The right way versus the wrong way to price a penetration test
The question we are asked most often is “how much will it cost for you to deliver a penetration test to us?”. Rather than answering it the same way each time, we thought it best to write a detailed yet simple blog entry on the subject. We suspect that you’ll have no trouble understanding the pricing methods described here because they are common sense. The price of a genuine penetration test is based on the amount of human work required to deliver the test successfully.
The amount of human work depends on the complexity of the infrastructure to be tested, and the infrastructure’s complexity depends on the configuration of each individual network-connected device. A network-connected device is anything including, but not limited to, servers, switches, firewalls, telephones, etc. Each unique network-connected device provides different services that serve different purposes, and because each service is different, each service requires a different amount of time to test correctly. It is for this exact reason that a genuine penetration test cannot be priced on the number of IP addresses or the number of devices: it does not make sense to charge $X per IP address when each IP address requires a different amount of work to test properly. Instead, the only correct way to price a genuine penetration test is to assess the time requirements and from there derive the workload.
At Netragard the workload for an engagement is based on science and not on an arbitrary price per IP. Our pricing is based on something that we call Time Per Parameter (TPP). The TPP is the amount of time that a Netragard researcher will spend testing each parameter. A parameter is either a service being provided by a network-connected device or a testable variable within a web application. Higher threat penetration tests have a higher TPP while more basic penetration tests have a lower TPP. This makes sense: the more time we spend trying to hack something, the higher the chances of success. Netragard’s base LEVEL 1 penetration test is our most simple offering and allows for a TPP of 5 minutes. Our LEVEL 2 penetration test is far more advanced than LEVEL 1 and allows for a TPP of up to 35 minutes. Our LEVEL 3 penetration test is possibly the most advanced threat penetration test offered in the industry and is designed to produce a true Nation State level threat (not that APT junk). Our LEVEL 3 penetration test has no limit on TPP or on offensive capabilities.
The details of the methodology that we use to calculate TPP are something we share with our customers but not with our competitors (sorry guys). What we will tell you is that the count-based pricing methodology used by our competition is a far cry from our TPP-based pricing. Here’s one example of how our pricing methodology saved one of our customers $49,000.00.
We were recently competing for a Penetration Testing engagement for a foreign government department. The department had received a quote for a Penetration Test from another penetration testing vendor that also creates software used by penetration testers. When we asked the department what the competing quote came in at, they told us roughly $70,000.00. When we asked whether that price was within their budget, they said yes. Our last question was about the competitor’s pricing methodology. We asked the department “did the competitor price based on how many IP addresses you have, or did they do a detailed workload assessment?”. The department told us that the competitor had priced on the number of IP addresses they had, and that the number was 64.
At that moment we understood that we were competing against a vendor that was offering a Vetted Vulnerability Scan and not a Genuine Penetration Test. If a vendor prices an engagement based on the number of IP addresses involved, then that vendor is not taking the actual workload into consideration. For example, a vendor that charges $500.00 per IP address for 10 IP addresses would price the engagement at $5,000.00. What happens if those 10 IP addresses require 1,000 man-hours of work to test because they are exceedingly complex? Will the vendor really find a penetration tester to work for less than $1.00 an hour? Of course not. The vendor will instead deliver a Vetted Vulnerability Scan and call it a Penetration Test. They will scan the 10 IP addresses, vet the results produced by the scanner and exploit things where possible, then produce a report. Moreover, they will call the process of vetting “manual testing”, which is a blatant lie. Any vendor that does not properly evaluate workload requirements must use a Vetted Vulnerability Scan methodology to avoid running financially negative on the project.
The inverse of this (which is far more common) is what happened with the foreign government department. While our competitor priced the engagement at $1,093.75 per IP for 64 IPs, which equates to $70,000.00, we priced it at $21,000.00 for 11 IPs (each of which offered between 2 and 6 moderately complex Internet-connectable services). Put more clearly, our competitor wanted to charge the department $57,968.75 for testing 54 IP addresses that were not in use, which equates to charging for absolutely nothing! When we presented our pricing to the department, we broke our costs down to show the exact price we were charging per Internet-connectable service. Needless to say, the customer was impressed by our pricing and shocked by our competitor; we won the deal.
While we wish we could tell you that being charged for nothing is a rare occurrence, it isn’t. If you’ve received a penetration test, then you’ve probably been charged for nothing. Another recent example involves a small company that needed Penetration Testing for PCI. They approached us saying that they had already received quotes from other vendors and that the quotes were all in the thousands of dollars. We explained that we would evaluate their network and determine the workload requirements. When we did, we found that they had zero responding IP addresses and zero Internet-connectable services, which equates to zero seconds of work. Instead of charging them anything, we simply issued them a certificate stating that, as of the date of testing, no attack surface was present. They were so surprised by our honesty that they wrote us this awesome testimonial about their experience with us.
Finally, our TPP-based pricing doesn’t need to be expensive. In fact, we can deliver a Penetration Test to any customer with any budget, because we will adjust the engagement’s TPP to match your budget. If your budget only allows for a $10,000.00 spend, then we will reduce the TPP to bring the project cost within your budgetary requirements. Just remember that reducing the TPP means that our penetration testers will spend less time testing each parameter, and increasing the TPP means that they will spend more time. The more time, the higher the quality. If we set your TPP at 10 minutes but we encounter services that only require a few seconds to test, then we allocate the leftover time to other services that require more time to test. Doing this ensures that complex services are tested very thoroughly.
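As an added worked example (not part of the original post, and not Netragard’s actual TPP calculation, which the post says is not published), the Python script below models the two pricing approaches side by side: a flat per-IP quote over a constructed 64-address scope in which only 11 addresses respond, and a scope-based budget of parameters × TPP using the LEVEL 1 and LEVEL 2 TPPs quoted above (5 and 35 minutes), including the reallocation of leftover minutes from quick services to the complex ones. The address inventory, the per-service minute estimates and the hourly rate are all constructed assumptions, as is the largest-shortfall-first reallocation order.

```python
"""Scope-based (Time Per Parameter) workload model versus count-based per-IP pricing.

Added illustration only: the inventory, the per-service minute estimates, the
hourly rate and the reallocation rule are assumptions, not a vendor's method.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Service:
    name: str
    min_minutes: int  # assumed: minutes a tester needs to cover this service properly


@dataclass
class Host:
    ip: str
    services: List[Service]  # empty list = address did not respond (no attack surface)


def build_inventory() -> List[Host]:
    """Constructed scope: 64 addresses handed over, only 11 respond with 2-6 services each."""
    live = {
        1: [("https", 60), ("ssh", 5)],
        2: [("https", 45), ("smtp", 20), ("imaps", 10)],
        3: [("https", 90), ("dns", 5)],
        4: [("https", 120), ("ssh", 5), ("rdp", 30), ("smb", 40)],
        5: [("https", 60), ("http", 15), ("ssh", 5), ("ftp", 25), ("smtp", 20)],
        6: [("https", 150), ("ssh", 5), ("https-alt", 60), ("vpn", 40), ("dns", 5), ("ntp", 5)],
        7: [("https", 30), ("ssh", 5)],
        8: [("https", 75), ("smtp", 20), ("pop3s", 10)],
        9: [("https", 100), ("ssh", 5), ("https-alt", 50), ("smb", 40)],
        10: [("https", 60), ("http", 15), ("ssh", 5), ("ftp", 25), ("imaps", 10)],
        11: [("https", 200), ("ssh", 5), ("vpn", 40), ("dns", 5), ("ntp", 5), ("smtp", 20)],
    }
    return [Host(f"203.0.113.{i}", [Service(n, m) for n, m in live.get(i, [])])
            for i in range(1, 65)]


def parameters(hosts: List[Host]) -> List[Tuple[str, Service]]:
    """Every Internet-connectable service is one testable parameter; idle addresses add none."""
    return [(h.ip, s) for h in hosts for s in h.services]


def per_ip_quote(hosts: List[Host], price_per_ip: float) -> Dict[str, float]:
    """Count-based pricing: every address costs the same whether or not it exposes anything."""
    idle = sum(1 for h in hosts if not h.services)
    return {"total": len(hosts) * price_per_ip, "charged_for_nothing": idle * price_per_ip}


def allocate_time(hosts: List[Host], tpp_minutes: int) -> Dict[str, object]:
    """TPP budget = parameters x TPP. Quick services keep only what they need; the leftover
    goes to services whose estimate exceeds the TPP, largest shortfall first (assumed rule)."""
    params = parameters(hosts)
    budget = len(params) * tpp_minutes
    alloc = {(ip, s.name): min(s.min_minutes, tpp_minutes) for ip, s in params}
    leftover = budget - sum(alloc.values())
    needy = sorted((p for p in params if p[1].min_minutes > tpp_minutes),
                   key=lambda p: p[1].min_minutes - tpp_minutes, reverse=True)
    for ip, s in needy:
        extra = min(s.min_minutes - tpp_minutes, leftover)
        alloc[(ip, s.name)] += extra
        leftover -= extra
    # Minutes the scope still needs beyond the budget; 0 means every service is fully covered.
    uncovered = sum(s.min_minutes - alloc[(ip, s.name)] for ip, s in params)
    return {"budget_minutes": budget, "allocation": alloc, "uncovered_minutes": uncovered}


def minimum_tpp_to_cover(hosts: List[Host]) -> int:
    """Smallest whole-minute TPP whose budget covers every service's estimate."""
    params = parameters(hosts)
    return math.ceil(sum(s.min_minutes for _, s in params) / len(params))


def tpp_quote(hosts: List[Host], tpp_minutes: int, hourly_rate: float) -> float:
    """Price derived from workload: budgeted minutes converted to hours at an assumed rate."""
    return allocate_time(hosts, tpp_minutes)["budget_minutes"] / 60 * hourly_rate


if __name__ == "__main__":
    scope = build_inventory()
    print("per-IP quote:", per_ip_quote(scope, 1093.75))
    print("testable parameters:", len(parameters(scope)))
    for level, tpp in (("LEVEL 1", 5), ("LEVEL 2", 35)):
        r = allocate_time(scope, tpp)
        print(level, "budget minutes:", r["budget_minutes"], "uncovered minutes:", r["uncovered_minutes"])
    print("TPP needed to cover the whole scope:", minimum_tpp_to_cover(scope))
    print("LEVEL 2 quote at assumed $150/h:", tpp_quote(scope, 35, 150.0))
```

Run stand-alone, the script shows the point of the post in numbers: the per-IP quote bills 53 idle addresses, while the TPP budget is driven only by the 42 services that actually respond, and `uncovered_minutes` tells the buyer whether the TPP they can afford is enough to cover their most complex services or whether, as the post describes, the TPP needs to go up.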