Re: Pen-testing - pricing model

From: Lee Lawson (leejlawson@gmail.com)
Date: Mon Dec 04 2006 - 11:13:15 EST


nobody has actually given their daily rates! I agree with everything
that everyone has said. It is very difficult to quote for consultancy
times without good, detailed information. But then you fall into the
trap of the client not wanting to give you that information because
they feel it would compromise the authenticity of the tests.

If a client is not willing to give you good, detailed information
(recently I had a client who would not tell me if their wireless
network was encrypted or not, so I quoted an extra day!), then you
have to over quote to protect yourselves.

I have worked for, and currently work for good pen testing
organisations that charge a variable rate of 800-1000 British pounds
per day. Depending on how long you reckon it will take to perform the
required testing depends on the final cost to the client. Excluding
tax and travel expenses.

So a 5 day, external pen test would cost anything from £4000 to £5000.
 We also give discounts for returning customers. But saying that, we
are good!

later,

On 12/3/06, intel96 <intel96@bellsouth.net> wrote:
> Stefano,
>
> Yes, I agree that this is very difficult in most cases. I recently had
> to prove that I was better than other bidders jocking to do a global
> pentest for a Fortune 1000. The customer had no idea what the
> differences were between a vulnerability test and a pentest. First, I
> had to educate the customer about security testing in general. Second,
> I had to provide the customer with strong references from other pentest
> project. Third, I had to explain why my pricing was up to 11 times
> higher than other bidders. Most of the other bidders were companies
> that sell security software and one was a MSSP, who pricing for the
> project was ZERO. The MSSP was also bidding to obtain a 1 million
> dollars managed services contract. Fourth, the customer provide each
> bidder a single IP to test. I was the only one that correctly
> identified the OS, web application and vulnerabilities on the system.
> Fifth, I had to provide a sample document, which I refused to do since
> even a sample reports can be too detail.
>
> I finally won the project, but only a piece of the overall project. The
> customer gave part to the MSSP who costs were nothing and the rest to
> me, but only after I cut my pricing based on the new project details.
>
> The biggest issue that I have in pricing projects today is with the
> security software vendors and MSSPs that want to sell their wares to the
> customer!!! BUT only after they do a vulnerability test or pentest for
> FREE!!!!
>
> Intel96
>
>
>
>
> Stefano Zanero wrote:
> >> And lastly you should always be prepared to negotiate the pricing with
> >> the customer. The customer will always find someone cheaper and you
> >> will have to prove why you are better for the extra cost.
> >>
> >
> > This is very difficult if your customer does not have an exact idea of
> > what a pen-test is supposed to be.
> >
> > What kind of proof would you suggest bringing to help a customer
> > understand the difference ?
> >
> > Stefano
> >
> >
> >
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>

-- 
Lee J Lawson
leejlawson@gmail.com
leejlawson@hushmail.com
"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."
"Quidquid latine dictum sit, altum sonatur."
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:24 EDT