Penetration Testing Costs are fully transparent - at High Bit Security
Many of our competitors try hard to convince search engines that they are publishing their penetration testing cost, without publishing any actual penetration testing prices at all. We think you are probably looking for a company that actually does publish penetration testing costs, which is why you searched for it. It's also why we have this page - to publish our itemized penetration testing cost card.
- Penetration Testing Cost from High Bit Security
- Pricing Background for Manual Penetration Testing
- Is there a case for not publishing prices?
- Pricing Impact: Automated, Manual, or Both?
- Summary: How much does penetration testing cost?
Here is a current penetration testing cost card for our most commonly encountered types of penetration testing. Some providers are reluctant to publish their penetration testing prices. With more than a decade of experience, a staff of well-trained direct employees, and quality manual penetration testing at highly competitive rates, we do not hesitate to quote pricing for standard types of penetration testing engagements.
- Please keep in mind that the prices quoted are for standard cases, and about half of our engagements require adjustments, up or down.
- Also keep in mind that we consider discounts on all engagements that involve more than one website or more than 32 IP addresses.
- Other volume factors are also considered, so if you have questions, just contact us.
We do our best to be transparent about our penetration testing prices, but often the package deals and standard scope items aren't quite what you are looking for, or your total is high enough for volume discounts, or you just need more explanation.
We can't possibly cover every penetration testing price combination or circumstance, but we publish our most common scenarios. If you are still not sure what you need, or what your penetration testing engagement will cost, you are not alone. Half or more of our penetration testing engagements have some unique factor that either impacts price or needs some explanation from us, or an open dialog with you, before we can price it. We are happy to provide more information, including detailed, itemized cost quotes for any penetration test. Just contact us using the form at the top of the page.
We'll build the best itemized quote we can for you, with all penetration testing costs and methods explained in detail, and nothing hidden.
You can find more information on our manual penetration testing methods in our methodology section.
Now we will cover a couple of the arguments against our published pricing.
Believe it or not, there are companies who react by claiming that it is impossible to publish pricing for penetration testing, and that only an inferior company would even consider it. If you've gotten this far with us you probably wouldn't fall for that, but we are going to cover it anyway.
Claim: Penetration testing is too complex to allow for quoting a standard price.
The implication of this statement is that anyone who quotes a fixed price must not understand the complexities involved in penetration testing.
Fact: Penetration testing is complex, but that complexity does not prevent a company from putting a published price on some kinds of standardized, well understood, penetration testing packages.
Fact: We don't publish pricing for everything; some of it is too complex to put a standardized price on, but much of it can be priced.
Fact: We do publish our pricing, and we do understand the complexity, because unlike most of the companies making this claim, penetration testing is all we do.
Penetration testing is complex, but so are most industries, under the surface. Whatever it is that your company does is almost certainly more complex than it looks, but you understand the complexity even if others don't. That complexity would be unlikely to prevent you from publishing prices for standardized products or services, if you wanted to do so.
Claim Conclusion: Nonsense.
Claim: "Most companies that have a fixed price for a pen test will not help you to improve your security due to limitations of the testing tools used".
The logical contortion in quotes above is actually copied verbatim from one of our competitors' websites. There are other close variants of the statement, all sharing the same attempted implication: that companies who publish standardized penetration testing prices of any kind are only able to do so because they are using cheap automated tools and no manual effort.
Apparently we are also to assume that companies making statements like this are better than any company with published prices, and conclude that companies that don't publish prices also do not use testing tools with limitations. Further, having made those unsupported assumptions, we are to conclude that this whole chain of 'logic' in some way provides justification for them in keeping their prices a secret from the public. Well...
Fact: Some companies do use cheap automated tools and provide little or no manual effort, and also publish those prices. This appears to be the one fact this statement relies on to make the rest of it easier to believe.
Here's another fact: Many companies who charge a great deal and don't publish their prices are also using cheap automated tools.
Fact: We are very clear about our manual effort, and we publish our prices.
