Penetration testing can be typically considered a consulting service provided by third party cybersecurity experts. Most cybersecurity service providers that conduct pentesting charge organizations by man-hours or man-days. In order for pentesters to estimate the time required, a process called scoping is first conducted, where the pentesters will peer through a client’s technical environment to look for targets. Obviously, the number and complexity of the targets required to be pentested will determine the amount of time needed for pentesting – and consequently, the cost.
Penetration testing (‘Pentest’) is an authorized hack of an attack on a system, network, web server, or application to find potential vulnerabilities that can be exploited. The most common types of pentests that are conducted today include pentests of web applications, mobile applications, wireless applications, networks, API testing, and physical security testing.
Customers can expect to pay USD4,000 for a baseline pentest of an acceptable quality — but depending on value provided by each pentest partner, the cost will vary. If service providers charge below that, customers can expect one of the following: (1) the quality of the pentest will tend to be lower, (2) this is only a vulnerability scan, (3) the pentest is outsourced to foreign third parties, (4) the pentest will not be delivered in a timely fashion. A vulnerability scan is not the same as a pentest. The former leverages software to automatically identify vulnerabilities, while a pentest is a focused hacking effort by trained consultants using any available means to break into the subject system, network, or application.
Identifying A Trustworthy Pentester
As government bodies apply more stringent business regulations for cybersecurity, more businesses are looking out for trustworthy pentesters to help them identify and potentially fix their vulnerabilities. What this means is that pentesters are in abundance today, and because of this large supply, it is critical for businesses to understand the differences between pentesting providers.
As with other cybersecurity services, security professionals need to have a number of certifications. When looking at pentesting, look out for these specific pentesting consultant certifications: Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), and Offensive Security Wireless Professional (OSWP) Certification. Other recognized certifications include Certified Ethical Hacker, CREST, GIAC GPEN, and GIAC GXPN. If you want to skip the step of scrutinizing the certifications, it is advisable to pick a pentest service provider that is CREST-accredited, like Horangi.
It pays to engage service providers with certified professionals as all these certifications require hundreds of hours of study, training and examinations.
Complexity of Pentesting
The pentests that almost all pentesters are qualified to do are web application pentests and network pentests. These have the most established methodologies and are hence taught by most certification bodies. As we move to pentesting of wireless networks, cloud environments, mobile applications, and APIs, these become more specialized, requiring specific certifications like OWASP and GMOB.
The popularity of technology stacks will also influence cost. It is much easier to find consultants qualified to conduct pentests on the most used stacks today, rather than on outdated technologies like Mainframe, which can only be tested by a few consultants.
The most complex of technologies like ICS/SCADA and hardware will require the expertise of very senior and specialized consultants, hence these will cost the most. The same applies for pentesting of integrations with other systems, which can take several days per system.
Because pentesting is such a popular service today, schedules of pentesters tend to be booked weeks (and sometimes even months) in advance. As a result, organizations who require immediate penetration tests will have to fork out a higher price. Same if pentesting is required to be done at off-peak hours like weekends or public holidays, and if pentesters are required to travel.
A solid pentesting partner does not only try to identify all forms of vulnerabilities, but also applies business expertise to contextualize each vulnerability to a customer’s organization. This is typically done in a pentest report, which is a manual process that takes up to a third of the total project time. A good report is the difference between providing clarity to all stakeholders and confusing them. Customers that require clear and concise reports will likely see the man-hours increase.