An external penetration test is designed to test the perimeter security of your organization. This test takes the role of an attacker from outside trying to breach your network, compromise your Internet-facing hosts, or discover sensitive information on public assets that may damage your company’s reputation (for more information, read our complete external penetration test guide). As such, an external penetration test is one of the most important assessments for any organization. Not surprisingly, an external penetration test is a requirement for compliance with many standards, including PCI. Because of that, many of our clients are concerned about how much an external penetration test costs and what factors may increase or decrease that cost.
So how much does an external penetration test cost?
In almost every penetration testing service, this question boils down to time. The largest operating cost of any penetration testing firm is the salary of its engineers. The more qualified the engineer, the more expensive it is for that firm to keep them on staff, and therefore the more cost that gets passed on to the client. Additionally, the scope of the penetration test will play a large role in the cost. Simply put, the more IP addresses you have on your Internet perimeter, the more time an engineer must spend to provide a thorough test.
On average, for an organization with a limited number of Internet-facing hosts (ten or less), an external penetration test will start around $3,350. On the other end, for a company with a larger Internet presence (fifty or more), an external penetration test can cost upwards of $8,000. Again, this all boils down to how long it will take a skilled engineer to perform the assessment.
What factors into the cost of an external penetration test?
While the cost range above is a good starting point, the quote you receive for a penetration test could vary dramatically based on several factors. Although we cannot cover all of them, here are some major factors to consider when scoping and selecting a penetration testing firm.
- Number of IP Addresses – The biggest cost factor for an external penetration test is the number of IP addresses on your Internet perimeter. This dictates how much time is spent testing. One way to reduce this cost is to perform the penetration test only on the Internet hosts that have ports open and services listening on the Internet. Simply put, if an Internet host does not have any services listening, an attacker will not be able to attack it. Some organizations choose to test their entire range so that a qualified third party verifies that there are no services listening, but often, especially if cost is a concern, this verification can be done internally.
- Black Box, White Box, or Gray Box Testing – Also known as zero-knowledge testing, black box testing has the testing organization start without knowing the IP addresses or hostnames of the systems in scope. As part of the test, the engineer will attempt to enumerate your organization’s hosts and then proceed to target them. This type of test has the advantage of being more realistic and of giving you a better understanding of what public information is available about your company. The disadvantage of this type of testing is cost, because the engineer has to spend an extra 8 to 16 hours performing enumeration before they can begin the assessment.
- Retests – Some organizations require a retest of the findings discovered during the penetration test. This is typically driven by a compliance requirement, but sometimes it stems from the need to show the penetration test results to a prospective or current client. Some penetration testing firms bundle a retest into the up-front cost, but others charge separately for it. On average, a retest will cost up to half the cost of the original assessment, depending on the number of findings to be retested. This can be significantly reduced if you only want to retest the critical and high-severity vulnerabilities.
- Night Testing – Although not every penetration testing firm charges extra for after-hours testing, many do. Although after-hours testing might reduce the impact of a penetration test on your operations, it is often not necessary. Here are some things that can go wrong on an external penetration test and how to avoid them.
- Skill of the engineers – This one is much harder to quantify. Clients come to us with quotes ranging anywhere from $900 to $5,500 for a small external penetration test and ask why the range varies so much. Although we have found that the issue sometimes comes down to scoping, much of the time it depends on the level of engineer who will be performing your assessment, and therefore the quality of work you will get. On the lower end, these penetration tests will likely be little more than a vulnerability scan (here is the difference between a vulnerability scan and a penetration test) and not a true assessment of the risks to your organization. On the higher end, these usually involve engineers who are very talented and are recognized leaders in the field of information security. Depending on the needs of your organization and the maturity of your security program, this might be more than you are looking for.