Penetration Testing mailing list archives
Re: Pen-testing - pricing model
From: Davide Carnevali <carnevali () protechta it>
Date: Mon, 04 Dec 2006 12:13:54 +0100
Generally Pen Test should be a "time based" activity. You define targets, goals and TIME within achieve these goals. Once TIME is defined, with the client, you get the price. Skills are not part of the pricing model: skills affect TIME and goals. My 2 cents Chris Stromblad ha scritto:
Hi list,Those of you who work with this professionally, what sort of pricing model do you use? How do you assess what should be charged for the test? Considering the fact that there are many types of pen-tests and all have different scope. I'm having a hard time figuring out if the prices that has been given to me are reasonable.Say I were to give you one of the following scenarios, what would you charge (roughly):1. "Black box with shades of gray", 2 /24 networks, not all devices are active. External scan.2. Internal scan, only devices 3. Internal scan, procedures, physical security and devicesI know this question is somewhat difficult to answer, because there is no correct answer, but any advice is welcome.Cheers, Chris ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW------------------------------------------------------------------------
-- Davide Carnevali CEO Protechta - Information Security OPST, CCSP Tel. +39 0521 2021 Fax. +39 0521 207461 http://www.protechta.it/ e-mail: davide () protechta it Disclaimer: http://www.protechta.it/disclaimer ------------------------------------------------------------------------ Chi riceve il presente messaggio e' tenuto a verificare se lo stesso non gli sia pervenuto per errore. In tal caso e` pregato di avvisare immediatamente il mittente e, tenuto conto delle responsabilita' connesse all'indebito utilizzo e/o divulgazione del messaggio e/o delle informazioni in esso contenute, voglia cancellare l'originale e distruggere le varie copie o stampe. The receiver of this message is required to check if he/she has received it erroneously. If so, the receiver is requested to immediately inform the sender and - in consideration of the responsibilities arising from undue use and/or disclosure of the message and/or the information contained therein - destroy the original message and any copy or printout thereof. ------------------------------------------------------------------------- ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Pen-testing - pricing model Chris Stromblad (Dec 01)
- RE: Pen-testing - pricing model Omar Herrera (Dec 03)
- Re: Pen-testing - pricing model Michael Weber (Dec 03)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 03)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 04)
- Re: Pen-testing - pricing model Kish Pent (Dec 10)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 11)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 13)
- Re: Pen-testing - pricing model Clint Laskowski (Dec 16)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 16)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 16)
- Re: Pen-testing - pricing model Christine Kronberg (Dec 16)
- Re: Pen-testing - pricing model Davide Carnevali (Dec 16)
- LophtCrack and SAM Passwd William Woodhams (Dec 19)
- Re: LophtCrack and SAM Passwd Jerome Athias (Dec 20)
- Re: Pen-testing - pricing model Kish Pent (Dec 10)