15 April, 2022

How to quickly estimate the cost of a penetration test.

Jason Gillam
If you are new to organizing a third-party penetration test, chances are you will face the question: how much money do we need to budget for this thing? Unfortunately, there is a considerable amount of cost variance for penetration tests, so there is no straightforward answer. One option is to gather quotes from different penetration testing companies or send out a formal Request For Proposal (RFP), but this can be a lot of up-front work if all you are looking for is a ballpark figure.

The good news is that we have a few ideas to pull an estimate together quickly.

Here is what you can do:

Review Last Year's Statement of Work

If you are fortunate enough to have access to your third-party pentest company's statement of work from last year, you can use that as a basis to estimate future tests. Most pentest work is time-boxed, so as long as it was scoped accurately last time and your supplier's rates have not increased much, the cost should be about the same.

Use a Swag from Published Ranges

Some pentest companies will publish their estimated ranges for pentesting services. For example, we have an article that details many aspects of a test that contribute to its cost. In this article, we state that the average base cost of a penetration test is between $10,000 and $45,000. This is a significant range that works to set expectations but may not be suitable for setting a budget. It is prudent to be wary of companies that advertise unusually low price ranges, as they may be cutting corners to do so.

Ask for an Estimate

Most pentest companies will be more than happy to supply a quote for their services. But your time is valuable, so unless you are ready to start the actual sales process, it may not make sense to go through a full scoping call and then wait (sometimes several days, depending on your pentest company) for a statement of work. Here at Secure Ideas, we are happy to provide a quick estimate and have even built a tool to streamline that process. Check it out:

