The True Cost of A Great Penetration Test

If you asked car salesmen from different dealerships the question, “How much does a great car cost?” you’re guaranteed to get different answers and rarely any consistent dollar amount, depending on who they are and the type of person they perceive you to be.

• “Never buy used American cars. Get Japanese ones. We have some in the lot. Cheap, but it works.”

• “Oh, you have kids? Our latest models have the highest safety ratings according to the IIHS, plus they look hip.”

• “We have an auction next month for the 1970 Corvette LT-1. Incredible mint condition. Jay Leno has nothing on our inventory.”

• “Electric cars help save you so much money, and it’s environment friendly to boot. Yelp loves us, too.”

• “If you love Le Mans, you’ll love our cars. Let’s get you some champagne on they way to our underground showroom.”
• “Our cars are the most popular ones used by college students. It’s cool yet reliable, not a lot of maintenance required, and the mileage goes far.”

The car question is very much akin to asking “How much does a great penetration test cost?” One man’s great penetration test is another man’s disaster. What does “great” mean in the first place? A quick search on Google for “great penetration test” yields 1,130,000 results. So, where do you start?

Penetration testers seem to be in abundance nowadays (based on Google Results), and you’d think there’d be a deadlock in competitive pricing at this point, but that’s not the case at all. Prices for their services vary extremely widely. Freelance pentesters offer their services starting as low as $15 per hour, while others pay obscene amounts for “corporate rates.” Some offer a $5,000 flat-rate, and some don’t even publish their prices online (NopSec falls in this camp, and you’ll soon know why).

Why the vast difference? And really, where do you start?

Before you get fixated on the cost, first, I’d like to present three questions for your consideration:

1. What’s the value of the assets you’re protecting (your crown jewels)?
2. How much will it cost your company to recover from a breach due, in part, to a bad pentest (hint: average is $7 Million)?
3. What’s your definition of a “great” penetration test?

Here at NopSec, these are some of the first questions we ask our prospective clients. It helps us gauge if we are the right people for your requirements (we’re not fans of time-wasting), and properly assess your needs for the pentesting engagement.

Logically, you wouldn’t spend $50,000 on an asset worth $5,000, nor would you skimp on millions of dollars worth of digital assets either. Your pentest investment should be commensurate to what you’re protecting. So before you go on a hunt for a pentest provider, take your time to know the true value of your business first, especially your crown jewels. It really is the best gauge on how much you should be investing on a pen test. And yes, pentesting is an investment, not just another unnecessary expense.

Speaking of expense, we all know that breaches are costly and messy business. Now that’s an “unnecessary expense,” if there ever was one. You’d have to pay legal fees, fines (if applicable), additional labor and technological investments, customer churn, and overall damage to your business reputation and credibility. This will cost you an average of 7 million dollars. In 2016, the median budget allotted to IT Security is between $1 to $10 million — doesn’t it make sense to invest in this than to just accept to risk it all? Building your business for many years and for it to crumble due to a breach is an incredibly preventable tragedy.

Now, for the definition of “great.” This can be tricky because there isn’t a universal standard for pentesting that exists at the moment. Regardless of the standards, it’s ultimately all about results, don’t you agree?

Here’s NopSec’s definition of great, based on the results we deliver:

• DREAD Score: You will get well-documented test results that provide robust insight using the following factors: Damage + Reproducibility + Exploitability + Affected Users + Discoverability

• Executive Readout: The higher-ups are getting involved and they want to know the results? We’re here to help. We’ll go through the results of the test with you, line by line, and address any questions they may have. This saves you time and energy.

• Remediation Assistance: When our pentesters find issues in your environment, you can speak with them and discuss actionable remediation steps to fix your environment. Everyone else will just give you the results and that’s it.

• Positive Control Validation: It’s easy to say, “you did x, y, and z wrong.” We always go the extra mile and tell you what you did right as well to prevent the hack.

• Retesting: When all is said and done, will your pentester offer a complimentary retesting of your environment to validate the fix is effective? No other company offers this perk.

• White Glove Service Approach: Overall, we offer you a great experience with great results.

So based on our definition of “great,” how much do we then propose these results will cost you? The seemingly cop out, yet completely reasonable answer is, “it depends… on you.” The size of your IT environment, scope of the project, timeline, etc. Each business, IT environment, and requirements are unique. If we gave you a flat-rate price regardless of the scope of the project, that should raise a giant cybersecurity red flag.

A quality penetration test from a proven and tested company like NopSec will not give you a price offhand. We take our time to know you and your needs, so we can accurately give you a price, which in turn will help you make the best decision for your team, whether you decide to go with us or not. No surprises. A reckless pricing quote is usually a reflection of the services you’ll get, so beware. We know it can be a hassle having to reach out just to get a price, but it’s worth it. Might as well do it right the first time, than waste time and money having to do something twice due to unsatisfactory results.

The true cost of a great penetration test is the amount you’re willing to invest to protect your company and its crown jewels, commensurate to its value.

We made it easy for you to reach us. Either give us a call at 646-502-7900 or email us at hello@nopsec.com and you’ll be immediately connected with a knowledgeable Account Executive who can provide you with more information.