What does a pen test cost?

A quick online search, well maybe it's not that quick, will show that pen test costs start in the neighborhood of $5000-$25,000. And yes, that is generally for the same base system and scope. According to most sources, anything less than that is considered a rather simple vulnerability scan, which is mostly, if not completely, an automated scan and report. Rough breakdowns of cost by particular type of pentest and scope can be found out there on the interwebs.

The bottom line is it all depends... There are too many open/unknown variables. That said...

Here at 7T4, anything but the simplest vulnerability scan/report includes both automated and manual methods, but if the simple auto scan is all you need, it'll be $1000.

A vulnerability assessment with more manual human involvement, applied intelligence and interpretation - $3000. This may include methods to verify certain scan results, but will not include the intrusion methods applied in an actual penetration test.

The most basic black box pen test for the average small business or home office with a single IP/network/webapp would start at $5000 and take about two weeks. Typically the amount of time spent on manual intrusion in this case will be limited and the scope may not cover all compliance requirements.

For the 'standard' black box penetration test, figure around $8,000-$10,000 and about a month to complete. This would be the proverbial middle of the road, best bang for your buck, greatest value option.

Add $1500-$2500 per additional web app, for cloud infrastructure, or for a particular compliance purpose.

For gray box (user credentialed testing) or the inclusion of social engineering methods add $5000 minimum, depending on scope.

The inclusion of wireless or other onsite testing starts at $3000. Availability is location dependent and may incur additional fees for travel costs.

Of course, for more comprehensive testing (e.g. white box), or if you have a larger and/or more complex environment, then you're looking at some multiple of the above figures.

Why are these prices so high? Well, they aren't really. They are on the low end of any estimated pentest pricing. But for argument's sake, they are paying for 30 years of experience, not a glorified script kiddie, well-trained monkey, or marked-up offshore subcontractor.

Or you may ask yourself, why are these prices so low? It's true that they are considerably lower than those of specific cyber security firms. That would be one reason: I am not such a firm, so I don't have their kind of overhead or a team of employees to pay. And while I may be part of what some have called the first generation of hackers, I'm probably half a generation behind Mitnick and certainly don't have his type of name recognition. Overall these prices are roughly aligned with my rates.

The negotiation of a specific limited scope to meet a particular budget is always a possibility. Send an email to admin to discuss.