Penetration Testing Cost

Home - What - Why Pen Test - Why High Bit - Types - Reports - PTaaS - How Much?

Penetration Testing Costs are fully transparent - at High Bit Security

Many of our competitors try hard to convince search engines that they are publishing their penetration testing cost, without publishing any actual penetration testing prices at all. We think you are probably looking for a company that actually does publish penetration testing costs, which is why you searched for it. It's also why we have this page - to publish our itemized penetration testing cost card.

Contents

Penetration Testing Cost from High Bit Security
Pricing Background for Manual Penetration Testing
Is there a case for not publishing prices?
Pricing Impact: Automated, Manual, or Both?
Summary: How much does penetration testing cost?

How Much Does Penetration Testing Cost, by Item, from High Bit Security?

Here is a current penetration testing cost card for our most commonly encountered types of penetration testing. Some providers are reluctant to publish their penetration testing prices. With more than a decade of experience, a staff of well trained direct employees and quality manual penetration testing prices at highly competitive rates, we do not hesitate to quote pricing for standard types of penetration testing engagements.

Please keep in mind that the prices quoted are for standard cases, and about half of our engagements require adjustments, up or down.
Also keep in mind that we consider discounts on all engagements that involve more than one website or more than 32 IP addresses.
Other volume factors are also considered, so if you have questions, just contact us.

Go To Inquiry Form

Rate Card: High Bit Security Penetration Testing Costs
Provider Name: High Bit Security, LLC Provider Address: PO Box 533 Port Sanilac MI 48469 Service Area: Global	Telephone: 1-800-757-3144 Founded: 2010-05-10 Currency Accepted: USD Payment Types Accepted: Check, Credit Card, Wire, ACH Penetration Testing Cost Range $4650-$12300

Catalog of Penetration Testing Cost, by Standardized Item

Go To Inquiry Form

Background Information for Penetration Testing Costs and Rate differences

All penetration testing engagements require a certain amount of work before any testing can begin, and a certain amount of work for reporting and follow up activities. That's why our penetration testing costs for each standardized engagement start with a base engagement fee. The base engagement fee covers the things that are common to all engagements, but there is also flexibility in that base engagement fee, based on tester skill levels and our client's needs.

Tester Qualifications: Pre-Certified, Certified-Lead and Certified-Only are categories that represent different levels of certified tester involvement in a penetration testing engagement. We use this approach because it allows us to offer greater price flexibility to our clients. Unlike many of our competitors, we train almost exclusively from within, and have access to testers at various skill levels. That allows flexibility that may be an advantage to you.

In a nutshell:

Pre-Certified means we may use non-certified personel on your engagement.

Certified-Lead means that a certified lead penetration tester will be closely involved, and

Certified-Only means that only certified penetration testers may be used for any part of your engagement.

How do these categories impact penetration testing cost? First, Pre-Certified doesn't mean without skills. Everyone involved in a penetration test for High Bit Security meets the following criteria:

has passed a civil and criminal background check,
is a direct employee of High Bit Security,
is trained from the ground up, in house, at our own training facilities,
is certified through well recognized outside certification sources, or is in training and on a certification path.

Solving an Industry Problem:

Our inside training and outside verification process solves a pervasive problem within the industry: Learning validation conducted by the same entity that provides the training. It begins with a training organization providing some sort of technical training or material. After the training is delivered the same organization, or an affiliate with close ties, certifies the learning. That is the process that is followed by the most common certification organizations in Information Technology today. It is also the source of a lot of brand new "Certified Professionals" who know how to pass the exam but have little or no practical knowledge.

All certified penetration testers at High Bit Security receive intensive on the job training from inside, a process we control. They are then certified by outside entities, where we have no control over the exam at all. On top of that, they have at least one year of employment history with us and at least 1,000 hours of supervised, hands on experience with live engagements. The cost for all of our penetration testing is based on direct W2 employee testing. No remote contractors are used for any High Bit Security penetration testing.

What does this have to do with penetration testing cost and pricing?

Our direct, in house training provides many benefits to us and our clients, but one benefit is three distinct manual penetration testing price levels, with full transparency, as always.

So here is what Pre-Certified, Certified-Lead and Certified-Only mean, in detail, in terms of service and price:

Pre-Certified is the best choice for a low cost penetration test, while still maintaining manual quality. It means that the primary tester may be someone with a year or more of employment history with High Bit Security, with a minimum of 500 hours of hands on experience with live penetration testing engagements, who is in their second training phase and needs 500 hours of independent work to complete our pre-certification training. The individual has demonstrated sufficient skill to take on this role, has access to senior staff for guidance and junior staff for assistance if needed, but has sole responsibility for performance and reporting. If you are looking for the lowest cost penetration testing option for serious manual testing, this is it.

