-
June 2nd, 2006, 05:02 AM
#1
Junior Member
Time/fees for penetration tests
Can you tell me on average how much one would charge to conduct an audit, penetration tests and document vulnerabilities for a start-up?
Assume you have only two front-end servers and one SQL db server.
Do you normally charge based on IP addresses/nodes, or is this a fixed charge?
Please advise.
-
June 3rd, 2006, 04:18 AM
#2
Not sure about what individuals might charge but I've hired a couple security pen-testing companies.
I won't name names but one was a MAJOR nationally known security management/pen testing company and they charged $15K to test one web site. The deliverables were an executive summary, a detailed technical report, a list of tools used, all data output of the tools, and the methodology used.
The other was a local security company with very good security folks and they charge $3-5K per web site. The deliverables were the same as the $15K vendor's, but without the output of the tools and the methodology.
Having done a little pen-testing myself I was very satisfied with both vendors. Both were very thorough and flexible, although the local one was probably more flexible in meeting my adjustment requests.
Hope this helps you.
-
June 3rd, 2006, 05:14 AM
#3
Hey Hey,
When I was adminning at my last job I priced it out with two different companies...
Company 1: Full Internal and External Audit... Compliance and Policy Auditing.... With a walk-through from them at the end.... 15K
Company 2: External Audit only... nothing else covered... 2K (I believe, but between 1500 and 2500 anyway)... With a paper report at the end (as far as I know)
prices vary depending on a number of things.
Skill sets involved
company reputation
competition in the area
tasks involved
etc.
Peace,
HT
-
June 3rd, 2006, 09:24 AM
#4
Personal Involvement:
The last time that I did pen-testing, I charged $400/hour for comprehensive physical/computer-based attack routes. I usually try to report my findings every few hours to some sort of log and at the end do a detailed presentation with reports and statistical crap.
If you don't have a physical location that you want the tester to attempt to access, such as a store front or office, it cuts the amount of time required in half.
But do remember that a significant portion of pen-testing is physical. It doesn't matter how hardened a server is if you can simply walk into the server room while the secretary is ready and willing to give you a key because you are wearing a suit and barking orders.