Key Points
We live in the age of automated hacking systems, frequent data breaches and consumer protection regulations such as GDPR and PCI DSS. Penetration testing has become an essential security requirement for businesses of all sizes, rather than just banks and governments. What that means is lots of companies find themselves needing to choose a vendor and understand how much penetration testing costs for the first time, and it’s not easy.
Faced with the task of getting a penetration test done, the sheer number of providers can be daunting. How do you know if they’re any good? Can you tell what level of security expertise was delivered by reading the report? Was your application secure, or did the tester simply not find the serious weaknesses?
There are no easy answers to these questions, but the good news is that you can help yourself out by asking the right questions up front. The most important considerations fall into three categories: certifications, experience, and as always - the cost of a penetration test.
How much does penetration testing cost?
People often ask what the cost of a standard penetration test is. Unfortunately, due to the variety in size and complexity of IT systems, this is like asking how long is a piece of string. It depends what you are working with, and how much depth you need to go to. If you imagine it like painting a bridge, it depends how big your bridge is, and how many coats of paint you want - just a thin covering might leave you exposed to the elements.
Average cost of a penetration test
Pen tests are usually quoted on a ‘day-rate’ basis. Very broadly, you can expect to pay anything in the range of $1000 - $3000 per day, or £800 - £2500 per day in the UK.
Day rates vary from vendor to vendor based on things like reputation, certifications, and special requirements for the tester’s experience, although discounts can be negotiated if you’re buying lots of days (anything more than fifteen days would be considered a large test).
Day rates are typically flat, or tiered based on the seniority of the consultant carrying out the test. The more complex your requirements, the higher the day rate, as a more senior and experienced security consultant will be needed.
Does the type of penetration test affect the cost?
You might be wondering if a particular type of pen test costs more than another, such as a network pen test, or an application pen test. As previously mentioned, penetration testing companies charge based on day rates, rather than charging for different types of tests. So regardless of what you are testing, the cost will come down to the scope and number of days required to complete the assessment.
How the scope affects the cost of a pen test
The scope of a penetration test is determined by various factors, such as the number of pages and features within a web application, how easy it is to access the systems, or the level of assurance needed.
To establish the scope, the vendor will often need to get a demo of your product, or gather information about your environment. As a rule of thumb, the fewer questions they ask at this stage, the less likely you are to get an accurately quoted piece of work.
The scope will determine how many days will be required to complete the assessment, as well as the seniority of the consultant required to give the assurance requested. Both of these factors will affect the price.
For example, the cost of a web application penetration test could range from $3000 - $22,500. This is because a small, non-complex web app test carried out by a junior tester could take 3 days, at a day rate of $1000 ($3000 in total). On the other hand, a large, complex web app test carried out by a senior tester could take 15 days, charged at a higher day rate of $1500 ($22,500 in total).
There’s also no standard when it comes to scoping a piece of work, so you might find estimates differ. One organization may scope a job as 3 days’ work, and another as 5, depending on their viewpoint. These are their best estimates; it’s hard to tell exactly how long the work will take until you’re actually doing it.
Some vendors do offer "fixed-fee" penetration tests, but going back to the bridge analogy, you should probably be worried about coverage if they’re offering it for a fixed fee without asking how big the bridge is.
As with anything in life, the price you are quoted should reflect the quality that your penetration test will be delivered at - but in an industry where the quality of a test is hard to judge, there are bound to be some rogue traders out there. Take care to ask the right questions and don’t skip the due diligence process before deciding on a provider.
Certifications
As well as considering the cost of a pen test, certifications are one of the most important things a new buyer should look for, as they can provide a convenient shortcut for building trust with a vendor.
Some highly regarded certifications to look out for include Offensive Security’s OSCP and OSCE3 certifications. Other notable ones include the Penetration Testing Professional (PNPT) and SANS 542/560/588, all of which cover a broad range of topics including network infrastructure, cloud penetration testing, and web application testing.
In the UK, one of the most well-recognized certification bodies is CREST (Council of Registered Ethical Security Testers). CREST is now an internationally recognized hallmark of quality for a variety of cyber security disciplines.
The company-wide accreditation (‘CREST member company’) is given to companies that can prove their policies, processes and procedures are up to scratch. This allows penetration testing companies to show that they follow good practices on paper, and use appropriate security testing methodologies. However, asking a ‘CREST member company’ to carry out a pen test does not guarantee that the consultant performing your test is certified themselves to an appropriate standard - merely that the company is morally obliged to provide you with a suitable tester.
When checking the credentials of a penetration testing company, make sure to ask about the actual tester that will carry out the work — do they have appropriate certifications and experience for the job at hand?
This is a key point to take away: the credentials and experience of the person who will carry out the work are just as important as those of the organization they work for!
For that reason, CREST also have a range of levels even for the individual testers, from entry-level certificates to complex practical examinations in different specialist areas. It’s important to look at both the level of certifications, and whether they’re specific to the type of penetration testing you are looking for. We’ve outlined the available CREST certifications for penetration testing below:
While certifications are useful, they can’t cover everything. There are many types of technology out there, and you can’t have an exam to cover every single one. As you can see from the diagram above, there is no CREST exam for AWS, or for embedded devices, or mobile applications. Being a penetration tester is sometimes like being a doctor: you have a very good set of knowledge and skills, but there isn’t always a textbook for the patient you’re dealing with. That’s when experience comes into play.
Experience
Besides a penetration tester’s certifications, another big factor in a pentest’s quality is the breadth of experience your pen tester has under their belt. The more exposure that a tester has had, the more likely they are to be proficient at discovering a wide range of security threats.
It’s also important to note that not all experience is equal, since some types of testing can involve specific skills in particular technologies, like AWS Cognito, or the Real Time Messaging Protocol. As far as possible, make sure your potential provider has relevant experience in the types of technology you’re working with.
Remember though, there may not always be a tester with experience in every technology out there, so you may need to be flexible. A good penetration tester will be able to learn about the technology you need testing, based on skills and principles from other disciplines, but it might take them slightly longer to become familiar with the technology at hand. This could have a knock-on effect on the price.
Defend against hackers with Intruder
Hopefully this article has explained a few of the most important factors to consider when choosing a penetration testing company, as well as helped you understand how much pen tests cost.
A tool like Intruder continuously monitors your network, helps you reduce your attack surface, and proactively scans your systems for new critical vulnerabilities – almost like having a pen tester watching over your systems! Intruder’s intelligent features also help optimize your budget. You can see how much it would cost using our pricing calculator, or get in touch for more information.