Certified-Lead is our standard approach and most popular option for a high quality manual penetration test at a reasonable cost. It means that all engagement work is performed by a team, managed by a Certified-Lead tester, who assigns work and closely supervises individuals deemed competent to perform the specific tasks they are given. Some of the work will be done by personnel who are in various training phases. All complex issues, fault chaining work, overall interpretation and final responsibility for context relevant testing and reporting remains with a certified tester.

Certified-Only is our premium option, the utmost quality and the highest cost penetration test we offer. With this option all work is performed by a certified tester, whether we think it makes sense from a human resource perspective or not. This is not the most cost efficient penetration testing engagement, but there are cases that require it and we do offer it for our clients who want it.

Now that we have explained those terms, we can put it in table form, and then you can see how it impacts penetration testing cost and know what it means:

Type	Base Engagement, Penetration Testing Cost, USD
Pre-Certified	$2400
Certified-Lead	$3600
Certified-Only	$7200

You will find that the common package prices for penetration testing listed on our rate card at the top of the page differ in price by exactly the difference in these base engagement prices.

If a package penetration testing deal is not what you need, here are more of our common scope items, just total up what you actually need and then add your chosen base engagement price (Pre-Certified, Certified-Lead or Certified-Only), to come up with the total cost of the penetration test:

Type	Penetration Testing Cost, itemized by testing component description	Item Cost, USD
Network	Network and Host Configuration penetration testing, block of 32 IP addresses, itemized cost.	$2250
Web Application or Web Service	A single, non-credentialed web application or web service penetration test, itemized cost.	$2250
Credentialed Testing	Surcharge for adding credentialed testing for a web application or web service penetration test, itemized cost. Includes 2 application roles or one web service role, and includes full horizontal and vertical access control boundary testing.	$2250
Internal Testing	Price is the surcharge for an internal penetration test.	$2400
Wireless	Wireless penetration test (in conjunction with internal testing only), itemized cost.	$3480
Social Engineering	Price is for a Remote social engineering test, including two separate electronic attack vectors including spear phishing email directed at human targets within your organization, in conjunction with an external network penetration test, itemized cost.	$4680

We do our best to be transparent about our penetration testing prices, but often the package deals and standard scope items aren't quite what you are looking for, or your total is high enough for volume discounts, or you just need more explanation.

We can't possibly cover every penetration testing price combination or circumstance, but we do try. If you are still not sure what you need, or what your penetration testing engagement will cost, you are not alone. Half or more of our penetration testing engagements have some unique factor that either impacts price or needs some explanation from us or open dialog with you before we can price it. We are happy to provide more information, including detailed, itemized cost quotes for any penetration test. Just contact us using the form at top the page.

We'll build the best itemized quote we can for you, with all penetration testing costs and methods explained in detail, and nothing hidden.

Go To Inquiry Form

You can find more information on our manual penetration testing methods in our methodology section

The information we give you above will help you determine exactly how much a penetration test from us will cost, at least for the more standard engagements.

Now we will cover a couple of the arguments against our published pricing.

Believe it or not, there are companies who react by claiming that it is impossible to publish pricing for penetration testing, and that only an inferior company would even consider it. If you've gotten this far with us you probably wouldn't fall for that, but we are going to cover it anyway.

Claim: Penetration testing is too complex to allow for quoting a standard price.

The implication of this statement is that anyone who quotes a fixed price must not understand the complexities involved in penetration testing.
Fact: Penetration testing is complex, but that complexity does not prevent a company from putting a published price on some kinds of standardized, well understood, penetration testing packages.
Fact: We don't publish pricing for everything, some of it is too complex to put a standardized price on, but much of it can be priced.
Fact: We do publish our pricing, and we do understand the complexity, because unlike most of the companies making this claim, penetration testing is all we do.
Penetration testing is complex, but so are most industries, under the surface. Whatever it is that your company does is almost certainly more complex than it looks, but you understand the complexity even if others don't. That complexity would be unlikely to prevent you from publishing prices for standardized products or services, if you wanted to do so.
Claim Conclusion: Nonsense.
Claim: "Most companies that have a fixed price for a pen test will not help you to improve your security due to limitations of the testing tools used".

