Working with VARs and System Integrators

From: Derek Vadala (derek@cynicism.com)
Date: Mon Oct 13 2003 - 17:05:41 EDT


A question was raised among some friends and colleagues recently. Many of
us often perform pen tests as subcontractors for VARs, system integrators,
or even other consulting firms. This seems to be a fairly common practice,
because many solution providers simply don't have the in house expertise
to perform a penetration test (or at least a good one), but it's a service
offering that often comes up during the course of a typical technical
sales meeting. So rather than turn away a potential sale, there's a lot of
outsourcing, at least in my experience.

My question to the list is how do you price this kind of work, assuming
that it's a percentage of revenue. I have heard some differing opinions
that range across the entire spectrum. Obviously resellers favor
themselves, and consultants have the opposite view. I am curious to know
what others think is a fair cut.

To make things easier let's assume the following.

You (or you and your colleagues):

 - develop the scope during the pre-sales phase
 - perform all technical work during the course of the audit.
 - route appropriate disclosures through the partner company if serious
issues are discovered during the audit, but prior to the final report
 - write and deliver a final report that enumerates the work performed,
provides recommendations for remediation of architectural issues, and
outlines specific device/service vulnerabilities
 - occasionally interact directly with the client via telephone or on-site
at follow-up or pre-sales meetings

The partner company:

 - gets the sale, closes the deal, works out the contract
 - manages the customer relationship (attends meetings, fields customer
phone calls, etc.)
 - prints and delivers the final report (which you provided)
 - manages billing

In short, there's a clear division of labor: all technical work versus the
sales process and customer relationship management. I'm curious to know
what others have encountered in these types of relationships, and am
specifically interested in what everyone feels is a fair distribution of
revenue. If you want to contact me off-list, I'll happily write up an
anonymous summary of the responses that I get.

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT