How Much Does a Vulnerability Prioritization Tool (VPT) Cost
- Mar 24, 2023
- Michelangelo Sidagni
So, you’re looking to take your vulnerability management game to the next level with a vulnerability prioritization tool (VPT). Well, when considering adding a solution like a VPT to your security stack, cost is no doubt one of the first questions to come to mind. Ultimately, the answer to that question comes down to everyone’s favorite response – it depends. In this post, we’ll break down a few factors that can impact the cost of a VPT and the pricing models you may come across. To get that final answer, you’ll then need to take some inventory of your environment, define some success criteria, and do a little math.
First and foremost, vulnerability prioritization tools DO NOT scan. They do not replace vulnerability assessment scanners (VAS). They are supplemental tools that need data from scanners to perform their functions.
Vulnerability prioritization tools perform three core functions for Security teams. First, VPTs do a significantly better job of prioritizing vulnerability risk than traditional VASs. The addition of a VPT improves your ability to determine which risks are your actual top priority, because it draws on a wider range of threat context (for example exploit availability and asset criticality) than a scanner's severity score alone. The second function of a VPT is to improve and automate remediation workflows. Vulnerability prioritization tools should integrate bi-directionally with ITSM ticketing systems so that tickets can be pushed and kept in sync. This functionality dramatically reduces remediation and patching debates between ITOps and Security teams. Lastly, a VPT should provide a robust reporting suite and a centralized console to help Security teams visualize the state of their risk. Such functionality gives all stakeholders, from CISOs to analysts, data narratives suited to their roles and a home base from which to run VM operations.
How many assets do you have in your environment? You’ll want to have this number handy and be confident about it when you start talking to solution providers. The answer to this question will be the major driver of your VPT’s final price. You’ll see how this works out later when we get into pricing models.
As you likely know, assets can come in a lot of different shapes and sizes:
Remember that VPTs are not vulnerability scanners. VPTs therefore rely on different kinds of scanners to identify the vulnerabilities associated with each asset. Generally speaking, the larger the company, the larger and more complex the environment, and the more likely it is that more than one type of scanner is in use. Ultimately, the more scanned assets you feed into the VPT, the higher its price is likely to be.
Side note – While you can omit scanners and the vulnerabilities they identify from your VPT’s ingestion (lowering the cost), you will ultimately do yourself a disservice as it will dilute the accuracy of your prioritization output.
There are several other factors that can impact the cost of your VPT as well, but they are far more circumstantial.
The first of which are custom integrations. The nature of how VPTs function requires them to have a wide breadth of integration capabilities. However, that doesn’t mean every VPT has EVERY third party security solution integration out-of-the-box. Custom integrations will usually add an additional one-time line item of several thousands of dollars to your quote. That price will vary based on the complexity of the integration and if the vendor sees carry-over value to other customers in building it.
Managed scanning as an add-on is the other potential cost impactor. In some cases, you may not own a license for a particular scanner, but you still have assets that need to be scanned and their vulnerabilities identified. Some vulnerability prioritization vendors may offer the ability to leverage their own scanner instances to perform this function for you and then feed that data into the VPT you're purchasing. This service will increase your regular payments, and the cost will likely scale with the number of assets you need scanned.
The final factors that will impact your cost are implementation costs and professional services. Every vendor handles these expenses differently. Some will charge flat rates for these line items; others will base them on a percentage of the platform's cost.
Prices for various solutions will vary based on the pricing model the provider leverages. Here are a few different options you’ll likely come across:
One final note on pricing models – Most reputable companies will offer bulk pricing discounts if you have a large number of assets that need to be managed. Be sure to inquire about this if you are vetting solutions for a large company.
Long story short, if you're looking for a quick back-of-the-napkin calculation for how much a VPT might cost you over a one-year period, multiply your count of assets by $16.99 (the per-asset, per-year price for NopSec's enterprise tier vulnerability prioritization tool). This will give you a starting point for your budgeting and evaluation process. In our experience, NopSec's price usually falls in the middle of the road compared with other vendors in the landscape.
If you need additional help or want to discuss how to best evaluate or price a vulnerability prioritization tool, we invite you to contact us. Our team of security experts will be more than happy to answer your questions.
Multiply your total number of assets by $16.99 to get an initial estimate. For example, if you have 10,000 assets, you can expect to pay in the ballpark of $169,900 for a year of service, before any custom integration, managed scanning, implementation, or professional services charges.
On average, vulnerability prioritization tools cost about 20% less than vulnerability assessment scanners. Factors specific to your unique environment impact this cost comparison.