Penetration Testing mailing list archives

Re: Pen-test pricing


From: Matthew Caston <mattcaston () mchsi com>
Date: Thu, 03 Feb 2005 11:37:43 -0600

Andre,
For a good pentester using custom tools/scripts (not COTS software) doing a true pentest (not just a vuln scan), you should expect to pay between $225-350 USD per hour in today's market, although you may be able to find independent contractors or boutiques who do it for less. Either way, make sure you do your due diligence on the actual testers, not just the companies. Many use a bait-and-switch and opt for automated tools rather than true hands-on expertise.

On average, most of my previous clients were looking for external pentests of their DMZ environment, which in turn contained 20-30 target servers. Depending on final scope we would charge from $25-40k on average, with some of the more detailed tests reaching $60k and above. It really does depend on the desired level of detail, reporting and explanation of discovered vulns, as well as the testing profile itself, i.e. do you want a real-world simulation to see if your HIDS/NIDS (CERT personnel) picks up the test; is it a true blind test with no intel provided up front; and so on....

If you're interested, I can put you in touch with some former employees and colleagues who are widely regarded as some of the best in the business. Even if you're not ready to buy, I'm sure they would be willing to chat with you in re: objectives/options/cost.
Regards,
...
Andre Derek Protas wrote:

Does anyone have any good figures on pricing for pen-tests? Is charging done per server, location, or hour? Any help would be appreciated.

::andre::