The logical contortion in quotes above is actually copied verbatim from one of our competitors websites. There are other close variants of the statement, all sharing the same attempted implication: that companies who publish standardized penetration testing prices of any kind are only able to do so because they are using cheap automated tools and no manual effort.
Apparently we are also to assume that companies making statements like this are better than any company with published prices, and conclude that companies that don't publish prices also do not use testing tools with limitations. Further, having made those unsupported assumptions, we are to conclude that this whole chain of 'logic' in some way provides justification for them in keeping their prices a secret from the public. Well...
Fact: Some companies do use cheap automated tools and provide little or no manual effort, and also publish those prices. This appears to be the one fact this statement relies on to make the rest of it easier to believe.
Here's another fact: Many companies who charge a great deal and don't publish their prices are also using cheap automated tools.
Fact: We are very clear about our manual effort, and we publish our prices.
Fact: We maintain data on hundreds of competing penetration testing companies worldwide, and our data shows that less than 3 percent of companies using either manual or automated methods are willing to publish standardized penetration testing prices. We are talking about a handful, worldwide, and as far as we can tell there are more offering manual than an automated approach.
Fact: Penetration testing tools and approach are factors for the price of a penetration test, but those factors do not preclude publishing that pricing.
The companies suggesting otherwise are also expecting you to trust them with your most sensitive data.
Here is our opinion:
1. Companies that offer published pricing should clearly state what it is that they are offering, like we do.
2. Companies that don't publish a price can safely ignore the previous point. They could remove any descriptions entirely, without impact to purchasers, because for the purchaser, a description without a price has the same value as a price without a description: zero.
3. For the company, either case has value. Both cases allow them to vaguely suggest how much they might charge for whatever they might do, without ever coming close to committing to anything.
Claim Conclusion: Any company stating that giving you less information about them is better for you, while also expecting you to trust them with your most sensitive data, probably deserves whatever character judgement you arrive at for them.

Go To Inquiry Form

How much does a penetration test cost? Automated, Manual, or Both?

Go To Inquiry Form

In this section, we address the difference between automated testing and manual testing, discuss the impact of automated testing on price and quality, and offer some suggestions on how to ensure that you are getting what you think you are paying for.

Both of these approaches to penetration testing have value, and we use both. Automation has far less value as a stand alone service, but it is necessary for full testing coverage, and in some limited cases is actually better than manual testing. Examples of the latter include highly repetitive testing tasks such as port scanning, fuzzing, parameter manipulation, response analysis, enumeration tasks, brute force and dictionary attacks. The superiority of automation in these areas is undisputed. No one hand keys 100,000 web requests or port scans, and if they do, you shouldn't be paying for the practice. Automation by itself, however, is entirely incapable of identifying, let alone validating, some of the most important security flaws. The latter statement includes all so called 'AI' solutions.

There are a number of vendors currently offering 'penetration testing services' for advertised prices of $895, or even $700 or less. We do not object to this, as long as the 'service' is accurately described. Our objection is with vendors who devote an entire web page to the quality of their testing, including statements about the manual effort they employ, including the qualifications of the 'testers', and then disclose, in the fine print at the bottom of the page, that the testing is completely automated.

Automated penetration testing can not be considered thorough, but it may be suitable for you if:

1. You are testing for your own purposes and do not need to satisfy a third party requirement or compliance mandate.

2. You are willing to interpret automated reports yourself.

3. You understand that automation is significantly inferior to, and cannot be considered a replacement for, manual penetration testing.

Automated testing will not be thorough, can not be thorough no matter who provides it, and rarely satisfies third party requirements. Further, automated reports almost always contain false positives and will need to be reviewed in context. Finally, there is the issue of coverage and false negatives.

You cannot rely on automated reports for thorough testing. Only some security flaws can be identified through automation. Some of the most dangerous possibilities will not receive testing using any automated method. These possibilities include exploitation of business logic flaws and exploits resulting from complex fault chaining, side channel vectors, passive reconnaissance and plain old human recognition of the complex relationships between various attack vectors and observed faults. These are not occasionally missed by automation, they are routinely missed, and routinely found in manual testing. When it comes to web applications, the capabilities of automated testing is seriously inadequate. We discuss this at length and in far more detail in reference to the entire OWASP testing guide on our web application testing methodology page.

Automation is programmed, it cannot imagine and it cannot create. Conversely, human cognition is inventive, dynamic, contextual, and bounded only by human creativity itself. It represents a vast, fuzzy, shifting and dangerous attack surface that is exactly where the best attackers live. The most important attributes of this surface are not even measurable, let alone programmable. It is an attack surface that might be better described as an attack 'miasma', and it is only approachable through competent, creative and enthusiastic manual penetration testing.

