Perhaps an employee in your organization finds out that he or she is about to be fired and goes on a hacking spree. Or maybe Sally from accounting (sorry Sally) is always clicking on links that she receives in emails and you want to determine the risk to your network associated with that. An internal penetration test is designed to evaluate the risk of a malicious insider or an attacker who has successfully gained access to your organization. As such, an internal penetration test is one of the most important assessments for any organization. Not surprisingly, an internal penetration test is a requirement for compliance with many standards, including the PCI DSS. Because of that, many of our clients are concerned about internal penetration test cost and what factors may increase or decrease that cost.
So how much does an internal penetration test cost?
In almost every penetration testing service, this question boils down to time. The most expensive operating cost of any penetration testing firm is the salary of their engineers. The more qualified the engineer, the more expensive it is for that firm to keep them on staff, and therefore, the more cost that gets passed on to the client. It stands to reason then, that the more time it takes an engineer to test your network, the more it will cost. In an internal penetration test, that time estimate boils down to the number of systems that need to be tested. Simply speaking, the more devices that have an IP address on your network, the more time an engineer must spend to provide a thorough test and the higher the cost will be.
Therefore, an internal penetration test’s cost will vary. With that being said, a small to midsize business with 100 systems can expect to pay $5,670.
What factors into the internal penetration test cost?
The pricing you receive for a penetration test could vary dramatically based on several factors. Although we cannot cover all of the factors, here are some of the big ones you’ll want to consider when scoping and selecting a penetration testing firm.
- Number of IP Addresses – The biggest cost factor for an internal penetration test is the number of systems. This will dictate how much time is spent testing.
- Retests – Some organizations require a retest of the findings discovered during the penetration test. This is typically driven by a compliance requirement, but sometimes derives from the need to show the penetration test to a prospective/current client. Some penetration testing firms will bundle a retest as part of the up-front cost, but others will charge separately for it. On average, a retest can cost up to half of the original assessment, depending on the number of findings to be retested. This can be significantly reduced if you only want to retest a subset, such as just the critical/high severity vulnerabilities.
- Night Testing – Although not every penetration testing firm will charge additionally for after-hours testing, many do. After-hours testing might reduce the impact of a penetration test, but many times it is not necessary. Work with your penetration testing firm if you are worried about production impacts. It is likely most of the test can still be performed during daylight hours, and only certain hosts or activities need to be saved for after hours.
- Skill of the Engineers – This one is much harder to quantify. We have clients come to us asking why they are receiving quotes anywhere from $5,000 to $15,000 for an internal penetration test and why the ranges vary so much. Although we have found that sometimes the issue comes down to scoping, a lot of the time it varies depending on the skill level of the engineer (or team of engineers) that will be performing your assessment, and therefore the quality of work you will get. Check out our blog on the top 5 reasons penetration testing quotes vary.