Penetration Testing Cost
Penetration Testing Costs are fully transparent - at High Bit Security
Many of our competitors try hard to convince search engines that they are publishing their penetration testing cost, without publishing any actual penetration testing prices at all. We think you are probably looking for a company that actually does publish penetration testing costs, which is why you searched for it. It's also why we have this page - to publish our itemized penetration testing cost card.
- Penetration Testing Cost from High Bit Security
- Pricing Background for Manual Penetration Testing
- How Much Should a Penetration Test Cost?
- Is there a case for not publishing prices?
- Pricing Impact: Automated, Manual, or Both?
- Summary: How much does penetration testing cost?
Here is a current penetration testing cost card for our most commonly encountered types of penetration testing. Some providers are reluctant to publish their penetration testing prices. With more than a decade of experience, a staff of well trained direct employees and quality manual penetration testing prices at highly competitive rates, we do not hesitate to quote pricing for standard types of penetration testing engagements.
- Please keep in mind that the prices quoted are for standard cases, and about half of our engagements require adjustments, up or down.
- Also keep in mind that we consider discounts on all engagements that involve more than one website or more than 32 IP addresses.
- Other volume factors are also considered, so if you have questions, just contact us.
All penetration testing engagements require a certain amount of work before any testing can begin, and a certain amount of work for reporting and follow up activities. That's why our penetration testing costs for each standardized engagement start with a base engagement fee. The base engagement fee covers the things that are common to all engagements, but there is also flexibility in that base engagement fee, based on tester skill levels and our client's needs.
Tester Qualifications: Pre-Certified, Certified-Lead and Certified-Only are categories that represent different levels of certified tester involvement in a penetration testing engagement. We use this approach because it allows us to offer greater price flexibility to our clients. Unlike many of our competitors, we train almost exclusively from within, and have access to testers at various skill levels. That allows flexibility that may be an advantage to you.
In a nutshell:
Pre-Certified means we may use non-certified personnel on your engagement.
Certified-Lead means that a certified lead penetration tester will be closely involved, and
Certified-Only means that only certified penetration testers may be used for any part of your engagement.
How do these categories impact penetration testing cost? First, Pre-Certified doesn't mean without skills. Everyone involved in a penetration test for High Bit Security meets the following criteria:
- has passed a civil and criminal background check,
- is a direct employee of High Bit Security,
- is trained from the ground up, in house, at our own training facilities,
- is certified through well recognized outside certification sources such as GIAC, CompTIA, or EC-Council or is in training and on a certification path.
All certified penetration testers are trained inside, certified outside, have at least one year of employment history with us and at least 1,000 hours of supervised, hands on experience with live engagements. The cost for all of our penetration testing is based on in house, on site or remote (via our networks), direct employee testing. No remote contractors are used for any High Bit Security penetration testing.
What does this have to do with penetration testing cost and pricing?
Our direct, in house training provides many benefits to us and our clients, but one benefit is three distinct manual penetration testing price levels, with full transparency, as always.
So here is what Pre-Certified, Certified-Lead and Certified-Only mean, in detail, in terms of service and price:
Pre-Certified is the best choice for a low cost penetration test, while still maintaining manual quality. It means that the primary tester may be someone with a year or more of employment history with High Bit Security, with a minimum of 500 hours of hands on experience with live penetration testing engagements, who is in their second training phase and needs 500 hours of independent work to complete our pre-certification training. The individual has demonstrated sufficient skill to take on this role, has access to senior staff for guidance and junior staff for assistance if needed, but has sole responsibility for performance and reporting. If you are looking for the lowest cost penetration testing option for serious manual testing, this is it.
Certified-Lead is our standard approach and most popular option for a high quality manual penetration test at a reasonable cost. It means that all engagement work is performed by a team, managed by a Certified-Lead tester, who assigns work and closely supervises individuals deemed competent to perform the specific tasks they are given. Some of the work will be done by personnel who are in various training phases. All complex issues, fault chaining work, overall interpretation and final responsibility for context relevant testing and reporting remains with a certified tester.
