How much does a penetration test cost and how to save money

One of the first things people ask when they are looking to buy any service is how much it costs. Many businesses prefer not to tell you until later in the sales process, when you are more invested, but it’s good to have a general idea of what something will cost before you look into it. Many factors affect how much a penetration test will cost you, but generally you can expect around $5,000 for a web application, $2,500 for an external network test, $10,000 for an internal network test, and $5,000-$7,500 for a purple team simulation exercise. Remember that these are very rough estimates that will vary depending on the following factors.

1) Company Size

If you are a larger company with several hundred or thousands of devices that need to be tested, then you can expect to pay a lot more than a smaller company would. A bigger project means more man-hours are required and therefore a higher price for you. Also, many companies will look at a larger business, assume you can pay more, and therefore charge you more. If you are a larger business, it’s in your best interest not to make this known so that you can avoid paying those higher prices.

2) Scope of Requirements

Just because your company is large doesn’t mean that all of your devices are within the scope of the project. The number of devices you need tested will typically be the biggest factor that determines your price. The price also depends on the depth of the test you need done. If you are looking for more of a vulnerability scan, that will be cheaper than a full-fledged penetration test, where the testers fully exploit the vulnerabilities they find to see how far they can get.

3) Packaging of Services

If you buy a penetration test as a stand-alone service from a company, you will typically pay more than if you buy multiple services from the same vendor. Companies love to give you discounts if you buy multiple services from them. In their mind, they get more revenue by upselling, and you save money by getting discounts on products you would have needed to buy anyway. For example, you could buy a bundle that includes penetration testing, security awareness training, and compliance consulting all in one and get discounts on each of those individual packages.

4) Manual vs Automated Testing

If the company you choose does manual testing, then you can expect to pay more because every activity will need to be done by hand. Comparatively, if you have a vendor that does automated testing using proprietary software and scripts, it will typically be cheaper because they will use fewer man-hours to perform the same job. Some manual testing is good to make sure that the tools didn’t miss anything, but if a company does every aspect of the testing by hand, it may get quite expensive. The best use case for automated testing is compliance testing, where you know exactly what you are testing for and there isn’t as much need to be creative.

5) Work Experience & Qualifications

No matter what industry it is, people who know what they are doing will get the job done more effectively and efficiently than someone who doesn’t. While you may think that paying for expertise is more expensive than paying for someone new, you need to consider that if the inexperienced company doesn’t do the job correctly, you will have to pay someone else to fix their mistakes down the line. It’s cheaper to pay for someone with the right experience, certifications, etc. upfront than it is to try to get a cheap deal and pay to fix poor work later on.

