The most common question asked is “how much will it cost for you to deliver a penetration test to us?”. Rather than responding to those questions each time with the same exact answer, we thought it might be best to write a detailed yet simple blog entry on the subject. We suspect that you’ll have no trouble understanding the pricing methods described herein because they’re common sense. The price for a genuine penetration test is based on the amount of human work required to successfully deliver the test.
The amount of human work depends on the complexity of the infrastructure to be tested. The infrastructure’s complexity depends on the configuration of each individual network connected device. A network connected device is anything including but not limited to servers, switches, firewalls, telephones, etc. Each unique network connected device provides different services that serve different purposes. Because each service is different each service requires different amounts of time to test correctly. It is for this exact reason that a genuine penetration test cannot be priced based on the number of IP addresses or number of devices. It does not make sense to charge $X per IP address when each IP address requires a different amount of work to test properly. Instead, the only correct way to price a genuine penetration test is to assess the time requirements and from there derive workload.
At Netragard the workload for an engagement is based on science and not an arbitrary price per IP. Our pricing is based on something that we call Time Per Parameter (TPP). The TPP is the amount of time that a Netragard researcher will spend testing each parameter. A parameter is either a service being provided by […]