Count Based Pricing Methodology

You provide a list of IP address and/or web applications (“Target”) to a penetration testing vendor.  That vendor then determines the price per Target based on volume.  The more Targets that you provide the lower the cost per Target and the less Targets you provide the higher the cost per Target.  The industry average cost per IP address ranges from a much as $2,000.00 per target to as little as $300.00 per target.  The industry average for Web Application’s is roughly $5,000.00 per target.

Pro’s of Count Based Pricing:

  • Very easy for customers to get a quote
  • Very easy for vendors to produce a quote
  • Faster quote generation
  • Satisfies most regulatory requirements

Con’s of Count Based Pricing

  • The count based pricing methodology does not provide any accurate method for measuring actual workload requirements.   As a result the risk of undercharging or overcharging is exceedingly high.
    • An example of overcharging which is far more common is as follows. Suppose that a customer approaches vendor with 64 IP addresses.   The vendor calculates price with $1093.75 x 64 IP’s = $70,000.00.  When testing begins the vendor discovers that only 11 of the 64 IP addresses are live (so 53 of them offer nothing to test).  This means that the customer ends up paying the vendor $57,968.75 to test 53 IP addresses that are not life (64 – 11 = 53).  More clearly, the customer pays $57,968.75 for absolutely nothing.
    • An example of the undercharge which is far less common is as follows.  Suppose that a customer approaches a vendor with 64 IP addresses.   Suppose that a customer approaches vendor with 64 IP addresses.   The vendor calculates price with $1093.75 x 64 IP’s = $70,000.00.  When testing begins the vendor discovers that each of the 64 IP addresses are live and offer very complex services that are very time consuming to manually test.  Unfortunately the vendor does not have sufficient budget allocated to the project to deliver genuine manual testing because that would result in the project running negative.  The vendor compensates by using automated vulnerability scanning rather than real manual penetration testing which by definition is not penetration testing at all but instead is vulnerability scanning.
  • It is impossible to use a count based pricing methodology to deliver manual penetration testing services because of the potential for significant workload discrepancies.