Let’s remove some of the mystery behind how web application penetration tests are priced. One of our core tenets is honesty and transparency, so if we can clarify the process of scoping a penetration test and help you understand how much a web application penetration test is going to cost, it may make you more comfortable when comparing penetration testing firms. I want to focus specifically on web application penetration testing here, as it is one of the assessment types whose cost varies most widely across the industry.
At the end of the day, penetration testing companies should base the cost of an assessment on the time it takes an engineer to do the required work. Using some fairly basic questions, these companies estimate the bucket of time needed to perform the assessment. For us, a small web app with one role costs ~$4,790 as a baseline. On the other hand, if your web application has multiple roles to test and a significant number of unique pages/forms, it takes an engineer longer to test adequately and might cost closer to ~$8,000.
Scope = Cost
To understand how penetration testing companies derive a cost, it’s important to understand how this type of testing is scoped. What we’ve seen across the industry is that a couple of main components matter:
- Unique Applications – The number of different applications that need to be tested.
- Different Roles – Dictates how many different “angles” the application will be assessed from based on the different types of accounts that exist within the application (user, administrator, etc.).
- Screens or Forms – A count of the unique screens associated with the web application. This can be a really amorphous number that is hard to quantify, making it a fairly inaccurate part of the scope.
Ultimately, the more accurate the scope is, the more accurate your testing price should be. Too much time and you’ll be paying for more than you need. Too little time and you’re likely not going to get a thorough and accurate assessment.
Now, you might take the same website to three different companies and get three very different quotes. We’ve tried to explain some of the reasons for that in a separate post here. Our goal is to standardize this process and take some of the guesswork out of it for you.