Penetration testing is incredibly important for the cybersecurity of your business. Like anything else, however, you have to balance the cost of a penetration test against the return on investment. Unfortunately, it can be difficult to get a straight answer from a quick look at a penetration tester’s website because there are so many factors that go into determining the pricing.
Here are 5 main factors that help determine the cost of a pentest:
1. The project scope and the efforts required
Bigger tests, simply put, require more time on the part of the pentester and therefore cost more. That seems straightforward, but a large number of elements affect the size of a project and the effort required to perform the test. Here are some of the main factors that influence the effort required for various types of penetration tests.
The effort required for a Network Penetration Test will vary considerably with the number of IP addresses and internal servers targeted by the test. Pricing is also affected by the number of devices on the network, since each one requires further investigation by the specialist to document the full impact a vulnerability could have on the network.
For a Web Application Penetration Test, the effort will vary greatly according to the features available in the application and the technologies on which it was built. For instance, a web application with authentication and multiple user roles that also handles credit card payments will require more effort than a simple application without authentication or payments. An application that offers a mix of unauthenticated and authenticated features might also require multiple testing phases to ensure that every exploitation scenario has been covered.
In some instances, specialized tests such as SCADA / ICS Penetration Testing might require a specialist to be present on-site to test components and devices that should not be reachable from anywhere else. For example, a pentester might need to be in your facilities to validate that your industrial network is properly segmented and cannot be hijacked by malicious actors from either inside or outside your organization.
Other factors, such as the state of the targeted system, can also affect the cost of the penetration test. For example, an industrial network currently in production that cannot be replicated in a testing environment will require the specialists to be extra vigilant in their approach. In some cases it will force them to use specific techniques that do not compromise the integrity of the system or interrupt the production line, which requires more effort overall.
2. The approach (automated vs manual testing)
The approach used in a penetration test is one of the main factors that determines the time spent on the assessment. Automated tests are often seen as a cheap alternative to a penetration test, but the two are performed in different contexts and should not be treated as equivalents, as they deliver completely different results.
Automated penetration tests, also known as vulnerability scans or vulnerability assessments, are a cheap and efficient way to identify common misconfigurations, unpatched software and known vulnerabilities within your systems. Vulnerability scanners produce a list of known vulnerabilities associated with the technologies detected in your environment, and that list often contains false positives and false negatives that IT teams assume to be accurate. Misinterpreting a false positive can leave your IT team spending a great deal of time and resources on a vulnerability that either doesn’t exist or has little to no impact on your business’s actual security. As a result, automated scans, while cheap and efficient at identifying common mistakes, should not be your only means of validating the security of your systems.
Manual penetration testing goes beyond the identification of vulnerabilities. A manual penetration test aims to confirm that the vulnerabilities in your systems actually exist and exploits them to provide evidence of their potential impact on your company. It requires in-depth knowledge of various programming languages, technologies and environments in order to exploit the vulnerabilities using techniques and advanced tools similar to those used by attackers. As a result, the company gets a better idea of the direct impact if an attacker exploited that vulnerability. These tests rely on recognized methodologies, such as OSSTMM or OWASP, to gain a deeper understanding of the vulnerabilities in your system and the ways in which they could be exploited. Because of their nature, manual tests require a great deal more time and commitment on the part of the penetration tester than automated testing. Your stakeholders can rely on the results of a manual penetration test to make decisions that will secure their systems from cyberattacks, guaranteeing a direct return on their investment.
3. The goals that you’re looking to accomplish
The cost of a penetration test may also vary considerably according to the specific goals a company intends to meet with those tests.
For instance, the PCI-DSS regulatory requirements, which call for annual penetration testing, require evidence that any exploitable vulnerabilities within card processing systems have been properly mitigated. In some cases, a second testing phase might be required to prove that the vulnerabilities identified during the initial test have been successfully fixed.
In some cases, companies will perform a test as part of their development cycle before releasing a new feature for an application. The testing scope is then focused on the new features being added rather than the entire application, which requires less effort and decreases the cost of the penetration test drastically.
In other cases, companies that need to comply with the minimum requirements of their business partners might only need to test a specific application or network shared by both parties. This requires less effort than a company looking to secure its systems from cyberattacks in every way possible.
4. The level of expertise
The cost and the quality of a penetration test will often differ according to the level of expertise of the specialists in charge of your test, as they will have a direct impact on your return on investment.
The majority of highly skilled pentesters have completed various certifications, such as GWAPT, that require lengthy and advanced training. These certifications, usually quite expensive for the testers, provide hands-on experience exploiting and documenting vulnerabilities in some of the most complex environments and scenarios faced regularly in the industry. Some of them, such as OSCP and OSCE, require the tester to complete an intensive practical assessment lasting sometimes as long as 48 hours.
These certifications, combined with years of experience in the industry, deliver reliable results that can be used to make accurate decisions, helping your company’s stakeholders to invest their precious resources in areas where the risks are the most prominent.
5. The type of penetration test
The effort required for a penetration test also varies considerably depending on the component being tested. Web application penetration tests, for example, require more thorough testing because the testers are looking for complex logic flaws that are often introduced during the development of the app.
For some types of advanced tests, such as IoT penetration tests, more research and reverse-engineering might be required to learn about potential exploits of a given technology. As a result, the type of penetration test you need can have a significant impact on the overall efforts required and therefore, a direct impact on the cost of your penetration test.
Before a company can provide you with an estimated cost for a penetration test, many factors (such as the scope of the project and the context in which it is performed) will have to be determined and established in detail. To ensure a good return on the cost of your penetration test, you should also have clear expectations about the level of expertise of the testers and the approach they will use.
Reach out to a certified specialist to get a cost estimate for the type of penetration test adapted to your company and your specific needs.