Fact: We maintain data on hundreds of competing penetration testing companies worldwide, and our data shows that less than 3 percent of companies using either manual or automated methods are willing to publish standardized penetration testing prices. We are talking about a handful, worldwide, and as far as we can tell there are more offering manual than an automated approach.
Fact: Penetration testing tools and approach are factors for the price of a penetration test, but those factors do not preclude publishing that pricing.
The companies suggesting otherwise are also expecting you to trust them with your most sensitive data.
Here is our opinion:
- Companies that offer published pricing should clearly state what it is that they are offering, like we do.
- Companies that don't publish a price can safely ignore the previous point. They could remove any descriptions entirely, without impact to purchasers, because for the purchaser, a description without a price has the same value as a price without a description: zero.
- For the company, either case has value. Both cases allow them to vaguely suggest how much they might charge for whatever they might do, without ever coming close to committing to anything.
Claim Conclusion: Any company stating that giving you less information about them is better for you, while also expecting you to trust them with your most sensitive data, probably deserves whatever character judgement you arrive at for them.
In this section, we address the difference between automated testing and manual testing, discuss the impact of automated testing on price and quality, and offer some suggestions on how to ensure that you are getting what you think you are paying for.
Both of these approaches to penetration testing have value, and we use both. Automation has far less value as a stand-alone service, but it is necessary for full testing coverage, and in some limited cases is actually better than manual testing. Examples of the latter include highly repetitive testing tasks such as port scanning, fuzzing, parameter manipulation, response analysis, enumeration tasks, brute force and dictionary attacks. The superiority of automation in these areas is undisputed. No one hand-keys 100,000 web requests or port scans, and if they do, you shouldn't be paying for the practice. Automation by itself, however, is entirely incapable of identifying, let alone validating, some of the most important security flaws. The latter statement includes all so-called 'AI' solutions.
There are a number of vendors currently offering 'penetration testing services' for advertised prices of $895, or even $700 or less. We do not object to this, as long as the 'service' is accurately described. Our objection is with vendors who devote an entire web page to the quality of their testing, including statements about the manual effort they employ and the qualifications of the 'testers', and then disclose, in the fine print at the bottom of the page, that the testing is completely automated.
Automated penetration testing cannot be considered thorough, but it may be suitable for you if:
1. You are testing for your own purposes and do not need to satisfy a third party requirement or compliance mandate.
2. You are willing to interpret automated reports yourself.
3. You understand that automation is significantly inferior to, and cannot be considered a replacement for, manual penetration testing.
Automated testing will not be thorough, cannot be thorough no matter who provides it, and rarely satisfies third party requirements. Further, automated reports almost always contain false positives and will need to be reviewed in context. Finally, there is the issue of coverage and false negatives.
You cannot rely on automated reports for thorough testing. Only some security flaws can be identified through automation. Some of the most dangerous possibilities will not receive testing using any automated method. These possibilities include exploitation of business logic flaws and exploits resulting from complex fault chaining, side channel vectors, passive reconnaissance, and plain old human recognition of the complex relationships between various attack vectors and observed faults. These are not occasionally missed by automation; they are routinely missed, and routinely found in manual testing. When it comes to web applications, the capabilities of automated testing are seriously inadequate. We discuss this at length and in far more detail in reference to the entire OWASP testing guide on our web application testing methodology page.
Automation is programmed, it cannot imagine and it cannot create. Conversely, human cognition is inventive, dynamic, contextual, and bounded only by human creativity itself. It represents a vast, fuzzy, shifting and dangerous attack surface that is exactly where the best attackers live. The most important attributes of this surface are not even measurable, let alone programmable. It is an attack surface that might be better described as an attack 'miasma', and it is only approachable through competent, creative and enthusiastic manual penetration testing.
To put it another way: The day we can rely on automated security testing is the same day we can replace human coders with their own code. Some may believe that day is just around the corner, but we rather doubt it, and that day certainly isn't today.
