Penetration Testing mailing list archives
Re: Pen-testing - pricing model
From: intel96 <intel96 () bellsouth net>
Date: Sun, 03 Dec 2006 13:30:36 -0500
Stefano,

Yes, I agree that this is very difficult in most cases. I recently had to prove that I was better than other bidders jockeying to do a global pentest for a Fortune 1000. The customer had no idea what the differences were between a vulnerability test and a pentest.

First, I had to educate the customer about security testing in general. Second, I had to provide the customer with strong references from other pentest projects. Third, I had to explain why my pricing was up to 11 times higher than other bidders. Most of the other bidders were companies that sell security software, and one was an MSSP whose pricing for the project was ZERO. The MSSP was also bidding to obtain a 1 million dollar managed services contract. Fourth, the customer provided each bidder a single IP to test. I was the only one that correctly identified the OS, web application and vulnerabilities on the system. Fifth, I had to provide a sample document, which I refused to do since even a sample report can be too detailed.

I finally won the project, but only a piece of the overall project. The customer gave part to the MSSP whose costs were nothing and the rest to me, but only after I cut my pricing based on the new project details.

The biggest issue that I have in pricing projects today is with the security software vendors and MSSPs that want to sell their wares to the customer!!! BUT only after they do a vulnerability test or pentest for FREE!!!!

Intel96

Stefano Zanero wrote:
> And lastly you should always be prepared to negotiate the pricing with the customer. The customer will always find someone cheaper and you will have to prove why you are better for the extra cost.
>
> This is very difficult if your customer does not have an exact idea of what a pen-test is supposed to be. What kind of proof would you suggest bringing to help a customer understand the difference?
>
> Stefano