Certified-Only is our premium option, the utmost quality and the highest cost penetration test we offer. With this option all work is performed by a certified tester, whether we think it makes sense from a human resource perspective or not. This is not the most cost efficient penetration testing engagement, but there are cases that require it and we do offer it for our clients who want it.
Now that we have explained those terms, we can put it in table form, and then you can see how it impacts penetration testing cost and know what it means:
You will find that the common package prices for penetration testing listed on our rate card at the top of the page differ in price by exactly the difference in these base engagement prices.
If a package penetration testing deal is not what you need, here are more of our common scope items, just total up what you actually need and then add your chosen base engagement price (Pre-Certified, Certified-Lead or Certified-Only), to come up with the total cost of the penetration test:
We do our best to be transparent about our penetration testing prices, but often the package deals and standard scope items aren't quite what you are looking for, or your total is high enough for volume discounts, or you just need more explanation.
We can't possibly cover every penetration testing price combination or circumstance, but we do try. If you are still not sure what you need, or what your penetration testing engagement will cost, you are not alone. Half or more of our penetration testing engagements have some unique factor that either impacts price or needs some explanation from us or open dialog with you before we can price it. We are happy to provide more information, including detailed, itemized cost quotes for any penetration test. Just contact us using the form at the top of the page.
We'll build the best itemized quote we can for you, with all penetration testing costs and methods explained in detail, and nothing hidden.
You can find more information on our manual penetration testing methods in our methodology section.
The information we give you above will help you determine exactly how much a penetration test from us will cost, at least for the more standard engagements. Now we will cover some of the factors that influence penetration testing costs in general.
In this section we cover some of the factors that influence penetration testing cost in general, whether published or not. Some of these you might expect, like experience, methods, duration and other quality factors. These are all very significant and important considerations, but they are not the biggest factors influencing cost. There are factors that are easy to understand and have a bigger influence on cost, but are, nonetheless, often overlooked. One reason they are overlooked is that almost no one in the industry wants to talk about them, so buyers tend to think that it can't be that significant. The truth is, overhead is the single most significant factor in penetration testing cost, and we are going to lay it out for you.
There is an old saw that you are probably familiar with: You get what you pay for.
Most of us have heard that expression, and tend to more or less agree with the premise - that value and price tend to go together. It's a great adage. As a statement of fact, however, it's just plain wrong, at least sometimes. If it were always true none of us would ever look for a true bargain, yet we all look for, and sometimes find, true bargains.
It might be more accurate to say: You get some of what you pay for.
That revised statement may lack something as a catchy adage, but at least it implies that overhead ought to be considered.
The truth is: You get what you pay for, and you also commonly pay for things that you don't get and wouldn't want. It's not fraud, it's just reality, though sales operators often try to present the entire package as a cost of quality deliverables. In other words, they use the adage you get what you pay for, even though they (and probably you) know that it isn't exactly true. We all know that prices for everything commonly include overhead, but how does that knowledge help?
Some overhead is always legitimately in play, no one has zero overhead, that is true. For our purposes, the important piece to know is: The overhead varies dramatically with the vendor. That means it may be actionable for buyers who can identify and discriminate the variation. Getting less overhead for your money is the basis for an effective form of true bargain shopping, and in penetration testing that overhead can be a whopping percentage of the total.
How much of the total? Hold onto your chair. When we say whopping percentage, we mean it. The overhead we are about to describe is not minor, it can easily triple or quadruple the price, without adding any benefit that you are likely to care about, at all. It is also not uncommon. It is so common that more than half, maybe as much as 90% of all penetration testing quotes are inflated by at least one half to double due to overhead from these areas. That's for most. A smaller but still significant percentage are paying the triple or quadruple multipliers.
