The True Cost of A Great Penetration Test
- Jun 28, 2017
- Guest Author
If you asked car salesmen from different dealerships the question, “How much does a great car cost?” you’re guaranteed to get different answers and rarely any consistent dollar amount, depending on who they are and the type of person they perceive you to be.
The car question is very much akin to asking “How much does a great penetration test cost?” One man’s great penetration test is another man’s disaster. What does “great” mean in the first place? A quick search on Google for “great penetration test” yields 1,130,000 results. So, where do you start?
Penetration testers seem to be in abundance nowadays (based on Google results), and you’d think competitive pricing would have settled into a deadlock by now, but that’s not the case at all. Prices for their services vary widely. Freelance pentesters offer their services starting as low as $15 per hour, while some clients pay obscene amounts for “corporate rates.” Some providers offer a $5,000 flat rate, and some don’t publish their prices online at all (NopSec falls in this camp, and you’ll soon know why).
Before you get fixated on the cost, first, I’d like to present three questions for your consideration:
Here at NopSec, these are some of the first questions we ask our prospective clients. It helps us gauge if we are the right people for your requirements (we’re not fans of time-wasting), and properly assess your needs for the pentesting engagement.
Logically, you wouldn’t spend $50,000 on an asset worth $5,000, nor would you skimp on protecting millions of dollars’ worth of digital assets. Your pentest investment should be commensurate with what you’re protecting. So before you go hunting for a pentest provider, take the time to know the true value of your business first, especially your crown jewels. That value really is the best gauge of how much you should be investing in a pen test. And yes, pentesting is an investment, not just another unnecessary expense.
Speaking of expense, we all know that breaches are costly and messy business. Now that’s an “unnecessary expense,” if there ever was one. You’d have to pay legal fees, fines (if applicable), additional labor and technology investments, customer churn, and the overall damage to your business reputation and credibility. This will cost you an average of 7 million dollars. In 2016, the median budget allotted to IT security was between $1 and $10 million — doesn’t it make more sense to invest in this than to simply accept the risk of losing it all? Building your business for many years only to have it crumble because of a breach is a tragedy, and an eminently preventable one.
Now, for the definition of “great.” This can be tricky because there is no universal standard for pentesting at the moment. Regardless of standards, it’s ultimately all about results, don’t you agree?
Here’s NopSec’s definition of great, based on the results we deliver:
So based on our definition of “great,” how much do we then propose these results will cost you? The seemingly cop-out, yet completely reasonable, answer is, “it depends… on you”: on the size of your IT environment, the scope of the project, the timeline, and so on. Each business, IT environment, and set of requirements is unique. If we gave you a flat-rate price regardless of the scope of the project, that should raise a giant cybersecurity red flag.
A proven and tested penetration testing company like NopSec will not give you a price offhand. We take the time to get to know you and your needs so we can give you an accurate price, which in turn will help you make the best decision for your team, whether you decide to go with us or not. No surprises. A reckless price quote is usually a reflection of the service you’ll get, so beware. We know it can be a hassle to have to reach out just to get a price, but it’s worth it. Better to do it right the first time than to waste time and money doing it twice because of unsatisfactory results.
The true cost of a great penetration test is the amount you’re willing to invest to protect your company and its crown jewels, commensurate with their value.
We’ve made it easy for you to reach us. Either give us a call at 646-502-7900 or email us at hello@nopsec.com, and you’ll be immediately connected with a knowledgeable Account Executive who can provide you with more information.