More companies are investing in penetration testing than ever. Whether it’s for regulatory compliance or for preventing breaches by finding vulnerabilities in exposed applications before cybercriminals do, penetration testing is a fantastic security process.
However, the penetration testing services market is still highly variable. A seemingly similar pen test could cost £ or £££+, so what’s the difference?
Some pen testing vendors might quote tens of thousands of pounds or euros for a web application pen test; others might ask for a few hundred pounds or euros for what appears to be the same result, i.e., a “pen test report.”
With regulations like DORA making some level of testing mandatory (e.g., threat-led penetration testing) for many organisations, buyers need more clarity about what they are getting.
To help security and IT teams make more informed buying decisions when it comes to offensive security, here’s what you need to know about how penetration test pricing really works.
Pen Test Pricing Can Be Broken Down Into 3 “Levels”
If we were to give just one piece of advice, it would be to look for a test that is correctly scoped.
Scoping is the process a testing service provider uses to decide the right amount of time and correct methodology to test your environment thoroughly.
Fair test pricing reflects realistic scoping.
Here’s what to watch out for in today’s pen testing market to make sure you get a fair pen test price that is properly scoped.
1. A “too good to be true” pen test price (underscoped)
A pen test that costs a few hundred euros/pounds is unlikely to be high quality – or safe.
A pen test at this price likely means that the vendor is cutting corners somewhere, whether that’s not having proper insurance in case something goes wrong, not giving you enough time, or even that the testers are not properly qualified.
At this price, the buyer is left carrying serious risks that the fee does not cover.
Any company that wants to conduct a pen test also needs to make sure that the penetration test they buy is not a vulnerability scan (some less reputable firms will sell vulnerability scans as pen tests).
That’s why it is extremely important to query the pen testing provider about what testing methodologies will be used during the test. A pen test will likely include a vulnerability scan, but should not solely consist of one.
Another reason a pen test cost might be very low, even if the vendor is a high-quality provider and all seems to be above board, is that the project may not have been correctly scoped.
It’s possible that a vendor hasn’t taken your unique situation into consideration, or you’re getting a standardised time-bound range (aka “one-way scoping”) that is incorrect in terms of what you need to test.
2. A fair price pen test
The rough price of a quality pen test from trained testers backed by insurance and quality processes starts at around £1200 per day.
However, even if the price seems to check out, you still need to do some research.
We recommend that all companies considering a pen testing provider ask them for their:
- Insurance in case of damage to their environment.
- Methodologies, because even reputable providers can sometimes position a vulnerability scan as a pen test.
- Qualifications and accreditations. CREST is the gold standard.
- Speciality in offensive security.
When it comes to scoping, make sure the statement of work is tailored and details the vendor’s approach, i.e., we will be testing for x, y, and z in this environment.
3. Too expensive (overscoped)
It is possible to pay too much for a pen test, even if it is high-quality. However, it’s also surprisingly easy to avoid getting ripped off when entering into a contract with a pen test provider.
Typically, when you get a range of quotes, one might be considerably higher than the rest (possibly double what others are).
However, this doesn’t necessarily mean that the company giving you a high quote for a pen test is trying to take advantage of you or is overcharging for their time. It could just mean that they have overscoped your situation.
If the day rate quoted is fair (i.e., roughly in line with other quotes), but the total engagement price is much higher, the company giving the quote may have overestimated the time needed for your project.
How to Guarantee a Fair Price Pen Test
The best way to get a fair price for a pen test is to be involved in the scoping process, i.e., going back and forth with the pen testing provider to determine exactly what will be tested, how it will be tested, and for how long.
This also helps you vet the pen testing provider. As a general rule, the more interested a company is in scoping your test correctly, the better.
Have a conversation with the people who will be providing the pen testing service to get an understanding of what they will be testing and how they will be testing. Does their methodology cover your needs and give you the assurance you’re looking to get out of the penetration test?
If there are zero scoping questions, the engagement will probably be overscoped by default.
Disclaimer: This article contains sponsored marketing content. It is intended for promotional purposes and should not be considered as an endorsement or recommendation by our website. Readers are encouraged to conduct their own research and exercise their own judgment before making any decisions based on the information provided in this article.