Making sense of pen test pricing
Commissioning a penetration test is an important step in helping to enhance your organisation’s cyber security resilience. Pen testing costs vary from a few thousand pounds to several thousand more, so it’s essential to ensure that the pen testing you select enables you to achieve the best security outcomes from your budget.
Every organisation has its own testing requirements and penetration testing pricing varies according to the type of test performed, as well as its overall objectives and duration. Penetration testing costs ultimately depend on the issues and requirements identified during the initial scoping phase.
The importance of pen test scoping
Most penetration testing companies charge for pen testing on the basis of a day rate. As a result, it’s important that the scoping stage of an assessment is conducted effectively to ensure that a quotation is as accurate as possible and that you don’t end up paying extra for unwanted elements.
At Redscan, we focus on ensuring that our clients gain the maximum value from their investment in a pen test. The scoping process allows us to identify the type of assessment best suited to your needs. It is the point when we work with you to define the full remit and goals of the pen test, including itemising the systems, assets and applications to be assessed.
When reaching out to us for a pen test quote, providing the most complete and accurate information possible will not only guarantee a swifter turnaround, but will also ensure we are not under or over-scoping the engagement and that the cost fits within your budget.
Factors that affect pen testing costs
The number of days required to perform a pen test depends on factors including:
1. Type of test
Timeframes differ between types of test. Two of the most common types that we perform are web application tests and internal and external infrastructure pen tests.
The length of a web application test is heavily influenced by whether it is unauthenticated (black box) or authenticated (white box or grey box). An unauthenticated test typically takes much less time to perform, while authenticated testing is longer, taking around four to ten days. See section 3 to learn more about the differences between black box and white box pen tests.
External infrastructure testing can take around two to four days while the duration of internal infrastructure testing depends upon company size. For example, for a small company of 20 people, testing could take two or three days but for a larger company, it could take much longer. Full manual testing can be time-consuming but we typically offer a mixed approach, combining automated and manual testing to keep costs manageable.
2. Automated vs manual testing
Manual penetration testing is performed by a qualified human tester. As a result, it takes longer but will identify issues that automated tools can miss. Unlike automated penetration testing, manual assessments also involve exploitation of vulnerabilities, which is important for helping to understand how easily weaknesses can be exploited by attackers.
Some organisations that advertise penetration testing might rely heavily on automated tools, so it is always worth checking the extent to which the testing is undertaken manually by specialists.
3. Testing methodology
Pen testing costs are strongly influenced by the approach of the test, whether it’s white box, black box or grey box. We identify the most appropriate testing methodology at the scoping stage.
Black box testing more realistically replicates the approach of an attacker because no information about the target environment or application is shared with the tester in advance. Black box pen testing demonstrates how an adversary with no inside knowledge could seek to attack and compromise an organisation.
White box testing involves sharing full network and system information with the tester, including network maps and credentials. In a grey box penetration test, a limited amount of information is shared with the tester, usually login credentials.
Due to the lack of access to an organisation’s systems, black box testing is typically the shortest and therefore often the lowest cost methodology.
4. Remote or on-site testing
In some instances, it may be necessary for internal network penetration testing to be conducted on-site. This could be because it provides organisations with the reassurance of having oversight and visibility. However, on-site testing can be costlier due to the need for additional day-to-day expenses.
5. Experience of tester
Organisations typically charge more for experienced testers that possess more qualifications. Assessments performed by testers with pen testing certifications from international accreditation body CREST, for example, will typically command a higher rate. It takes a pen tester 6,000 hours to become CREST-registered, so commissioning a CREST pen test provides additional peace of mind that testing will be performed to the highest technical standards.
6. When the test is conducted
Testing out of core office hours can be highly advantageous to further mitigate the risks of operational disruption. It may also be beneficial if a client requires specific systems to be tested when they are not in use. However, the requirement for overnight working or antisocial hours can increase pen test pricing.
7. Level of reporting
A key aspect to check when commissioning a pen test is whether the testing process includes a formal written report. Some quotes might not include a thorough reporting stage or allow adequate time for reporting, so we always recommend that sufficient time for reporting is allocated at the end of testing. A detailed report will help to ensure that the findings of the testing and the resultant recommendations are clearly communicated to stakeholders.
8. If retesting is included
The post-test report may identify the need to undertake a retest to determine that remediation steps have been effective. The aim of this is not to identify new vulnerabilities but to mark issues as closed.
When obtaining penetration testing quotations, check whether a free retest is included as part of the service or if there is an additional cost.
If an organisation requires a high level of remediation following its pen test, there is a risk that the remediation work itself may introduce new vulnerabilities. We only recommend full retesting where many vulnerabilities are identified.
Maximising the value of pen testing
Pen test and VAPT pricing can vary significantly but identifying the right provider to help accurately scope requirements makes assessing pen test quotations much more straightforward. As a CREST-certified company, Redscan performs testing to the highest technical, legal and ethical standards.
To learn more about how to achieve the best from penetration testing and how our services can support your security needs, feel free to schedule a quick no-obligation call with our experts. We can tell you more about what’s involved and the techniques we use, as well as advise on how to achieve the best value from the pen testing that’s right for your organisation.