June 2nd, 2006, 06:02 AM
Time/fees for penetration tests
Can you tell me on average how much one would charge to conduct audit, penetration tests and document vulnerabilities for a start-up ?
Assume you have only two front-end end servers and one SQL db server.
Do you normally charge based on IP address/nodes or this has a fixed charge ?
June 3rd, 2006, 05:18 AM
Not sure about what individuals might charge but I've hired a couple security pen-testing companies.
I wont name names but one was a MAJOR nationally known security management/pen testing company and they charged $15K to test one web site. The deliverables was an executive summary, a detailed technical report, list of tools used, all data output of tools, methodology used.
The other was a local security company with very good security folks and they charge $3-5K per web site. The deliverables was same as $15K vendor but without the output of the tools and methodology.
Having done a little pen-testing myself I was very satisfied with both vendors. Both were very thorough and flexible although the local one was probably more flexible meeting my adjustment requests.
Hope this helps you.
June 3rd, 2006, 06:14 AM
When I was adminning at my last job I priced it out with two different companies...
Company 1: Full Internal and External Audit... Compliance and Policy Auditing.... With a walk through from them at the end.... 15K
Company 2: External Audit only... nothing else covered... 2K (I believe, but between 1500 and 2500 anyways)... With apaper report at the end (as far as I know)
prices vary depending on a number of things.
Skill sets involved
competition in the area
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
June 3rd, 2006, 10:24 AM
The last time that I did pen-testing, I charged $400/ hour for comprehensive physical/computer based attack routes. I usually try to report my findings every few hours to some sort of log and at the end do a detailed presentation with reports and statistical crap.
If you don't have a physical location that you want the tester to attempt to access, such as a store front or office, it cuts the amount of time required in half.
But do remember that a significant portion of pen-testing is physical. It doesn't matter how hardened a server is, if you can simply walk into the server room while the secretary is ready and willing to give you a key if you are wearing a suit barking orders.