Yes, that's a big statement, and it demands a good defense. We are going to explain, starting with the most obvious overhead factor:
- Sales and Marketing
We will need to use ourselves as an example here, simply because that is where our most complete information comes from, and we are the best case for comparison that we know of because we have done this both ways. So, please consider these three points first, which taken together make us an almost perfect case for comparison:
- Since 2014 our sales spend has been $0.
- We have an outstanding client retention rate (we actually gain, due to client employee transfers, mergers and acquisitions).
- We have some limited marketing spend but no dedicated sales staff (not one, though we all serve our customers).
So there we are, as a comparison case. This is the way we look today, but it has not always been that way. We will return to us in a moment, at an earlier time when we were not different at all, but doing business just as our competitors do today.
For most of our competitors, half to two thirds of the fee is probably charged to advertising, sales salaries and commissions. We are NOT saying that there is anything wrong with sales, but we ARE saying that it adds up to a lot of overhead that has nothing to do with testing or quality of deliverables. How do we know this?
Well, first, advertising costs are well understood. It is generally accepted to run at around 1/3 of gross revenues for most big ticket sales. Those are not our numbers, you can check around and you will find that most marketing and sales agencies will agree to roughly that ratio as representative. So, one third, just for advertising as a general rule, and also according to our own experience. Yes, we once did business much differently than we do today.
We can’t know exactly how much our competitors spend, but their model was once our model too, so we do know it quite well. Until 2014 two thirds of our own incoming revenue was charged to advertising, sales commissions, marketing, and related overhead. Then, in 2014, we made the big change: We stopped the ads, released the sales contracts, adopted and openly published reasonable prices, went completely transparent and focused on quality, training and service. It was a really big risk and it took time, but it paid off.
Our margins are better now than they were then, so is our quality, which is now second to none. Yet most of our competitors are charging a lot more than we do, and in many cases, for substantially lower quality. How can that be? You get what you pay for, right? Yes, you get what you pay for. You also commonly pay for things you don't get, don't need and wouldn't pay for if given a choice.
So, assuming that you don't want to pay for your vendor to find their NEXT client, what do you do about it? How do you know how much of your fee goes toward that effort? You can probably assume that they will not tell you. So how do you know?
- Do they buy advertising?
- Did you contact them, or did they contact you?
- Are you speaking with sales staff?
If they are advertising, one third of your fee is probably paying for that. If you are talking with sales, another third of your fee goes there. Rough numbers, but it's going to be something. That something is probably doubling the price or more. They are not likely to tell you what it really is, but you can bet it is not insignificant.
OK, so Sales and advertising could easily double the price, with no impact on quality. Probably not a big surprise when you think about it. The next one, however, is not well known outside of established penetration testing companies and the subcontractors who work with them. It is also a price factor, and it can dwarf sales and advertising overhead. Once again, the knowledge expressed here comes from our direct experience.
Consider the following table. The names are obfuscated because we must. The client in blue is exactly the same client each year. That client is in fact a direct High Bit Security client today, and has been since 2010. In every year between 2008 and 2010, the client was served by exactly the same person, the current owner of High Bit Security, who was doing subcontract work for the final company in the food chain for this client until 2010.
We cannot identify the companies involved, and some of them no longer exist, but we can tell you that the reason the client eventually ended up being served directly by High Bit Security is because the client found us directly, and serving them directly did not violate any of the intermediate contracts under the circumstances.
How much did the client save by eliminating 4 companies from the food chain? We don't know, but we don't imagine that any of those companies were holding their contracts for free. It was only due to the direct efforts of this client that they escaped the massive repetitive margins they were paying. The real irony? For all three years the client had exactly the same tester, but in the end, much better quality to go with their much better price because the tester was finally able to communicate directly with the client.