Given the limitations, you may wonder why anyone would buy automated testing at all. We don't mean to suggest that there is no value to automated testing. It is (or should be) much cheaper, and there are cases where it may make sense. Maybe you are building a new system or application and want a quick check for the most easily detectable issues before you continue with your next development phase. Maybe you know you could obtain similar testing software yourself, and are comfortable interpreting results, but you lack the time or expertise to properly set everything up.
There could be many scenarios where a quick and cheap automated test may have some value. Whatever your reasons, our purpose is not to judge but to provide you with enough information to understand the limitations, and some pointers on how to tell what you are getting when you run across a vendor who is using all or mostly automated testing and passing it off as manual work. It can be difficult to tell in advance if the vendor is intentionally doing it, and that's the point.
If you suspect you are being told one thing and sold another, we can give you a few pointers on what to ask:
- Ask the vendor to provide a copy of the automated scan report as a separate deliverable, along with your penetration test report.
- Ask for and check references.
- Ask the vendor if they will provide a manual activity report along with the penetration testing report.
If they claim their scanner doesn't produce a report, ask them to zip up whatever automated scanner output their testers look at and send you that.
If they claim they don't do any automated scans, then you might wonder how they are going to check hundreds of thousands of payload/parameter combinations manually, without using a scanner at all, for the price they quoted.
We always include all automated testing reports, including network, application, port scans, everything, free of charge, as an addendum to our full penetration testing reports. It allows our clients to see how much more they are getting with manual penetration testing and demonstrates, with evidence, that the testing was thorough.
In our opinion, there is no legitimate reason to resist this request. Automated scanner reports are, after all, reports on the security posture of your systems, paid for by you, generated at your request, and should be part of any thorough penetration test. If you can think of a legitimate reason for a company to refuse to provide it to you, we'd like to hear it.
If they resist, it's probably because they don't want you comparing their 'pen test' report with the automated scan report. You can probably figure out why.
When you call or email their references, make sure you ask if they felt comfortable that the vendor used substantial manual effort.
This may be one of the most important questions to ask. Any vendor who is actually performing manual penetration testing is sure to be keeping records that will demonstrate it and should be glad to have the chance to prove it to you.
If they claim that this will take too much time and will increase the price, tell them it doesn't have to be pretty and you're not expecting to pay for it.
In our case, we are happy to provide our manual testing notes, which are full of half formed suspicions, false starts, dead ends, on-the-fly vulnerability research, screen captures taken for later use, typos, and yes, even mistakes. In other words, exactly the kind of thing you would expect to see from live human beings trying to figure out what is going on with your applications and systems. When you see it, you will know three things: It isn't pretty, it wasn't generated by a scanner, and we actually did the work.
One word of caution about evidence: Be wary of any vendor who tells you that you will see the evidence in your logs. It is very difficult to tell the difference between scanner traffic and manual effort, especially if the scanner is configured to randomize timing. Some scanners even have configuration options intended to mimic human behavior.
So, that's our current guidance on how to ensure that you are actually getting at least some manual testing. It's worth repeating that we are not opposed to testing that is entirely automated. Automated testing alone will not be thorough but there may be cases where it is appropriate. Our objection is with vendors who try to sell a simple automated scan to clients who are expecting significant manual effort.
Our view is that no penetration test can be considered reasonably thorough without both automated scanning and substantial manual testing. We are not alone in that opinion. The PCI-DSS council (as of PCI-DSS v3), a growing number of software purchasing departments, and the OWASP testing guide all support that view.
Our web application testing covers the entire OWASP testing guide, not just the top 10 or top 25, and makes extensive use of manual testing using qualified, certified testers as well as automation.
We assume that you got to this page because a price for a penetration test is what you are looking for, and we have done our best to provide you with exactly that. The costs of our standard penetration testing plans are not secret. We value transparency far more than most, and we do our level best to provide you with full information, but we know that we cannot cover every scenario that might impact penetration testing pricing on one web page.
Please compare our penetration testing fees, our decade-plus of experience, our reputation for transparency, and our published methods with the information provided by other vendors.
Then ask us for a free, quick, no hassle penetration testing quote using the contact form above.