Re: Pen-testing - pricing model

From: intel96 (intel96@bellsouth.net)
Date: Sun Dec 03 2006 - 13:30:36 EST


Stefano,

Yes, I agree that this is very difficult in most cases. I recently had
to prove that I was better than other bidders jockeying to do a global
pentest for a Fortune 1000. The customer had no idea what the
differences were between a vulnerability test and a pentest. First, I
had to educate the customer about security testing in general. Second,
I had to provide the customer with strong references from other pentest
projects. Third, I had to explain why my pricing was up to 11 times
higher than other bidders. Most of the other bidders were companies
that sell security software and one was an MSSP, whose pricing for the
project was ZERO. The MSSP was also bidding to obtain a 1 million
dollar managed services contract. Fourth, the customer provided each
bidder a single IP to test. I was the only one that correctly
identified the OS, web application and vulnerabilities on the system.
Fifth, I had to provide a sample document, which I refused to do since
even a sample report can be too detailed.

I finally won the project, but only a piece of the overall project. The
customer gave part to the MSSP, whose costs were nothing, and the rest to
me, but only after I cut my pricing based on the new project details.

The biggest issue that I have in pricing projects today is with the
security software vendors and MSSPs that want to sell their wares to the
customer!!! BUT only after they do a vulnerability test or pentest for
FREE!!!!

Intel96

Stefano Zanero wrote:
>> And lastly you should always be prepared to negotiate the pricing with
>> the customer. The customer will always find someone cheaper and you
>> will have to prove why you are better for the extra cost.
>>
>
> This is very difficult if your customer does not have an exact idea of
> what a pen-test is supposed to be.
>
> What kind of proof would you suggest bringing to help a customer
> understand the difference ?
>
> Stefano
>
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:24 EDT