Re: pricing model for Pen-test

From: dave@immunitysec.com
Date: Fri Nov 14 2003 - 05:55:08 EST


In-Reply-To: <20031112204753.26518.qmail@sf-www3-symnsj.securityfocus.com>

Any pricing based on a per-IP is bogus anyway. The client knows you are doing a time-based estimate. Just say "6 Class C assessment for 2 weeks is 10K" the same as a "1 Class C assessment for 2 weeks". As long as you define the scope to basically be a nessus scan plus any extra time that you have goes into "verification", you have all the wiggle room you need. And pricing based on a time estimate is more honest, in my opinion, than trying to develop some complex price scaling algorithm based on scope. Your SOW should have the time limit explicitly in it.

IMO,
Dave Aitel
Immunity, Inc.

>From: <a55mnky@yahoo.com>
>To: pen-test@securityfocus.com
>Subject: pricing model for Pen-test
>
>
>
>We are responding to an RFP with very little detail - client has 6 class C networks. We have been given no information on how many hosts are live on each and/or how many services are offered on any hosts. Any suggestions on how to price the engagement - certainly there is a significant difference in effort between one web server per subnet and 100+ hosts with multiple services on each.
>
>Thanks in advance.
>
>a55mnky
>

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_pen-test_031023
and use priority code SF4.
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:42 EDT