Is this a common scenario? We don't use contractors and no longer take sub contract work, but when we did, it was day to day business, we saw it all the time. Perhaps not to the ridiculous depth shown at far left above, but one or two companies providing only sales and 'customer support', with a final sub contractor silently doing all of the actual work, including indirectly answering questions from the client, was very common. At one time prior to 2010 the owner of High Bit Security had active penetration testing contracts with seven different companies. There were more companies doing it than not, and we see no indication that this has improved today. We maintain data on almost 300 penetration testing companies worldwide, and our data shows that less than 2 percent of those companies make any public statement at all about limitations of any kind on the use of sub contractors.
In our experience, it's the companies with the biggest names that are functioning mostly as sales organizations, and are likely to be the ones with the most subcontractor relationships, both up and down. They are also the ones most likely to justify the resulting high prices with their name and quality statements that boil down to: You get what you pay for. Yes indeed, but the answer that might interest you the most is: How many others also get what you pay for?
So what should you do to find out?
This one is easy: Ask them.
If they tell you they don't use contractors, then they shouldn't have a problem with the following: politely but firmly insist on a written clause that precludes subcontracting your work. If you find, at that point, a sudden lack of availability or lack of urgency in finishing your paperwork, go look for a real penetration testing company, one that uses only direct employees and does not subcontract to other companies and will put that in writing for you. You don't want your data passing through unknown contractor companies anyway, and you almost certainly don't want to pay for two or more profit margins.
Believe it or not, there are companies who are reacting to our decision to publish pricing by claiming that it is impossible to do, and that only an inferior company would even consider it. If you've gotten this far with us you probably wouldn't fall for that, but we are going to cover it anyway.
Claim: Penetration testing is too complex to allow for quoting a standard price.
The implication of this statement is that anyone who quotes a fixed price must not understand the complexities involved in penetration testing.
Fact: Penetration testing is complex, but that complexity does not prevent a company from putting a published price on some kinds of standardized, well understood, penetration testing packages.
Fact: We don't publish pricing for everything, some of it is too complex to put a standardized price on, but much of it can be priced.
Fact: We do publish our pricing, and we do understand the complexity, because unlike most of the companies making this claim, penetration testing is all we do.
Penetration testing is complex, but so are most industries, under the surface. Whatever it is that your company does is almost certainly more complex than it looks, but you understand the complexity even if others don't. That complexity would be unlikely to prevent you from publishing prices for standardized products or services, if you wanted to do so.
Claim Conclusion: Nonsense.
Claim: "Most companies that have a fixed price for a pen test will not help you to improve your security due to limitations of the testing tools used".
The logical contortion in quotes above is actually copied verbatim from one of our competitors' websites. There are other close variants of the statement, all sharing the same attempted implication: that companies who publish standardized penetration testing prices of any kind are only able to do so because they are using cheap automated tools and no manual effort.
Apparently we are also to assume that companies making statements like this are better than any company with published prices, and conclude that companies that don't publish prices also do not use testing tools with limitations. Further, having made those unsupported assumptions, we are to conclude that this whole chain of 'logic' in some way provides justification for them in keeping their prices a secret from the public. Well...
Fact: Some companies do use cheap automated tools and provide little or no manual effort, and also publish those prices. This appears to be the one fact this statement relies on to make the rest of it easier to believe.
Fact: We are very clear about our manual effort, and we publish our prices.
Fact: We maintain data on almost 300 penetration testing companies worldwide, and our data shows that less than 3 percent of companies using either manual or automated methods are willing to publish standardized penetration testing prices. We are talking about a handful, worldwide, and as far as we can tell there are more offering manual than an automated approach.
Fact: Penetration testing tools and approach are factors for the price of a penetration test, but those factors do not preclude publishing that pricing.
Fact: The companies suggesting otherwise are also expecting you to trust them with your most sensitive data.
- Companies that offer published pricing should clearly state what it is that they are offering, like we do.
- Companies that don't publish a price can safely ignore the previous point. They could remove any descriptions entirely, without impact to purchasers, because for the purchaser, a description without a price has the same value as a price without a description: zero.
