Unfortunately the age old adage “you get what you pay for” has never been more true than in the penetration testing industry. We often hear from potential clients that are seeking a new penetration testing partner because they had previously gone with the cheapest quote and are now “paying the price” (pun intended). A response we see a lot is:
We received multiple quotes and we really feel like you guys are the best fit, but and after reviewing and discussing with the “decision makers,” we’ve decided to go with the cheapest vendor.
Why wouldn’t I want to go with the cheapest quote?
As with many service-based industries, pricing in penetration testing can be an indicator of quality, to a certain extent. Really we’re just talking about the lowest and highest ends of the spectrum, because in the mid-range of pricing, you’re probably getting more realistic numbers. But some information security vendors are designed to be the absolute cheapest to allow you to check a box. These are the ones we’d caution against if you’re really concerned with security. Many times if you go with that cheapest quote, unfortunately, the IT and/or Security Team may be stuck with a vendor that:
- delivers lackluster reports
- is hard to communicate with or get in touch with, especially after the final reports are delivered
- arbitrarily raises prices in following years
- puts under-qualified resources on your project to meet that lower price point
Additionally, often times the cheapest quote is not truly what you are looking for because the project has been scoped out incorrectly, meaning the final product won’t meet your needs or intentions. Sometimes, you’ll be getting a lesser quality of test in a vulnerability scan rather than a true penetration test. Other times, you may not be getting full coverage for your intended scope. Ultimately, you just want to make sure you’re not only comparing price, but also detailed scope, expected output/deliverables, and level of expertise of the testing resources.
So I shouldn’t go with the cheapest quote, but how do I decide from the other quotes?
This is a great question that all goes back to the proper vetting of your penetration testing firm. Be sure to ask any and all questions you have to ensure the firm understands what you are asking for, you understand what you are getting, and you feel confident that this firm can satisfy your requirements. Also, consider asking questions about:
- how they will conduct testing and their methodology
- what tools they will be leveraging
- what certifications/credentials the engineers assigned to the project hold
Often, cost-conscience senior management will focus solely on price as they have responsibility for the budget. However, helping them understand the true differences between firms/quotes can help you ensure that you are getting the most value for that precious budget.