Crazy variations in pricing between companies is one of the most common complaints we hear from clients comparing penetration testing quotes. This isn’t a new problem for the services industry as a whole, but it can be frustrating. Especially when you’re trying to compare services that are more technical in nature. Information security consulting engagements or penetration testing may require some in-depth industry knowledge or past experience to understand exactly what your money is buying. For these types of services, the problem is somewhat more unique and nuanced when compared to other industries though. Let’s explore some of the contributing factors to the variations in penetration testing quotes.
Why Do Penetration Testing Quotes Vary So Much?
1. Cost of penetration testers vary
A more skilled, senior-level penetration tester costs a lot more per hour than a junior-level penetration tester. That’s just the nature of the beast, much like how a partner at a law firm is going to cost more than a paralegal. Extending that metaphor, do you want a paralegal defending you on murder charges? Do you need the partner reviewing an employment contract? The point is, you want a skilled tester assessing the security of your organization, but there’s a cost-benefit trade-off that is important to consider. An extremely cheap quote, when compared to others, may speak to the quality of resources you’re getting to test your organization’s security. And if you are checking a box for compliance, maybe that’s OK for you. But quality assessments take quality people who require quality pay.
2. The scope of your assessment is wrong
Depending on who you talk to, the answers to those basic scoping questions everyone asks you could come out completely different. Maybe you’re talking to a sales guy who doesn’t quite understand the technical aspects of your network or application, or maybe there’s just a misunderstanding between you and whoever is scoping out the work to be performed. Either way, this can cost you money and you might not even realize it happened. It’s important to confirm an accurate scope of testing throughout the sales cycle. This ensures everyone is on the same page and you’re not paying too much for testing.
3. You’re scoped for an automated vulnerability scan rather than a true penetration test
We’ve talked about this in other posts, but it can help explain why some quotes are so much less than others. Real penetration testing takes manual assessment and exploitation above and beyond a baseline vulnerability identification exercise. This takes more time which in turn costs more money. Verify the testing methodology for an organization prior to engaging in an assessment to ensure it aligns with your testing expectations. Additionally, other activities may not be included, such as open source intelligence gathering during the discovery phase or lateral movement attempts during the post-exploitation phase.
4. Some companies charge a premium
May as well stick with the lawyer comparison here. A large, famous firm likely charges a premium when compared to other firms for the exact same service. Penetration testing companies can seem the same way basically a “brand” up-charge for big name companies or to play up the exclusivity of certain organizations. This kind of activity will generally be pretty easy to spot, with outliers on the high side when comparing quotes.
5. There are “sales guys” involved
What I mean by this is, whenever “sales guys” are involved there is some margin for price manipulation, for lack of a better term. Maybe you work for a large organization and the perception is, “these guys have lots of money, let’s toss a little contingency on the top”. Or on the flip side, maybe you’re getting a better deal because it’s a competitive bid. But there’s definitely an artistic side to the way some penetration testing companies come up with numbers for cost. For what it’s worth, we try and standardize cost where possible to avoid this. Our prices are based on the size of the assessment you need and the time it will take to complete, so we avoid traditional sales tactics that can just breed distrust and resentment.