What Does a Penetration Test Cost? Scope Factors That Matter
Some might say a good decision is based on knowledge and not on numbers.
Others might instead argue that a good decision is largely based on knowledge of the numbers. It’s no secret that price is always a big factor when making a purchase, particularly when budgets can be a deciding factor. But unfortunately for those considering compliance, it’s oftentimes hard to get straightforward numbers right off the bat.
For instance, if you were to ask, “how much will a penetration test cost,” the answer would be “it depends.”
But we don’t have to leave it at that. Without knowing any additional details about the environment, an organization wanting to have a penetration test performed should assume the cost starts at $15,000. (That’s for a fairly small scope.)
At Schellman, we perform over 200 penetration tests annually, and we can attest that those “additional details” mean quite a lot when it comes to your final price. In this article, we’re going to outline some of those particulars that will drive up the final price of testing your environment.
That way, you don’t have to settle for an “it depends.” You may not be able to discern a definitive final price, but you’ll understand more about your own environment. That will help when you do get into negotiations with a penetration tester because you’ll have set better expectations and will be less likely to be blindsided.
How Much Does a Penetration Test Cost?
How Your Scope Affects Your Penetration Test Price
First, it’s important to understand why pricing on these kinds of initiatives fluctuates so much.
You’ll find that the price for many compliance services primarily correlates to the level of effort (LOE) needed to deliver the service. Penetration tests are no exception, and their LOE is predominantly driven by the scope of the assessment.
When we say “scope,” what we actually mean is the amount of discrete or interrelated tests of different elements. You may need or choose to include testing of several, if not all the following elements:
- External (Internet-facing) hosts
- Internal hosts
- Wireless networks
- Web applications
- Application Program Interfaces (APIs)
- Mobile applications
- Thick clients and/or agents
- Social Engineering
The more types of tests you include, the more effort will be involved from your auditor, which means your final price will be higher. But within all these separate tests, you should also know that there are more granular components that will affect your price.
External (Internet-Facing) Testing
For these kinds of tests, your chosen tester will generally take the perspective of anyone on the Internet and attempt to break through your outer defenses.
Scoping these kinds of tests will involve two price-affecting factors:
- Size of the IP Address Space: How many potential hosts could exist in the environment. A scope that only includes a single /28 will take less time than one with a full Class B (i.e. /16).
- Number of Live Hosts: The number of systems that should be reachable to a user on the Internet. If one environment has four live hosts and a second environment has 250, the second one will take much longer.
Scoping an internal penetration test has some similarities, but also includes several additional considerations compared to an external test—the main one being that the number of systems or network ranges in scope and number of live hosts is important.
Once again, a larger IP address space and more live hosts mean more time spent, but there are also other factors you may choose to include or implement that will impact your final price:
- Authentication: Whereas external testing is typically unauthenticated, internal testing may be authenticated, or take the perspective of an assumed breach.
- Scenario Type: Whereas external testing is straightforward—the scenario is an attacker on the Internet—an internal penetration test can occur from different assumed breach positions, including the following:
- Low-level user (e.g. employee, contractor) malicious insider threat
- Admin-level malicious insider threat
- Stolen VPN credentials
- Rogue device on the network (wired or wireless)
- Time-Boxed Assessments: When testing large internal networks, it may make sense to limit testing to a certain number of days or weeks.
Wireless Network Testing
The following will influence the price of testing your wireless local area network (WLAN):
- Number of Locations: I.e., the number of facilities and/or sites being assessed.
- Size of Locations: Large campus headquarters will take longer than a small outpost for a few remote users.
- Number of Networks: While not as big of a concern as the first two, the number of wireless networks also impacts the LOE.
Other Considerations with Infrastructure Testing
Though we’ve just outlined particular facets of each of these three previous types of tests, all of them can be considered infrastructure testing. Here are a few more considerations that affect infrastructure testing:
- IP Addresses vs. Hosts: When scoping an external or internal assessment, it is commonly asked how many IP addresses exist, though a better approach would be to ask about the number of hosts. (A single IP address may support multiple hosts.)
- IPv6: When scoping an external or internal assessment, be sure to include hosts using IPv4 or IPv6 addresses. More organizations are leveraging IPv6, yet it may not be listed in an organization’s inventory, especially, if IPv6 is newer to the environment.
- Accessibility: This is more for internal and wireless testing, but some locations are harder to test and may take more time due to needing to go through multiple systems to access, supported via low bandwidth connections, or lack of local support to properly gain access.
