The decision to conduct penetration testing requires weighing several factors – necessity, the areas to be tested, the implication of the findings for the business, and finally cost. Although it is the last item on the list, the cost of penetration testing is an equally important factor, especially since many small and medium-sized companies need to carve out the required room in their budgets.
It is easier to read in detail about all of the steps involved in a typical penetration testing procedure than to arrive at a price estimate. This is not always due to a lack of transparency but because of the number of aspects that influence the pricing, such as how comprehensive the testing is.
Pricing a Penetration Testing Procedure
The price of a penetration test, including the upper end where certain additions are bundled in, broadly ranges around USD 10,000 – 45,000. Quotes smaller or larger than this are possible, depending on how the influencing aspects below vary.
- Scope of testing
This is an important step in designing the penetration testing procedure as well as in deciding the pentesting cost. The scope of testing, be it a small web application or an entire internal network, determines the design, the time taken, and the resources required by the penetration test.
- Potential attack surface
Once the scope of testing is defined, the exact area that falls under the attack surface is settled. If a network is being tested, its domains and network ranges fall under the testing scope. If you are dealing with an application, you usually test the boundaries where data is accessed and sent, such as APIs and other associated services.
To size this surface, testing teams usually rely on automated discovery, working from counts such as the number of servers, the dynamic pages in an application, or the workstations within a network. Testing teams will also request further documentation to understand how the system is required to function and the context in which it was built.
Watch out for pentesting companies that offer a lower quote for their services at the expense of manual testing techniques. In that case, only automated vulnerability scans are conducted, which detect the obvious issues but provide no proper resolution, no further exploitation or discovery of other security risks, and no security recommendations.
- In-depth testing and exploitation
Your ethical hacking team will also require instructions on the detailed nature of the testing process. This usually means the extent to which listed and explored vulnerabilities within the application or system should be exploited to build an overall risk profile. You will need to iron these details out with your chosen vendor, including any additions to the scope, before getting started.
For example, if the testing team discovers the potential for an XSS attack, will they be required to exploit it further to uncover another vulnerability within an employee's browser session? If there is a possible command injection attack, testers could either simply detect the vulnerability or go on to escalate privileges and attack internal systems. The depth of penetration testing thus depends on understanding the objectives of the entire process.
A fine line should be drawn between detecting basic issues using automated techniques and exploiting them further manually. The right balance also depends on the measures the organization already has in place – if there is an effective vulnerability detection process, testers only need to work off that list. In that situation, further manual effort spent on in-depth discovery and exploitation of vulnerabilities is a waste of time and resources.
- Added features
Sometimes your vendor will itemize additional features on the invoice. Hourly rates constitute an important part of the price estimate. They cover the number of hours spent on the actual testing as well as on producing deliverables such as the final report. When given a rate, usually between USD 200 – 500, always ask for a detailed justification of the services you receive for it.
Retesting the vulnerabilities that were initially discovered and given recommendations may be included in the vendor's pricing, or you can ask for it specifically. Some organizations do not wish to disrupt their operating hours and may request after-hours testing. Vendors may also charge extra for an attestation letter confirming that the test was conducted for the company in question.
Beyond these, any special testing equipment or other requirements also attract additional fees. Extra labs, devices, or more detailed reporting requirements fall under this category. Some testing providers may also offer discounts based on the number of tests conducted, even if they differ in nature, or when the same test is repeated multiple times over a specified period.
These are only a few of the general factors that determine the pricing of penetration testing procedures. Approaching a trusted third-party service provider after adequate background information has been gathered will give a detailed picture of the costs, objectives, and scope of conducting a penetration test for your company.