How Much does a Penetration Test Cost?

This is the time of the year that we get a lot of inquiries about performing an annual penetration test. In every organization there are trade-offs of time, resources and budgets. So the inevitable question that arises is, “How much does/should a penetration test cost?” The truthful answer to this question is, it depends.

Deciding what and when to test can be the hardest step. You should have a clear reason and objective for penetration testing. We encourage the customers we work with to scope a penetration test from a risk-based and asset-focused perspective. That usually includes of all the Internet-facing services and infrastructure but sometimes involves other critical infrastructure and applications. (See all the areas we cover in penetration testing services.)

Why such a disparity of price range?

We have witnessed a wide range of prices being offered by competing penetration testing vendors. The differences can often be attributed to inaccurate definitions of “penetration testing services”, a poorly defined scope of work, or a lack of knowledge on the part of the client.

Factors that determine the cost of a penetration test:

Scope – The cost of a penetration test is dependent on the size and complexity of the IT environment and the rigor with which the testing is performed (See methodology below). A small IT footprint can be completed in a few days. If your environment is large or complex, penetration testing may take several weeks. Detection, penetration, and exploitation of vulnerabilities can be time consuming.

Methodology – This is often where pricing differences manifest. Is the service an off-site, non-exploitative test? Does the process include automated tools that generate a generic report? Is it an in-depth test that seeks to actively exploit detected vulnerabilities in order to demonstrate the ability to compromise specific systems? Is the penetration test performed by experienced security engineers? You need to decide the level of confidence you have in the methodology and how comprehensive the penetration test needs to be in order to meet your risk tolerance and/or achieve compliance.

Qualifications – Expertise of the vendor providing the services. Is the penetration test being delivered by a specialized security firm, network service provider, accounting firm, or consultant? Are the practitioners qualified and accredited?

Food for thought regarding the cost of penetration testing:

Beware of a false sense of security. The adage, “you get what you pay for” is as true for penetration testing as any other product or service. Credible penetration vendors will not negotiate much on price if they have determined an accurate project scope. Vendors should deliver a proposal with a realistic cost of labor, and a specific time-frame for service delivery. Beware of penetration testing vendors that offer “too good to be true” prices because they could be providing inadequate services that ultimately will leave your company at risk.

A penetration testing vendor needs to be considered a partner. Ensure that you have an NDA in place and help the provider to understand your organization and its infrastructure. A penetration test can only identify those problems that it is designed to look for. If a particular system, service or application is not tested, then there will be no information about its security or insecurity.

Make sure the penetration test agreement includes help with the remediation phase. Vulnerabilities may be challenging to remediate and you should enlist the help of the penetration tester to verify the fixes have been implemented successfully.

The cost of a penetration test is a fraction of the cost of a security breach. The “2013 Cost of a Data Breach” study released by the Ponemon Institute and Symantec reported that the average cost for U.S. businesses was $188 per compromised record. These costs are incurred for detection, remediation, notification, fines and resolution of the breach, but do not reflect lost business due to the long term erosion of customer confidence.

Learn more about NopSec’s approach to penetration testing and the methodology we use to secure applications, infrastructure, and devices from security breaches. Best Practices Guide: Penetration Testing.