Re: Pen-testing - pricing model

[Davide Carnevali <carnevali () protechta it>]

Generally Pen Test should be a "time based" activity.

You define targets, goals and TIME within achieve these goals.

Once TIME is defined, with the client, you get the price.

Skills are not part of the pricing model: skills affect TIME and goals.

My 2 cents

Chris Stromblad ha scritto:
> Hi list,
>
> Those of you who work with this professionally, what sort of pricing 
> model do you use? How do you assess what should be charged for the test? 
> Considering the fact that there are many types of pen-tests and all have 
> different scope. I'm having a hard time figuring out if the prices that 
> has been given to me are reasonable.
>
> Say I were to give you one of the following scenarios, what would you 
> charge (roughly):
>
> 1. "Black box with shades of gray", 2 /24 networks, not all devices are 
> active. External scan.
>
> 2. Internal scan, only devices
>
> 3. Internal scan, procedures, physical security and devices
>
> I know this question is somewhat difficult to answer, because there is 
> no correct answer, but any advice is welcome.
>
> Cheers,
> Chris
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW 
>
> ------------------------------------------------------------------------

--

Davide Carnevali
CEO
Protechta - Information Security
OPST, CCSP
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/
e-mail: davide () protechta it
Disclaimer: http://www.protechta.it/disclaimer

------------------------------------------------------------------------
Chi riceve il  presente  messaggio e' tenuto a  verificare  se lo  stesso
non gli sia pervenuto per  errore.  In  tal caso e` pregato  di avvisare
immediatamente  il   mittente  e,  tenuto  conto  delle   responsabilita'
connesse  all'indebito  utilizzo  e/o  divulgazione  del  messaggio  e/o
delle  informazioni  in esso contenute,  voglia  cancellare  l'originale
e distruggere  le varie copie  o stampe.

The receiver of this message is required to check if he/she has received
it  erroneously.  If  so,  the   receiver  is  requested  to immediately
inform the sender and - in consideration of the responsibilities arising
from undue use and/or disclosure of the message  and/or  the information
contained therein - destroy the original message and any copy or printout
thereof.
-------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------