Re: Pen-test pricing

From: Nathan Sportsman (nathan@praetoriansolutions.com)
Date: Thu Feb 03 2005 - 12:22:09 EST


The client is interested in the bottom line: how much am I going to pay
and what am I getting for my money. Generally, what the client wants is an
estimate for the total cost of the project. At my company, the estimation
is derived by the number of man hours required to fulfill the project's
deliverables.

I have seen some companies follow a per server based pricing model;
however, it has been my experience that the level of service these
companies offer is nothing more than an automated vulnerability scan.
Because the quality of work isn't very good, the time spent on each system
isn't very long. Subsequently, the consulting company can significantly
beef up its margins by charging on a per server rather than a per hour
basis. In the end, the client pays for it, figuratively and literally. I
do not agree with this. As you know, the complexity between servers varies
and subsequently the time needed to test varies as well. I believe an
hourly rate is the best way to charge for your services, where the rate
you charge depends on your credentials and the quality of your
service.

Nathan Sportsman
Praetorian Security Solutions

> Does anyone have any good figures on pricing for pen-tests? Is charging
> done per server, location, or hour? Any help would be appreciated.
>
> ::andre::



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:15 EDT