do so because it handles personal or cardholder data.

Therefore, any organization that wants to perform an IT pentest should consider not only the cost, but also how critical the exercise is for its security and that of its information assets. Since every exposed attack vector increases the likelihood of an attack or breach, it is essential to ensure that your information assets and operating environment are free from the vulnerabilities that hackers might exploit to harm the organization. Hackers (whether internal or external) can cause damage if they find the slightest opportunity, whatever their motive. So the least you can do is to be prepared for such an attack by laying the necessary groundwork to avoid becoming a target.

Variable Pentest Costs

Variable costs are those that depend on time, additional services or special methods.

1. Scope and Duration of the Engagement

The scope of the test has a direct impact on the time it takes to complete. Factors that affect the duration (and therefore the cost) include the size of the site, the number of clients to be tested, the functionality, the associated APIs or web services, and the complexity of the server or cloud infrastructure.

2. Tools

Every pentester has their own way of performing a penetration test. Some use more expensive tools than others, which can increase the price. However, expensive tools can also shorten the duration of your test and deliver higher quality results.

3. Test Concepts

Depending on the information available to the tester, white, grey or black box tests are carried out. Grey box tests cover all test types that fall between white and black box tests: some information is provided to the analyst, usually only logon credentials, and all other information must be discovered through analysis. This type of test is an interesting compromise in terms of the number of test cases, cost, speed and scope. Grey box tests are the most common type of test in the security industry.

4. Experience of the Pentester

Analysts with more experience are more expensive. Just remember that you get what you pay for. Beware of pentest vendors who offer prices that are too good to be true, because they probably do not do a thorough job. It makes sense to look for penetration testers who hold certifications such as OSCP, CISSP, GIAC, or CEH.

5. Retest

All pentests carried out by the contractor should include a one-time free retest, during which the previously identified vulnerabilities are re-examined. This retest validates whether the client's remediation measures have had the desired effect.

So what are the Costs?

Each project is tailored to the organization being tested, but as a general guide, an automated test with comprehensive analysis of the results and a detailed list of security recommendations falls within the average cost range described above. Daily rates vary between vendors, but they should be viewed critically if they are set too low. Scope and duration of the engagement, tools, test concepts, experience of the pentester and the retest are the levers for rationally adapting the engagement to your needs.

In most cases, the decisive factor is how much of the work is performed manually rather than automated. Even at a higher cost, there is no better way to test your security systems.

