RE: pricing model for Pen-test

From: Bojan Zdrnja (Bojan.Zdrnja@LSS.hr)
Date: Sat Nov 15 2003 - 21:54:51 EST

• Next message: dave@immunitysec.com: "Re: pricing model for Pen-test"
• Previous message: Jimi Thompson: "Re: bluetooth pin-cracker"
• In reply to: dave@immunitysec.com: "Re: pricing model for Pen-test"
• Next in thread: dave@immunitysec.com: "Re: pricing model for Pen-test"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> -----Original Message-----
> From: dave@immunitysec.com [mailto:dave@immunitysec.com]
> Sent: Friday, 14 November 2003 11:55 p.m.
> To: pen-test@securityfocus.com
> Subject: Re: pricing model for Pen-test
>
> In-Reply-To:
> <20031112204753.26518.qmail@sf-www3-symnsj.securityfocus.com>
>
>
>
> Any pricing based on a per-IP is bogus anyways. The client
> knows you are doing a time-based estimate. Just say "6 Class
> C assessment for 2 weeks is 10K" the same as a "1 Class C
> assessment for 2 weeks" . As long as you define the scope to
> basically be a nessus scan plus any extra time that you have
> goes into "verification" you have all the wiggle room you
> need. And pricing based on a time estimate is more honest, in
> my opinion, than tried to develop some complex price scaling
> algorithm based on scope. Your SOW should have the time limit
> explicitly in it.

I agree with Dave, a total price should depend upon time it took you to run
the penetration test, analyze the results and create the final report (plus
eventually presentation).

The problem is that the customer usually wants a fixed price. As a rule of
thumb, you can use OSSTM rules. However, what I usually like is that we give
a top price to the customer (like this is the biggest price it'll cost you)
and then, at the end, calculate used hours. Obviously, if our estimation of
top price was correct, used hours * price per hour will be near that. If
it's below, even better for the customer (that means we spent less time then
we thought we'll need). On the other hand, if price is above the agreed top
price - then we charge agreed top price and loose the rest.

I think this is pretty fair to the customer, you just have to be good in
predictions :)

Regards,

Bojan Zdrnja
CISSP

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_pen-test_031023
and use priority code SF4.
----------------------------------------------------------------------------

• Next message: dave@immunitysec.com: "Re: pricing model for Pen-test"
• Previous message: Jimi Thompson: "Re: bluetooth pin-cracker"
• In reply to: dave@immunitysec.com: "Re: pricing model for Pen-test"
• Next in thread: dave@immunitysec.com: "Re: pricing model for Pen-test"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:42 EDT