How Much Does Penetration Testing (Pen Test) Cost? by: Gary Glover, Director of Security Assessments at SecurityMetrics
Apr 20, 2015
How Much Does Penetration Testing (Pen Test) Cost?
Ethical hacking. It’s a great way to discover where your business security fails. Gary Glover, Director of Security Assessments at SecurityMetrics
Your company may have the technology in place to prevent data theft, but is it enough? How do you prove it? The most accurate way to know if you’re safe from a hacker is through live penetration testing, also called pen testing, or ethical hacking. How much does a penetration test cost?
What is penetration testing?
To beat a hacker, you have to think like a hacker. Penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors) just like a hacker would. In simpler terms, they try to break into your company’s network to find security holes.
The Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 requires both an internal and external penetration test (What is PCI?), so most companies regularly receive penetration tests to comply with that requirement. But penetration testing isn’t limited to the PCI DSS. Any company can request a penetration test whenever they wish to measure their business security.
The time it takes to conduct a pen test varies based on the size of a company’s network, the complexity of that network, and the individual penetration test staff members assigned. A small environment can be done in a few days, but a large environment can take several weeks.
Vulnerability scanning and penetration testing are different. Some people mistakenly believe vulnerability scanning or antivirus scans are the same as a professional penetration test. Even some companies tout ‘penetration testing services’ when in fact, they only offer vulnerability scanning services. As a general rule, any ‘pen test’ that is listed for less than $3,000 is probably not a real penetration test.
An external vulnerability scan is an automated, affordable, high-level test that identifies known weaknesses in network structures. Some are able to identify more than 50,000 unique external weaknesses. Don’t get me wrong, vulnerability scans have their place. In fact, I highly recommend them as weekly, monthly, or quarterly insight into your network security. penetration testing
Here are the two biggest differences. A vulnerability scan is automated, while a penetration test includes a live person actually digging into the complexities of your network. A vulnerability scan only identifies vulnerabilities, while a penetration tester digs deeper to identify, then attempt to exploit those vulnerabilities to get access to secure systems or stored sensitive data.
Understand the difference?
So what’s the actual cost of a penetration test? With any business service, cost varies quite a bit based on a set of variables. The following are the most common variables with regard to penetration testing services:
Complexity: the size and complexity of your environment and network devices are probably the biggest factors of your penetration test quote. A more complex environment requires more labor to virtually walk through the network and exposed web applications looking for every possible vulnerability.
Methodology: each pen tester has a different way they conduct their penetration test. Some use more expensive tools than others, which could jack up the price. That’s not necessarily a bad thing. More expensive tools could reduce the time of your test, and produce higher quality results.
Experience: pen testers with more experience will be more expensive. Just remember, you get what you pay for. Beware of pen testers that offer prices that are too good to be true. They probably aren’t doing a thorough job. I suggest looking for penetration testers with credentials behind their name like CISSP, GIAC, CEH, or OSCP.
Onsite: most penetration tests can be done offsite, however; in rare cases that involve very large/complex environments, an onsite visit could be required to adequately test your business security. Onsite visits are also required if you request a physical security or social engineering penetration test.
Remediation: some pen testers include remediation assistance and/or retesting in their price. Others provide test results and disappear.
With everything above accounted for, typically penetration tests start around $4,000 but can rise well above $20,000.
Penetration tests are worth it, every time If you think that price is unreasonable, think of this. A hacker only has to find one hole to get into your network and steal data. A pen tester works hard to find as many holes as possible that could allow you to be compromised. You are paying a professional to look through every nook and cranny of your business to find each possibility of compromise. There is no better way to test the actual effectiveness of your security systems than by the skills of an experienced penetration test team.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience.