Re: Pen-test pricing

From: Matthew Caston (mattcaston@mchsi.com)
Date: Thu Feb 03 2005 - 12:37:43 EST


Andre,
For a good pentester using custom tools/scripts (not COTS software) doing
a true pentest (not just a vuln scan), you should expect to pay between
$225-350 USD per hour in today's market, although you may be able to
find independent contractors or boutiques who do it for less. Either
way, make sure you do your due diligence on the actual testers, not just
the companies. Many use a bait and switch and opt for automated tools
rather than true hands-on expertise.

On average, most of my previous clients were looking for external pentests of
their DMZ environment, which in turn contained 20-30 target servers.
Depending on final scope we would charge from $25-40k on average, with
some of the more detailed tests reaching $60k and above. It really
does depend on the desired level of detail, reporting and explanation of
discovered vulns, as well as the testing profile itself, i.e. do you
want a real-world simulation to see if your HIDS/NIDS (CERT personnel)
picks up the test; is it a true blind test with no intel provided up
front; and so on....

If you're interested, I can put you in touch with some former employees
and colleagues who are widely regarded as some of the best in the
business. Even if you're not ready to buy, I'm sure they would be
willing to chat with you re: objectives/options/cost.

Regards,
...
Andre Derek Protas wrote:

> Does anyone have any good figures on pricing for pen-tests? Is
> charging done per server, location, or hour? Any help would be
> appreciated.
>
> ::andre::
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:15 EDT