Search for penetration testing quotes online, and you will find cost estimates ranging from a few hundred euros or pounds for an entire test to several times that amount for a single day’s work. That's quite a range.
Of course, some penetration test jobs will be much larger than others. However, even for the exact same testing scope, you can still get a wide range of price quotes. So why not just go with the cheapest pen testing quote?
This blog post, written with input from SECFORCE’s expert penetration testing team, explains why a low penetration testing quote can be dangerous and discusses what to look for when assessing penetration testing quotes.
Our advice is based on many decades of combined penetration testing experience within the SECFORCE team, which sometimes included situations where we identified vulnerabilities missed when the organisation previously chose an underskilled provider.
Here’s what we think you need to know before choosing a penetration testing quote.
How Penetration Testing Quotes Are Made
Regardless of what tech is used, penetration testing is, at a fundamental level, a human process. It involves a skilled, ethical hacker (or team of ethical hackers) trying to break into your application, website, API, etc., just like a real threat actor would.
Our experience shows that the biggest deciding factor in the cost is the amount of time and skilled personnel needed.
We know that every penetration test quote should factor in enough time and resources to systematically and thoroughly emulate the tactics and techniques a real-world attacker will likely try when attempting to compromise your systems.
Your organisation needs a testing firm to spend time to find everything a cybercriminal might realistically find when they look into your environment. The worst-case scenario is that a penetration tester misses a vulnerability that a hacker might identify and exploit.
Low penetration testing quotes can mean that the scoping of the target was not accurate. Therefore, the penetration testing provider will likely spend a lot less time than necessary testing your environment and will probably find fewer attack vectors as a result.
The lower the quote, the higher the risk that an exploitable vulnerability will be missed.
As security professionals know, most cybercriminals, especially APTs and nation-state-funded actors, will have significantly fewer restrictions than penetration testers.
Quality penetration testing firms can reduce the risk of a cyber attack by understanding what an actual attacker is likely to try and then scoping testing properly.
Testing vendors also need to ensure consistency and coverage by hiring skilled testers and investing in training and offensive security tools.
Exceptionally low quotes can mean that a pen testing vendor is skipping essential staff training and development.
At SECFORCE, we make sure our team spends 20% of their time on training and development.
Watch Out for Penetration Test Quote Shortcuts
Sometimes, it may not be possible to define an accurate scope. This can be due to a number of reasons, such as the fact that the information is not readily available or the target system is still under development.
When this happens, penetration testing providers may need to provide a time-bounded quote.
This is far from ideal, but it does happen. We always recommend that our customers provide enough information to scope the engagement accurately.
However, be careful. Some testing vendors ONLY quote based on standardised time-bound ranges.
For example, time-bounding a particular test type, like testing an API for a certain number of days and taking the mantra of “Whatever I can do in this time will be enough.”
Another thing to look out for is "one-way scoping." This is when a testing firm only examines a demo of an app or a list of users but does not interactively ask questions or actually look at the testing target before testing happens.
A poorly scoped time-bound test might over scope and cost more than it should due to taking longer than is really needed.
More commonly, a time-bound test might lead to unrealistic testing if testors under scope due to budget concerns.
Lower-quality penetration testing firms might cut corners by testing a system within a timeframe that does not simulate likely attack scenarios.
A test might be cut down to fit your budget and get approval, but it will ultimately leave you less safe than before.
Think about this: What’s the point of having an application half-tested?
Imagine that instead of penetration testing, you are looking for a medical checkup and have the choice of two doctors, one a bit more expensive and thorough, the other cheap and quick.
You could go to the cheaper doctor, who also takes less time, and get a clean bill of health because they don’t test for much. Or you could spend more time and money going to a better doctor who does a full range of tests and gives you a realistic judgement of your health.
One might cost more but will actually improve your health. The other is cheap and easy but is so surface level that it ends up being a complete waste of resources and will probably be very bad for you in the long run.
The same is true with offensive security.
For a penetration test provider to help improve your security posture, they will need to spend time evaluating your testing target's complexity. For instance, testing a web application demands scrutiny of various user roles like normal, read-only, and admin.
Scoping should involve actually looking at the target (especially if it's publicly available) and, if possible, checking the available functionality for each different user level. This could involve securely sharing test accounts beforehand, where possible.
What’s In a Good Pen Testing Quote
Cyber mature companies understand that penetration testing is an assurance assessment to help them manage their risk.
Here’s what they look for when comparing penetration testing quotes:
Extensive scoping
Before quoting you a price, a penetration testing firm should look for extensive information about your environment. They should also require you to provide things like technical specifications, user roles, solution architecture, etc., to assess the target’s attacking surface.
A reasonable amount of time allocated
What's the point of doing a half-test? If you get three quotes, one involving three days of work and two involving five, you will not get a full pen testing service in a shorter amount of time.
Avoid penetration test vendors who:
- Run a vulnerability scan and call it a pentest so the time allocated is too low.
- Intentionally over scope to make more money.
Experience
Watch out for quotes from firms that do not specialise in offensive security or lack a prolonged track record. Look for reputable companies with references, case studies, and focused offensive security practices.
The SECFORCE Approach to Pen Testing Quotes
Since 2008, SECFORCE has taken an uncompromising approach to quality and value. Our pen testing engagements are some of the most comprehensive and value-driven possible.
This means that when we quote our customers for a potential penetration testing engagement, we take the time to understand precisely what is needed for a comprehensive and accurate test and commit to delivering it.
Our quotes might not be the cheapest on the market, but our testing will deliver the best results and security value for your organisation.
Contact us to learn more.
