Re: What to spend on a pentest

From: Jason T. Hallahan (jthallah@gmail.com)
Date: Thu Aug 03 2006 - 09:21:17 EDT

• Next message: El Camino: "Re: Checklist for checking the security of internet banking"
• Previous message: faisalrdanka@fastmail.co.uk: "Re: Checklist for checking the security of internet banking"
• In reply to: Michael Weber: "Re: What to spend on a pentest"
• Next in thread: Intel96: "Re: What to spend on a pentest"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Is $175 really the going hourly rate for a capable vulnerability/pentester?

On 8/2/06, Michael Weber <mweber@alliednational.com> wrote:
> I would use a formula like this:
>
> (# of targets in network) * (# of services per target to be tested) * (testing time average of 15 min per service per target) * (hourly rate of tester) + (cost of documenting the results) = cost of a pen test
>
> So, a 10 target network with an average of 5 services per host to be tested by a competent pen tester would run
> (10 * 5 * .25 * 175) + 1000 = $3187.50
>
> This is pretty rough and includes a LOT of assumptions, but it should get you in the ball park. If you want a real number, your best bet would be to run nmap to enumerate your network and take the results to a pen tester for a bid.
>
> -Michael
>
> >>> "Jacob Weeks" <jaweeks@gmail.com> 8/2/2006 9:19:51 AM >>>
> I would say it depends more on the types of servers and number of
> services offered on the network rather than purely the number of
> systems on the network. As that would give an indication as to how
> long it might take, and what kind of resources the tester would need
> to bring.
>
>
>
> On 1 Aug 2006 15:32:51 -0000, mttdavis@hotmail.com <mttdavis@hotmail.com> wrote:
> > Can someone tell me what is a fair amount to spend on a decent pen-test with a simple class C network?
> >
> > ------------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Concerned about Web Application Security?
> > Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> > Choice Award from eWeek. As attacks through web applications continue to rise,
> > you need to proactively protect your applications from hackers. Cenzic has the
> > most comprehensive solutions to meet your application security penetration
> > testing and vulnerability management needs. You have an option to go with a
> > managed service (Cenzic ClickToSecure) or an enterprise software
> > (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> > help you: http://www.cenzic.com/news_events/wpappsec.php
> > And, now for a limited time we can do a FREE audit for you to confirm your
> > results from other product. Contact us at request@cenzic.com for details.
> > ------------------------------------------------------------------------------
> >
> >
>
>
> --
> -- Never do today, what you can blame someone else for not doing tomorrow.
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to rise,
> you need to proactively protect your applications from hackers. Cenzic has the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com for details.
> ------------------------------------------------------------------------------
>
>
>
>
> E-MAIL CONFIDENTIALITY NOTICE: This communication and any associated
> file(s) may contain privileged, confidential or proprietary
> information or be protected from disclosure under law ("Confidential
> Information"). Any use or disclosure of this Confidential Information,
> or taking any action in reliance thereon, by any individual/entity
> other than the intended recipient(s) is strictly prohibited. This
> Confidential Information is intended solely for the use of the
> individual(s) addressed. If you are not an intended recipient, you
> have received this Confidential Information in error and have an
> obligation to promptly inform the sender and permanently destroy,
> in its entirety, this Confidential Information (and all copies
> thereof). E-mail is handled in the strictest of confidence by
> Allied National, however, unless sent encrypted, it is not a secure
> communication method and may have been intercepted, edited or
> altered during transmission and therefore is not guaranteed.
>
>
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to rise,
> you need to proactively protect your applications from hackers. Cenzic has the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com for details.
> ------------------------------------------------------------------------------
>
>

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

• Next message: El Camino: "Re: Checklist for checking the security of internet banking"
• Previous message: faisalrdanka@fastmail.co.uk: "Re: Checklist for checking the security of internet banking"
• In reply to: Michael Weber: "Re: What to spend on a pentest"
• Next in thread: Intel96: "Re: What to spend on a pentest"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:31 EDT