We should also note that, during this kind of infrastructure penetration testing and others, the process can be streamlined if the tester is provided a network diagram of the environment, a data flow diagram of key business transactions, and/or an inventory list as part of the scoping discussion.
Web Application Testing
A very popular type of testing, the key factors that impact how long a web application penetration test will take—as well as the final price—include the following:
- Overall Size: Having an idea of the application’s size is a good start, though this is not always accurate or even relevant with some modern applications.
- Complexity: The business purpose of the application influences how long it will take to fully test (e.g. a small static nonprofit site will take far less time than a large, enterprise data analysis SaaS offering).
- Integrations: Some applications are built on top of or require a third-party application to function properly. This can add to the aforementioned complexity.
- Setup / Prep Time: Closely tied with integrations. Certain applications require a lot of setup, particularly if third parties are needed.
- Authentication / Authorizations Considerations: Most application penetration testing requires some level of credentials, but applications can sometimes have many levels of authorization or provide very granular role-based access control, which will affect timeline and price.
- Deployment Model: Whether collocated, single-tenant, private cloud, or multi-tenant public cloud, the deployment model of the application can impact timing.
Application Program Interfaces (APIs)
Oftentimes conducted at the same time as a web application penetration test, when testing an API, the following can impact the length of time it takes and its price:
- Number of Endpoints: The main determiner of the necessary level of effort.
- Number of APIs (i.e. versions): Some organizations support more than one version of an API, which could increase the amount of time it takes to test.
- Type of API: SOAP, REST, GraphQL, etc. the type (or style) of the API may impact the level of effort.
- Controls in Place: While most APIs require some authentication, some APIs have several layers of security included with additional headers, rate limiting, and other controls in place, which can slow down testing.
iOS and Android applications are generally the primary mobile applications in scope, and sometimes can be performed concurrently with API penetration testing. A few other items that could impact the timing and price of this testing include:
- Specific / Enhanced Functionality: If additional functionality of the mobile phone is leveraged, such as GPS, the test may take longer.
- Accessibility: If the apps are available in the App Store and Play Store, the scope is easier to understand than if the application is only available by sideloading (a.k.a. installing software on a device without using the approved app store or distribution channel).
- Controls in Place: Certificate pinning is one example of a technical control in place that can increase the amount of time it takes to test mobile applications
Thick Clients and/or Agents
Another component of application penetration, thick clients indicate workstations that include most or all of the components necessary to operate and execute software applications independently—meaning no help from a server. Pricing factors to consider here are:
- Supported Versions: Some applications may support multiple operating systems and distributions. The more thick clients and agents, the longer it will take to assess.
- Configuration Effort: Software residing locally may be quickly and successfully installed for use, while others may take extensive time to properly configure.
Types of social engineering include physical and phone-based social engineering, as well as phishing. Each of these has its own factors in determining how long each will take and how much it’ll cost:
- Physical: The number of locations, types of attempts, etc., and the actual location.
- Phone-Based: The number of targets (i.e. individuals being called) and the number of scenarios attempted.
- Phishing: Because this is email-based against your entire population or a subset, the number of targets and the number of campaigns affect the level of effort.
More Pricing Considerations for Your Penetration
As we’ve just deconstructed all the high-level details, scope is the primary factor in determining the price of a penetration test. However, there are a few other items that can also impact your final cost:
- Additional Services: Some other services complement a penetration test and when combined can provide efficiencies. Cloud Security Configuration Reviews are a prime example, as the results can help provide visibility into the environment.
- Timing: When you need your penetration test needs to occur affects price. Projects with short turnaround requirements may cost more than ones with more notice.
- Delivery Team: Occasionally, a specific pen tester or pen test team is requested, and some projects require team members to have specific clearances. If this occurs, it may impact the overall delivery schedule, as well as price.
This has been a lot of information, and no doubt it’s a lot to take in. Should you have any questions, our penetration test team would be happy to speak with you regarding the price of your specific environment. If you’re interested, please complete our scoping questionnaire so that we can get a complete picture and nail down your prospective costs.
About MATT WILGUS
Matt Wilgus is a Principal at Schellman, where he heads the delivery of Schellman’s penetration testing services related to FedRAMP and PCI assessments, as well as other regulatory and compliance programs. Matt has over 20 years’ experience in information security, with a focus on identifying, exploiting and remediating vulnerabilities. In addition, he has vast experience enhancing client security programs while effectively meeting compliance requirements. Matt has a strong background in network and application penetration testing, although over the past 10 years most of his focus has been on the application side, with extensive experience testing some of the most well-known IaaS, PaaS and SaaS providers.