If you are reading this, then I am guessing you are in the process of evaluating penetration testing companies and have discovered that many of them are demanding a considerable fee for this task. If this is your first time getting involved with penetration testing ,you may be asking yourself if there are less-expensive alternatives. Like: can't we just do it in-house? Or: can't we just run an automated vulnerability scan? Or even: can we pay less for a test by going with a local IT services company, MSSP, or even offshoring? While we have articles that describe how to decrease the cost, this article will explain what drives the price, no matter what it is.
In truth, the answer to all of these questions is "maybe you can". It really depends on what is driving the penetration test. If, after doing your research, you are certain that you do need a penetration test from a professional company, then the rest of this article should be helpful in explaining why a penetration test costs as much as it does.
Let's start with the obvious: skilled and experienced penetration testers are expensive resources to hire. When you think about it, this makes sense. It is not unusual for a security consultant to have 8-12 years of IT experience before they can be a lead or senior penetration tester at a security consulting firm. Though penetration testers follow a less formal education path than, for example, medical professionals, the "time-in" requirement is not much different than going to college, med-school, and a residency. Especially when you consider that most penetration testers live and breath their craft 24/7. It is rarely just a nine-to-five job. I mean, let's face it: We are talking about people who analyze all kinds of technology and find ways to break or circumvent its security controls every day. Wouldn’t you want to do it all the time?
While most of the costs discussed here don’t directly impact you (well the resources one does since you want skilled consultants.), one of the driving factors of cost is the amount of work the consultant is doing directly instead of just running an automated scanner. Since you are hiring the consulting firm to test you stuff, in ways that you can’t simply do yourself, this manual testing factor is pretty important. We discuss how Secure Ideas tests in other articles, and those discussions can explain the cost. Since the tester is actually spending the time building test cases and tools, the time to do the testing increases. And this directly increases the cost for the test.
If you have ever been in a consulting role known someone who has, then you know that it can take its toll. For penetration testers there can be a lot of travel, many late nights, sometimes even working through weekends. In addition, many will spend the majority of their downtime learning more skills and keeping up with current events. So time with family can be very limited and burnout is, unfortunately, far too common in the field. Penetration testing companies know this and, if they want to hang on to their talented resources, will take precautions to prevent burnout and keep consultants happy in their work. These actions may involve direct compensation but more often involve other factors as well, such as extra paid time off, a training budget, computers and electronics, and so on. All of these are additional factors that are part of the costs you are finding.
Aside from compensation, one of the most significant expenses for penetration testing companies is insurance. Although a skilled and experienced penetration tester will take reasonable steps to prevent catastrophic outages or damage during an assessment, things have been known to go wrong on rare occasions. After all, they are essentially executing attack scenarios. Because of this, it has become more and more common for organizations to require that their penetration testing company carry significant amounts of insurance. As a result, you may find a cheaper penetration test from a company who doesn't carry such insurance, but this also speaks to the fact that the company likely has not done many assessments for larger clients or even smaller ones in regulated industries.
So as you can see, the reasons for costs are varied and significant. As you talk to the various companies you are looking into, ask them about their costs and break down of the price.