- For the company, either case has value. Both cases allow them to vaguely suggest how much they might charge for whatever they might do, without ever coming close to committing to anything.
Claim Conclusion: Any company stating that giving you less information about them is better for you, while also expecting you to trust them with your most sensitive data, probably deserves whatever character judgement you arrive at for them.
In this section, we address the difference between automated testing and manual testing, discuss the impact of automated testing on price and quality, and offer some suggestions on how to ensure that you are getting what you think you are paying for.
Both of these approaches to penetration testing have value, and we use both. Automation has far less value as a stand alone service, but it is necessary for full testing coverage, and in some limited cases is actually better than manual testing. Examples of the latter include highly repetitive testing tasks such as port scanning, fuzzing, parameter manipulation, response analysis, enumeration tasks, brute force and dictionary attacks. The superiority of automation in these areas is undisputed. No one hand keys 100,000 web requests or port scans, and if they do, you shouldn't be paying for the practice. Automation by itself, however, is entirely incapable of identifying, let alone validating, some of the most important security flaws. The latter statement includes all so called 'AI' solutions.
There are a number of vendors currently offering 'penetration testing services' for advertised prices of $895, or even $700 or less. We do not object to this, as long as the 'service' is accurately described. Our objection is with vendors who devote an entire web page to the quality of their testing, including statements about the manual effort they employ, including the qualifications of the 'testers', and then disclose, in the fine print at the bottom of the page, that the testing is completely automated.
Automated penetration testing can not be considered thorough, but it may be suitable for you if:
1. You are testing for your own purposes and do not need to satisfy a third party requirement or compliance mandate.
2. You are willing to interpret automated reports yourself.
3. You understand that automation is significantly inferior to, and cannot be considered a replacement for, manual penetration testing.
Automated testing will not be thorough, can not be thorough no matter who provides it, and rarely satisfies third party requirements. Further, automated reports almost always contain false positives and will need to be reviewed in context. Finally, there is the issue of coverage and false negatives.
You cannot rely on automated reports for thorough testing. Only some security flaws can be identified through automation. Some of the most dangerous possibilities will not receive testing using any automated method. These possibilities include exploitation of business logic flaws and exploits resulting from complex fault chaining, side channel vectors, passive reconnaissance and plain old human recognition of the complex relationships between various attack vectors and observed faults. These are not occasionally missed by automation, they are routinely missed, and routinely found in manual testing. When it comes to web applications, the capabilities of automated testing are seriously inadequate. We discuss this at length and in far more detail in reference to the entire OWASP testing guide on our web application testing methodology page.
Automation is programmed, it cannot imagine and it cannot create. Conversely, human cognition is inventive, dynamic, contextual, and bounded only by human creativity itself. It represents a vast, fuzzy, shifting and dangerous attack surface that is exactly where the best attackers live. The most important attributes of this surface are not even measurable, let alone programmable. It is an attack surface that might be better described as an attack 'miasma', and it is only approachable through competent, creative and enthusiastic manual penetration testing.
To put it another way: The day we can rely on automated security testing is the same day we can replace human coders with their own code. Some may believe that day is just around the corner, but we rather doubt it, and that day certainly isn't today.
Given the limitations, you may wonder why anyone would buy automated testing at all? We don't mean to suggest that there is no value to automated testing. It is (or should be) much cheaper, and there are cases where it may make sense. Maybe you are building a new system or application and want a quick check for the most easily detectable issues before you continue with your next development phase. Maybe you know you could obtain similar testing software yourself, and are comfortable interpreting results, but you lack the time or expertise to properly set everything up.
There could be many scenarios where a quick and cheap automated test may have some value. Whatever your reasons, our purpose is not to judge but to provide you with enough information to understand the limitations, and some pointers on how to tell what you are getting when you run across a vendor who is using all or mostly automated testing and passing it off as manual work. It can be difficult to tell in advance if the vendor is intentionally doing it, and that's the point.