To put it another way: The day we can rely on automated security testing is the same day we can replace human coders with their own code. Some may believe that day is just around the corner, but we rather doubt it, and that day certainly isn't today.

Given the limitations, you may wonder why anyone would buy automated testing at all? We don't mean to suggest that there is no value to automated testing. It is (or should be) much cheaper, and there are cases where it may make sense. Maybe you are building a new system or application and want a quick check for the most easily detectable issues before you continue with your next development phase. Maybe you know you could obtain similar testing software yourself, and are comfortable interpreting results, but you lack the time or expertise to properly set everything up.

There could be many scenarios where a quick and cheap automated test may have some value. Whatever your reasons, our purpose is not to judge but to provide you with enough information to understand the limitations, and some pointers on how to tell what you are getting when you run across a vendor who is using all or mostly automated testing and passing it off as manual work. It can be difficult to tell in advance if the vendor is intentionally doing it, and that's the point.

If you suspect you are being told one thing and sold another, we can give you a few pointers on what to ask:

Ask the vendor to provide a copy of the automated scan report as a seperate deliverable, along with your penetration test report.

If they claim their scanner doesn't produce a report, ask them to zip up whatever automated scanner output their testers look at and send you that.

If they claim they don't do any automated scans, then you might wonder how are they going to check hundreds of thousands of payload/parameter combinations manually, without using a scanner at all, for the price they quoted?

We always include all automated testing reports, including network, application, port scans, everthing, free of charge, as an addendum to our full penetration testing reports. It allows our clients to see how much more they are getting with manual penetration testing and demonstrates, with evidence, that the testing was thorough.

In our opinion, there is no legitimate reason to resist this request. Automated scanner reports are, after all, reports on the security posture of your systems, paid for by you, generated at your request, and should be part of any thorough penetration test. If you can think of a legitimate reason for a company to refuse to provide it to you, we'd like to hear it.

If they resist, it's probably because they don't want you comparing their 'pen test' report with the automated scan report. You can probably figure out why.

Ask for and check references.

When you call or email their references, make sure you ask if they felt comfortable that the vendor used substantial manual effort.

Ask the vendor if they will provide a manual activity report along with the penetration testing report.

This may be one of the most important questions to ask. Any vendor who is actually performing manual penetration testing is sure to be keeping records that will demonstrate it and should be glad to have the chance to prove it to you.

If they claim that this will take too much time and will increase the price, tell them it doesn't have to be pretty and you're not expecting to pay for it.

In our case, we are happy to provide our manual testing notes, which are full of half formed suspicions, false starts, dead ends, on-the-fly vulnerability research, screen captures taken for later use, typos, and yes, even mistakes. In other words, exactly the kind of thing you would expect to see from live human beings trying to figure out what is going on with your applications and systems. When you see it, you will know three things: It isn't pretty, it wasn't generated by a scanner, and we actually did the work.

One word of caution about evidence: Be wary of any vendor who tells you that you will see the evidence in your logs. It is very difficult to tell the difference between scanner traffic and manual effort, especially if the scanner is configured to randomize timing. Some scanners even have configuration options intended to mimic human behavior.

So, that's our current guidance on how to ensure that you are actually getting at least some manual testing. It's worth repeating that we are not opposed to testing that is entirely automated. Automated testing alone will not be thorough but there may be cases where it is appropriate. Our objection is with vendors who try to sell a simple automated scan to clients who are expecting significant manual effort.

Our view is that no penetration test can be considered reasonably thorough without both automated scanning and substantial manual testing. We are not alone in that opinion. The PCI-DSS council as of PCI-DSS v3, along with a growing number of software purchasing departments, and the OWASP testing guide all support that view.

Our web application testing covers the entire OWASP testing guide, not just the top 10 or top 25, and makes extensive use of manual testing using qualified, certified testers as well as automation.

Go To Inquiry Form

Summary: How much does a penetration test cost?

We assume that you got to this page because a price for a penetration test is what you are looking for, and we have done our best to provide you with exactly that. The cost of our standard penetration testing plans are not secret. We value transparency far more than most, and we do our level best to provide you with full information, but we know that we cannot cover every scenario that might impact penetration testing pricing on one web page.

Please compare our penetration testing fees, our decade + of experience, our reputation for transparency, and our published methods, with the information provided from other vendors.

Then ask us for a free, quick, no hassle penetration testing quote using the contact form above.

Go To Inquiry Form

Penetration Testing Cost