
How Much Does a Vulnerability Prioritization Tool (VPT) Cost


So, you’re looking to take your vulnerability management game to the next level with a vulnerability prioritization tool (VPT). Well, when considering adding a solution like a VPT to your security stack, cost is no doubt one of the first questions to come to mind. Ultimately, the answer to that question comes down to everyone’s favorite response – it depends. In this post, we’ll break down a few factors that can impact the cost of a VPT and the pricing models you may come across. To get that final answer, you’ll then need to take some inventory of your environment, define some success criteria, and do a little math.

A Quick Refresher on What a Vulnerability Prioritization Tool is

First and foremost, vulnerability prioritization tools DO NOT scan. They do not replace vulnerability assessment scanners (VAS). They are supplemental tools that need data from scanners to perform their functions.

Vulnerability prioritization tools perform three core functions for Security teams. First, VPTs do a significantly better job of prioritizing vulnerability risk than traditional VASs. The addition of a VPT improves your ability to determine which risks are your actual top priority based on a wider range of threat context. The second function of a VPT is to improve the remediation workflows they automate. Vulnerability prioritization tools should integrate bi-directionally with ITSM ticketing systems to enable the pushing and syncing of tickets. This functionality dramatically reduces remediation and patching debates between ITOps and Security teams. Lastly, a VPT should provide a robust reporting suite and centralized console to help Security teams visualize the state of their risk. Such functionality provides all stakeholders (CISOs and analysts) with data narratives for their unique roles and a home base to perform VM operations.

The Biggest Factors that will Impact Your Vulnerability Prioritization Tool’s Cost

How many assets do you have in your environment? You’ll want to have this number handy and be confident about it when you start talking to solution providers. The answer to this question will be the major driver of your VPT’s final price. You’ll see how this works out later when we get into pricing models.

As you likely know, assets can come in a lot of different shapes and sizes:

  • Routers
  • Switches
  • Endpoints
  • Printers
  • Virtual machines
  • Applications
  • Software
  • Hubs
  • Containers/Images
  • GitHub repositories
  • IoT and OT devices

Remember that VPTs are not vulnerability scanners. Therefore, VPTs rely on different kinds of scanners to provide the identification of vulnerabilities related to their associated assets. Generally speaking, the larger the company, the larger and more complex the environment. As a result of this, more than one type of scanner will likely be employed. Ultimately, the greater the number of assets you have being scanned, the greater the price of your VPT, potentially.

Side note – While you can omit scanners and the vulnerabilities they identify from your VPT’s ingestion (lowering the cost), you will ultimately do yourself a disservice as it will dilute the accuracy of your prioritization output.

There are several other factors that can impact the cost of your VPT as well, but they are far more circumstantial.

The first of these is custom integrations. The nature of how VPTs function requires them to have a wide breadth of integration capabilities. However, that doesn’t mean every VPT has EVERY third-party security solution integration out-of-the-box. Custom integrations will usually add a one-time line item of several thousand dollars to your quote. That price will vary based on the complexity of the integration and whether the vendor sees carry-over value to other customers in building it.

Managed scanning as an add-on is the other potential cost impactor. In some cases, you may not own a license for a particular scanner but still have assets that need to be scanned and their vulnerabilities identified. Some vulnerability prioritization vendors may offer the ability to leverage their scanner instances to perform this function for you and then feed that information into the VPT you’re purchasing. This service will increase your regular payments, and the cost will likely scale based on the number of assets you need scanned.

The final factors that will impact your cost are implementation costs and professional services. Every vendor handles these expenses differently. Some will charge flat rates for these line items; some will base them on a percentage of the platform’s cost.

Different Vulnerability Prioritization Tool Pricing Models

Prices for various solutions will vary based on the pricing model the provider leverages. Here are a few different options you’ll likely come across:

  • Asset count pricing models – As you may have already guessed from the information above, charging on a per-asset basis is a relatively common pricing model. Take the advertised price per asset and multiply it by the number of assets in your environment. This is the most transparent and straightforward pricing model.
  • Flat rate + asset threshold pricing models – Similar to the previous model, however in this instance the customer will pay a standardized flat rate that will include some limit on the number of assets that will be managed. If your environment is larger than the starting limit, you can purchase additional assets to increase your managed threshold. These additional thresholds are usually sold in standardized increments. The difference in the number of assets initially covered versus the total number of assets in your environment is the delta to determine final price.
  • Custom pricing models – The least transparent pricing model you’ll run into. Companies with this pricing model are essentially forcing you to talk with them to reveal what the price of their solution might be. Custom pricing models usually leverage some aspects of the previous two models, but also commonly include other dimensions. One you might run into is some degree of modular pricing, where different product functionality modules are required to enhance the platform’s capabilities. This can be initially appealing as a way to manage costs, but you will eventually start playing the piecemeal game and regularly increase your expense when you inevitably hit functionality limitations. Regardless, do your homework thoroughly when asked to contact a company for their pricing.

One final note on pricing models – Most reputable companies will offer bulk pricing discounts if you have a large number of assets that need to be managed. Be sure to inquire about this if you are vetting solutions for a large company.

Long story short, if you’re looking for a quick back-of-the-napkin calculation for how much a VPT might cost you over a one-year period, multiply your count of assets by $16.99 (the price for NopSec’s enterprise tier vulnerability prioritization tool). This will give you a starting point to begin your budgeting and evaluation process. In our experience, NopSec’s price usually runs middle of the road when compared to competitors in the landscape.

If you need additional help or want to discuss how to best evaluate or price a vulnerability prioritization tool, we invite you to contact us. Our team of security experts will be more than happy to answer your questions.

 

FAQ

Question #1: How much does a vulnerability prioritization tool cost?

Multiply your total number of assets by $16.99 to get an initial estimate. For example, if you have 10,000 assets, you can expect to pay in the ballpark of $169,900 for a year of service.

Question #2: Is a vulnerability prioritization tool more expensive than a vulnerability assessment scanner?

On average, vulnerability prioritization tools cost about 20% less than vulnerability assessment scanners. Factors specific to your unique environment impact this cost comparison.
