Results 1 to 4 of 4
  1. #1
    Junior Member
    Join Date
    May 2006

    Time/fees for penetration tests

    Can you tell me on average how much one would charge to conduct audit, penetration tests and document vulnerabilities for a start-up ?

    Assume you have only two front-end end servers and one SQL db server.

    Do you normally charge based on IP address/nodes or this has a fixed charge ?
    Please advise.

  2. #2
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Not sure about what individuals might charge but I've hired a couple security pen-testing companies.

    I wont name names but one was a MAJOR nationally known security management/pen testing company and they charged $15K to test one web site. The deliverables was an executive summary, a detailed technical report, list of tools used, all data output of tools, methodology used.

    The other was a local security company with very good security folks and they charge $3-5K per web site. The deliverables was same as $15K vendor but without the output of the tools and methodology.

    Having done a little pen-testing myself I was very satisfied with both vendors. Both were very thorough and flexible although the local one was probably more flexible meeting my adjustment requests.

    Hope this helps you.

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    When I was adminning at my last job I priced it out with two different companies...

    Company 1: Full Internal and External Audit... Compliance and Policy Auditing.... With a walk through from them at the end.... 15K

    Company 2: External Audit only... nothing else covered... 2K (I believe, but between 1500 and 2500 anyways)... With apaper report at the end (as far as I know)

    prices vary depending on a number of things.

    Skill sets involved
    company reputation
    competition in the area
    tasks involved

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Senior Member
    Join Date
    Mar 2002
    Personal Involvement:

    The last time that I did pen-testing, I charged $400/ hour for comprehensive physical/computer based attack routes. I usually try to report my findings every few hours to some sort of log and at the end do a detailed presentation with reports and statistical crap.

    If you don't have a physical location that you want the tester to attempt to access, such as a store front or office, it cuts the amount of time required in half.

    But do remember that a significant portion of pen-testing is physical. It doesn't matter how hardened a server is, if you can simply walk into the server room while the secretary is ready and willing to give you a key if you are wearing a suit barking orders.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.