Why Some Penetration Tests Cost $10K and Others $3K

Read this blog to discover what determines the cost of a penetration test, what cheaper and more expensive penetration tests include, which fit your needs, and the major red flags to avoid.


If you’ve looked into hiring a penetration testing team to exploit your vulnerabilities, you have likely noticed that quotes for a pen test vary enormously. So, I consulted with Terrill Thorn, the Director of Penetration Testing at SecurityMetrics, to identify why some pen tests cost so much more than others.

What Drives the Cost of a Penetration Test?

When it comes to determining the price of a penetration test, Terrill explains that “time is the BIGGEST factor in cost.” 

When you hire a penetration testing team, you typically pay for their time in daily increments. This means that you can purchase, say, three days of a pentester’s time to attack your network. When the three days are over, the test is finished; your pentester isn’t going to work extra hours without your go-ahead and payment. A pentest should always have a set quote before it is conducted, with no additional or hidden costs.

Terrill also warns that you “have to be wary of 'pentests' that are really just automated tools scanning your targets. You should look for actual exploitation that was done as part of the test, and not just what an attacker might be able to do.” In essence, make sure you’re paying for an actual penetration test, with an ethical hacker exploiting your vulnerabilities, not a vulnerability scan. 

Here are the top factors that affect the cost of your penetration test: 

  • Scope (internal pen test, external pen test, application, cloud, etc.)
  • Manual vs automated testing
  • Your pentester’s qualifications, certifications, and experience
  • Level of detail in reporting
  • Any remediation support
  • Compliance requirements (such as PCI, SOC 2, or HIPAA) 
  • Number of hours purchased for the test
  • Follow-up and support/retesting

Terrill advises that “a bigger investment will allow the pentester more time to exploit vulnerabilities, and cover the targets more in depth. There is a limit to this where too much time can also be an issue.” 

What Does a Lower-Cost Penetration Test Include?

When it comes to lower cost penetration tests, Terrill explains that a “lack of manual testing and exploitation are the main exclusions you see in lower cost pentests.” 

“Automated testing” often means you are getting a vulnerability scan rather than a penetration test in which a human ethical hacker exploits your environment. A scanner checks for a fixed list of known issues; it doesn’t act and react the way a human attacker does. For example, an ethical hacker can chain several misconfigurations together, each of which a scanner might rate as low severity or miss entirely.

In practice, that means a real threat actor can compromise your environment in ways an automated test will never reproduce. This level of pen test will “give you a high level overview of WHAT you should look for but won't go into a lot of detail about HOW to look for the issues.”

What Does a Higher-Cost Penetration Test Include?

Terrill explains that “higher cost pentests should be exploiting issues they find, and the main difference between a high cost test and a low cost test is that the higher cost test will be able to chain vulnerabilities together to further their access into your system. Automated tools tend to just find a standalone issue, and often provide false positives.” 

When you partner with a company like SecurityMetrics, you pay by the day, with the most typical purchase being three to four days. All penetration tests conducted by SecurityMetrics are fully remote, with costs like shipping hardware for internal network testing included in your quote. 

From Backup to Breach: A SecurityMetrics Pentester's Account

It all began with a simple penetration test. A SecurityMetrics pentester was sifting through the client's network when he made a stunning discovery: a full backup of the customer's source code. Finding this was the key that unlocked the entire operation. Terrill states that "he then reviewed the source code and found a private email address for a developer who had been involved in a compromise and listed the associate's password.” 

It turned out the password had been exposed in a previous breach, and critically, it was reused. 

"The password was reused by the developer and allowed the pentester to log into their website as that developer." This single, small error was all it took for the pentester to begin the next phase of the attack.

With access to the developer's account, the SecurityMetrics pentester had a solid foothold. He uploaded a malicious file, which gave him a reverse shell and remote access to the system. He didn’t stop at initial access: the client's standard security controls were in place, and the rest of the engagement showed that a determined attacker can still find a way around them.

The final step was the most significant, "They were then able to use PowerShell to bypass the malware detection software and run an exploit in system memory to get full admin access to the system." 
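The chain above began with a source-code backup that contained a developer's email address and a password exposed in an earlier breach. As an added example (it is not SecurityMetrics' code or tooling, and the file contents it scans are constructed sample data), here is a small Python scanner you can run over your own repositories or backups to find that kind of exposure before a tester or an attacker does. The key names it looks for, the placeholder list, and the minimum value length are assumptions to tune for your own code base.

```python
"""Added example: scan a source tree or backup for hard-coded credentials.

The sample files below are constructed for the example and contain no
real secrets.  Key names, placeholder list and thresholds are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Secret-looking key followed by an assignment and a value of 6+ characters.
# The lookbehind keeps "bypass" from matching while still catching "db_pass".
SECRET_KEY_RE = re.compile(
    r"""(?ix)
    (?<![A-Za-z])(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)  # key name
    \s*[:=]\s*                                                     # assignment
    ["']?([^"'\s,;]{6,})                                           # value
    """
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxx", "<redacted>"}
SKIP_DIRS = {".git", "node_modules", "__pycache__", "vendor"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "secret" or "email"
    key: str       # variable/key name for secrets, "" for emails
    preview: str   # redacted value so the report does not re-leak the secret


def redact(value: str) -> str:
    """Keep two leading characters so a reviewer can recognise the value."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "*" * len(value)


def scan_lines(rel_path: str, lines) -> list:
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in SECRET_KEY_RE.finditer(line):
            key, value = m.group(1), m.group(2)
            # Skip templated values (${VAR}), code expressions and placeholders.
            if any(c in value for c in "([{") or value.lower() in PLACEHOLDERS:
                continue
            findings.append(Finding(rel_path, no, "secret", key, redact(value)))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(rel_path, no, "email", "", m.group(0)))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory, skip binaries and dependency folders, scan the rest."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                raw = f.read()
            if b"\0" in raw[:8000]:
                continue  # binary file, not worth pattern matching
            rel = os.path.relpath(full, root)
            text = raw.decode("utf-8", "replace")
            findings.extend(scan_lines(rel, text.splitlines()))
    return findings


# Constructed sample "backup": one real-looking credential, one templated value,
# one placeholder, one code expression, one binary and one vendored file.
SAMPLE_FILES = {
    "config/db.php": b'<?php\n$db_user = "app";\n$db_pass = "Summer2019!";\n',
    ".env": b"APP_ENV=prod\nDB_PASSWORD=${VAULT_DB_PASSWORD}\nAPI_KEY=sk_live_0123456789abcdef\n",
    "README.md": b"Maintainer: jane.doe@example.com\nDefault dev password: changeme\n",
    "app/auth.py": b'def login(request):\n    user.password = request.form["password"]\n',
    "build/app.bin": b"\x7fELF\x00\x00secret=notreally\n",
    "node_modules/lib/index.js": b'const token = "abcdef123456";\n',
}


def build_sample_backup() -> str:
    """Write the constructed sample tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="backup-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_backup()):
        print(f"{finding.path}:{finding.line_no}  {finding.kind:6} "
              f"{finding.key or '-':10} {finding.preview}")
```

Running it on the sample tree reports the PHP database password, the live-looking API key and the maintainer's email, while ignoring the vault-templated value, the `changeme` placeholder, the code expression and the binary. Note that a tool like this is exactly the kind of automated check Terrill contrasts with manual testing: it will miss secrets stored under names it does not know and flag things that are not secrets, so a human still has to review and, as in the account above, try each password against other systems to prove reuse.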

Questions to Ask When Choosing a Penetration Testing Partner

So, how do you know what to ask when you’re vetting potential pen test partners? Terrill suggests the following questions as a great place to start the conversation: 

  1. How in-depth do you want to test? Not everyone will necessarily need a super extensive pen test, whereas others need to go the extra mile to protect their company. Knowing the scope of what you want tested is an important first step.
  2. What information can we provide ahead of time to the pentest team to get the most from our test? Remember, you’re paying for the pentester’s time and expertise, so don’t spend that investment on discovering information you already have. Anything you can easily share up front (network ranges, application URLs, test accounts, architecture notes) frees up time for your pentester to find the harder-to-find vulnerabilities.
  3. What are your objectives for the pentest? Another way to think of this is “what data, if compromised, would be devastating to your business?” Letting your penetration team know what data you're most concerned about can prioritize their approach so you get the best value. 

Terrill finds that “just like so many other things, the more you put into your pentest and work WITH the pentesting firm the more you will get out of your test.”

Which Pen Test is the Best Fit For You?

The best pen test for your business is the one that helps you get secure and identifies where you’re truly weak. Terrill recalls that “we've had customers in the past leave us for lower cost alternatives, and then come back to us the next year unhappy with what they received from the low cost alternative.” 

Be aware that choosing a lower-cost test can end up costing more if it turns out you need an in-depth, manual penetration test after all.

The best place to start is by speaking directly with a professional about your goals for your penetration test and getting an idea of what you want tested.