If you suspect you are being told one thing and sold another, we can give you a few pointers on what to ask:
- Ask the vendor to provide a copy of the automated scan report as a separate deliverable, along with your penetration test report.
- Ask for and check references.
- Ask the vendor if they will provide a manual activity report along with the penetration testing report.
If they claim their scanner doesn't produce a report, ask them to zip up whatever automated scanner output their testers look at and send you that.
If they claim they don't do any automated scans, then you might wonder how are they going to check hundreds of thousands of payload/parameter combinations manually, without using a scanner at all, for the price they quoted?
We always include all automated testing reports, including network, application, port scans, everything, free of charge, as an addendum to our full penetration testing reports. It allows our clients to see how much more they are getting with manual penetration testing and demonstrates, with evidence, that the testing was thorough.
In our opinion, there is no legitimate reason to resist this request. Automated scanner reports are, after all, reports on the security posture of your systems, paid for by you, generated at your request, and should be part of any thorough penetration test. If you can think of a legitimate reason for a company to refuse to provide it to you, we'd like to hear it.
If they resist, it's probably because they don't want you comparing their 'pen test' report with the automated scan report. You can probably figure out why.
When you call or email their references, make sure you ask if they felt comfortable that the vendor used substantial manual effort.
This may be one of the most important questions to ask. Any vendor who is actually performing manual penetration testing is sure to be keeping records that will demonstrate it and should be glad to have the chance to prove it to you.
If they claim that this will take too much time and will increase the price, tell them it doesn't have to be pretty and you're not expecting to pay for it.
In our case, we are happy to provide our manual testing notes, which are full of half formed suspicions, false starts, dead ends, on-the-fly vulnerability research, screen captures taken for later use, typos, and yes, even mistakes. In other words, exactly the kind of thing you would expect to see from live human beings trying to figure out what is going on with your applications and systems. When you see it, you will know three things: It isn't pretty, it wasn't generated by a scanner, and we actually did the work.
One word of caution about evidence: Be wary of any vendor who tells you that you will see the evidence in your logs. It is very difficult to tell the difference between scanner traffic and manual effort, especially if the scanner is configured to randomize timing. Some scanners even have configuration options intended to mimic human behavior.
So, that's our current guidance on how to ensure that you are actually getting at least some manual testing. It's worth repeating that we are not opposed to testing that is entirely automated. Automated testing alone will not be thorough but there may be cases where it is appropriate. Our objection is with vendors who try to sell a simple automated scan to clients who are expecting significant manual effort.
Our view is that no penetration test can be considered reasonably thorough without both automated scanning and substantial manual testing. We are not alone in that opinion. The PCI-DSS council as of PCI-DSS v3, along with a growing number of software purchasing departments, and the OWASP testing guide all support that view.
Our web application testing covers the entire OWASP testing guide, not just the top 10 or top 25, and makes extensive use of manual testing using qualified, certified testers as well as automation.
Companies either decide to publish their pricing or they decide not to, most decide not to. They either publish their contractor policy or they don't, most don't. They either publish details of their methodologies, or they don't, most don't. They either pay for sales or they don't, most do. Those decisions imply nothing about a company's experience or the tools and methods employed or the quality of their service. Those decisions do imply something about where the fees end up going, and point to lines of questioning that may well be to your benefit.
We assume that you got to this page because a price for a penetration test is what you are looking for, and we have done our best to provide you with exactly that. The costs of our standard penetration testing plans are not secret. We value transparency far more than most, and we do our level best to provide you with full information, but we know that we cannot cover every scenario that might impact penetration testing pricing on one web page.
Please compare our penetration testing fees, our 10 years of experience, our reputation for transparency, and our published methods, with the information provided from other vendors.
Then ask us for a free, quick, no hassle penetration testing quote using the contact form above.