The cost of a pentest is very difficult to generalize, especially when considering the broad range of activities performed and varying scope of each individual engagement. Almost all penetration tests can be completed within a budget ranging from $5K-$150K depending on the purpose, scope, type of testing, and what types of threats you’d like to protect your business from.
During a pentest, it is far quicker to check two vulnerabilities rather than two hundred. Layering on top of this are the qualifications of the pentest team. The scale of experience and qualifications may impact the lower end of pricing meaning if you see a quote that is too good to be true, be skeptical. When investing in penetration testing it is crucial to understand your requirements, and the objectives you are looking to achieve with them.
What are you investing for?
It is important to understand why you are investing in penetration testing. Data breaches are expensive. The average data breach in Canada in 2018 cost roughly $4M dollars. This is overshadowed by the loss of customer privacy, confidence and fines. Canadian Privacy Law was recently revised to introduce mandatory breach notifications. Failure to notify the privacy commissioner within a reasonable amount of time may result in a $100K fine.
Beyond these reasons, your customer may be mandating that you perform one. In this case, most businesses elect to minimize their investment or seek out the cheapest vendor. This is not the best approach because it is the least cost-efficient. To draw an analogy. If you’re going to Mars, and NASA is mandating that you have a physical, you’re not going to look for the cheapest doctor. You should be equally invested in ensuring your business is protected because the cost of a low-quality pentest is much higher if you are breached. Various compliance requirements mandate a penetration test given their effectiveness; included in these compliance requirements is PCI which clearly defines what you should be testing.
What is the scope of your pentest?
PCI requires penetration testing of the cardholder data environment (CDE) to validate the security within your environment. Beyond compliance, it is often difficult to select what is in-scope versus what is out. It is tempting to exclude legacy devices because you cannot patch them – this is a terrible idea. Real attackers do not exclude devices from the scope, they follow the path of least resistance. If you haven’t patched that legacy system in 5 years and it’s exposed on your network, you should understand its impact on the security of your business.
There may be an opportunity to test a sample of systems if they are all identical. For example, if your organization makes use of containers, such as Google’s Kubernetes, or any other templated systems. There may not be value in testing each individual instance which may result in cost savings. This may also apply to users endpoints, but not if your users have Administrative privileges over their systems.
Web applications require continuous testing. At Packetlabs, we routinely find vulnerabilities which enable unauthorized access to sensitive information; in some cases entire customer data sets.
How do you know which applications require testing? Custom applications should be the highest priority. Applications are split between three groups, commercial off the shelf software (COTS), custom web applications, and somewhere in-between. For example, a web application can make use of a commercial publishing platform such as SAP Hybris, Adobe CQ5, Oracle ATG, Umbraco, WordPress and more while using custom code. These platforms are widely used and have been subject to countless assessments. The most value is realized when testing custom code which may not have been as extensively tested.
What impacts the cost of a pentest?
Knowing what should be tested, it is important to understand the impact of scope on the cost of a penetration test. The key metrics that impact the cost of a pentest are, how many assets are being tested, measured in IPs, how many web applications require testing, and how many roles are there in your applications. While it sounds counter-intuitive, the more assets that are included in the scope, the more cost-effective the assessment will be. The more restrictive the scope, the less value and the more cost per asset of testing.
For an infrastructure penetration test, it is also important to understand how thoroughly each of your systems will be tested. If your scope is 1000 IPs and the vendor is proposing 200 IPs per day, there may not be enough time to complete testing which may result in missed findings. An ideal pace is 20-50 IPs/day depending on the type of systems being tested.
The size of web applications is measured in page counts, and role counts. These are fairly simple metrics and there are other factors which help refine estimates but it is a great starting point. Page counts help outline the difference between a brochure website and Facebook.com. The most accurate way to estimate effort requirements for a given web application is a walkthrough. A walk through is exactly as it sounds, a walk-through of your application usually delivered by customer service or sales to illustrate the functionality within your application and how it is used by your customers or employees.
How does experience and qualifications impact the cost of a pentest?
A very important factor in pricing is the qualifications of the team performing testing. As the old adage goes, you get what you pay for. This factor is important because it’s where you get the most value from the assessment. It is important to pay for proper testing but do not simply pay for the name of the company doing the testing. You will be surprised to learn that most ‘names’ you buy will sell your business and subcontract to a partner in order to improve their bottom line. We will never outsource our engagements because it is far more important to improve the security of our clients than our bottom line. This factor proves so difficult that we wrote an article outlining the questions and criteria for helping choose an effective penetration tester.
On top of this, there are various threats which you may be looking to simulate during your assessment. From casual attackers (e.g., script kiddies) to APTs, there is a wide variety of skill sets to evaluate during a pentest. The ideal threats to prepare for are those you are more likely to encounter which requires some level of sophistication from the team you choose to work with. If you’re working with an inexperienced team, expect to discover and address only the most obvious findings which are picked up with automated tools.
Putting it all together
In summary, there are so many variables that affect the price of a penetration test and while the industry would love to commoditize this process there are important factors that must be considered to understand what you’re investing in. If a price is too good to be true, it likely is. It is important to work with a qualified team that can help navigate each of your requirements and come up with the most effective solution. At Packetlabs, we stand behind our testing and mandate continual training to ensure only the highest quality testing for our customers. This is the only way we can help protect Canadian business and mitigate the potential for a breach. We must collectively try harder in order to ensure customer confidence in our brands and protect our customers.