If you are reading this than you or your organization has made the decision that you need, or may need, a penetration test. Depending on how much previous experience and reading you have done, you probably already have an idea of what a penetration test is. But how much does one of these tests cost? That might seem like a relatively simple question, but the answer is complex. In this article, we'll break down the main components to the cost in a way that should apply to most penetration testing companies. The goal is to give you a better idea of what to expect and details that help you control the cost.
Penetration testing services are usually quoted as a fixed price for the estimated effort to test the target. Without looking at scope and specifics, the average base cost of a penetration test is between $10,000 and $45,000. It is, of course, possible to receive more substantial or smaller quotes, depending on the details of the test. But most penetration tests fall somewhere in this territory. If you're new to penetration testing, it is unlikely that your first experience with a credible firm will extend too far outside this range.
Let's take a look at the primary factors that are used to estimate effort, and will ultimately determine this base price: Scope and Rate.
There's a substantial difference between the effort required to test a small web application versus the effort needed to test an extensive internal network. The scope can be expressed in part by the type of penetration test (e.g., a network, a building, an application, an organization, etc…), and then by the breadth and depth which may take on slightly different meanings depending on the type of test.
Penetration testing is, in essence, an effort to breach the security controls of a system of assets. So what are the assets that need to be tested? For example, a network penetration test is a very common type, which is usually scoped as a test of network security controls plus all the devices connected to the network. A test of just an internal network will often carry a lower base price than a test of both the internal and external (i.e., the part available to the Internet) networks. The base price for testing a single web application is usually a bit less than the base price for testing a network.
Another aspect of type is if the test serves a specific purpose, such as PCI-DSS compliance. In these cases, a scope may be more than that of a non-PCI penetration test because of the additional effort required to meet the specific tasks required by the standard. Internally each penetration testing vendor will establish a base price for each type of test, which is used as a starting point.
This dimension is more widely known as the potential attack surface that is in scope for a test. Its exact meaning depends on the type of penetration test. For example, if it is a network that is being tested, then the breadth is usually expressed as the network ranges and domains of the network that are in scope. For an application, you would express the breadth by defining boundaries such as APIs and microservices that are in or out of scope. For a test of physical locations, the breadth may be specified as a subset of available retail stores.
Some testing companies rely very heavily on automated scoping using statistics like the number of servers and workstations for a network test, or the number of dynamic pages in a web application. While these numbers may be useful in the scoping discussion, most professional firms will expect more context on the functionality and purpose of the system. For example, a chain of small locations with 100 identical sites may have more hosts, but less complexity than a single location site. If a pen testing company depends primarily on statistics for scoping and submits a quote significantly lower than others, it is likely that their testing methodology is based mostly on automated vulnerability scanning. See our article on how pen tests differ from vulnerability scans.
The depth of the test is a determination of how far the vendor should exploit vulnerabilities to assess the true risk to the organization. This can be a touchy subject with some penetration testing vendors because there are those in the industry who believe that your security assessment is not a penetration test unless it includes full exploitation of the organization. Unfortunately, the pendulum has also swung in the opposite direction, where some security assessments are dubbed as penetration tests when they are, in fact, just automated vulnerability assessments. No matter your definition of depth, it is vital to work with your vendor to determine it before the test starts. For example, for a web application, if the tester discovers XSS, is it in scope to leverage that flaw to hijack the browser session of your employee? If a command injection flaw is found, should the testers demonstrate the flaw and move on, or attempt to escalate privileges on the host machine and pivot onto other internal systems?
The depth of a penetration test depends on the specific objectives of the test. Though an automated vulnerability assessment is never an acceptable replacement for a penetration test, there are also many cases where granting free reign to exploit and pivot may not be necessary. For example, if your organization has an effective vulnerability remediation process, then a penetration test of an application may only require that vulnerabilities be identified with steps to reproduce. In this situation, spending additional effort to pivot from the application to unrelated systems inside an organization is frivolous and wastes time during the testing window.
The estimation process will usually start with an estimate of how much effort will be needed to perform the penetration testing plus some additional effort for generating the deliverables (i.e., the report) and project management. Once this can be expressed in hours, it is a simple exercise of multiplying the effort estimate by an hourly rate. The final number will be the unmodified fixed effort quote.
Hourly rates for security consulting services typically run anywhere from about $200 / hr to $500 / hr. With such a big range, it is a good idea to ask your vendor what their rate is and how they justify it. (And to be transparent, Secure Ideas bills at $250 per hour.) Just like any experience-based trade, it may be worth paying a little more for top talent.
Your penetration testing vendor may consider additional factors when producing a quote for a penetration test. Some of these may be itemized in the quotation, while others may be invisibly rolled into the price. Common modifiers include:
So as you look to purchase a penetration test of any type, think about how you can affect the cost. Some examples are:
If you are looking for a deal from your penetration testing vendor, it may help to understand the work cycle in the industry. The brunt of both compliance-driven work and budget-driven work falls in the fourth quarter of the year. As a result, the first quarter of the year tends to be light on work. If your schedule is flexible, you may be able to negotiate a better price for a penetration test by timing it for the first quarter or even early in the second quarter of the year.