Tag: Penetration Test Cost

  • Penetration Testing Pricing: How Much is Too Little or Too Much?

    Penetration Testing Pricing: How Much is Too Little or Too Much?

    It’s been two years since we checked in about this, and the penetration testing industry has made a lot of changes in that time. Historically, customers could choose between vulnerability scanning and manual penetration testing. The primary challenge for the prospective customer was determining what a company was actually offering and if they were truly doing the same quality of work as other companies quoting services of similar names.

    However, in the last couple of years other service variants have entered the market. Many companies are now offering Penetration Testing as a Service (PTaaS) and now AI penetration testing is gaining traction in the marketplace as well.

    What does this mean for companies shopping for a penetration test? It means that, more than ever, you have to be able to sift through the sales talk and fancy service briefs to understand what the offering truly is and how it compares to the other quotes you are reviewing.

    Let’s look at each of these offerings what you are likely to see:

    Vulnerability Scanning

    This is the basic automated scan running across your environment looking for low hanging fruit: out-of-date software, unpatched systems, common vulnerabilities that can be picked up by automated rules, default passwords, etc. While the results often include false positives or vulnerabilities that can’t actually be furthered for a true attack, a vulnerability scan is still a good place to start.

    While vulnerability scanners are useful tools, they are not without limits. There are many exposures that they will not detect.

    When incorporating vulnerability scanners as part of your security strategy, Raxis recommends performing authenticated scanning and assigning team members to regularly review the scans and correct discovered issues.

    For customers who don’t require a penetration test for compliance or who want to add budget-friendly year-round scanning to their annual penetration test, Raxis Protect offers frequent scanning of your environment using best of breed scanning technologies. Raxis Protect is not a penetration test and does not include manual testing, but it does provide access to chat with the Raxis penetration testing team about reported findings so your team can understand and remediate them for a more secure environment.

    Penetration Testing

    Penetration Testing

    Arguably the gold standard for determining true business risk, penetration testing uses skilled engineers to emulate the attacks of a bad actor. While penetration tests may include a vulnerability scan to discover possible entry points and reportable issues, the penetration tester will spend a majority of the time identifying gaps in the environment and looking for creative ways to exploit those vulnerabilities and to gain further access within the network or application.

    The ultimate goal is to pivot to other systems, create chained attacks that escalate privilege, and ultimately gain persistent access to the environment while accessing sensitive information.

    This attack simulation provides businesses with an understanding of what real-world attackers could accomplish inside their environments, allowing them to correct issues and shore up defenses. However, it is a point in time assessment that is usually performed annually or quarterly, depending on the company’s needs and budget, changes in the environment, and appetite for accepting risk.

    Raxis Strike is our new name for these traditional penetration tests, and we still find many customers requesting these on a regular basis.

    Penetration Testing as a Service (PTaaS)

    PTaaS has evolved in our industry as a method to address the limitation of penetration testing as a point-in-time assessment. However, there is still no standard definition for PTaaS from one company to another.

    Some companies consider PTaaS an “on-demand” service that kicks off a penetration test upon request. Others provide a certain number of penetration tests during a year. Still others dress up an ongoing vulnerability scan – or a grouping of automated scans and exploits – and call it PTaaS.

    Finding a middle ground that allows ongoing testing without breaking the bank is the trick.

    Raxis Attack is PTaaS designed to be scoped to fit your needs and budget. Attack uses best-in-class scanning for continual scanning complimented with unlimited on-demand penetration testing requests for either individual findings or for the entire environment. And of course, even though you receive results throughout the year, we can still create a PDF report of your current findings to fulfill penetration testing compliance mandates.

    We believe PTaaS is about collaboration – so Attack customers also have access to ongoing chat and video conferencing with the same Raxis engineers who perform our traditional penetration tests. We view it as a “fractional penetration testing team” at your service all year long.

    Ultimately, you should take a deep dive with each company to truly understand what they are offering and which level of service is the best fit for your organization.

    Price vs Quality

    AI Penetration Testing

    Like most industries, AI is making its dent in offensive security as well. AI is often hailed as the silver bullet to all security woes. However, in reality, AI is still limited in what it can do and is very likely not the only tool you need.

    Some companies claim their AI services can do everything manual testing can do and more. In our experience, these claims are often overstated. We have yet to see an AI solution that can truly think outside the box and manipulate systems the same way a seasoned engineer is able to.

    We’ve also seen cases where common tools are scripted to run automatically in an environment using basic known attacks, and that offering is incorrectly branded as an AI-based solution. The concern is that many of those tools, if left unattended, can take down systems and cause other stability concerns.

    If you are considering an AI solution, look closely at the solution and make sure it’s truly offering what what you need.

    So, What Does this Cost Me?

    In the US, vulnerability scans are still the lowest cost of the four methods we discussed above. Often running from a few hundred dollars to a few thousand, depending on the size of your environment and whether the scanning is for regulatory compliance reasons, vulnerability scanning should be an integral part of your security program, but it does not check the penetration test box for compliance, and it doesn’t give you a full picture of your security gaps.

    Likewise, penetration testing pricing will differ depending on the size of the organization and the size and depth of your scope. Most reputable US penetration testing companies will start around $5,000 and go up to well into the six figures. Often these tests can be time-boxed to fit your objectives and budget.

    PTaaS pricing still varies greatly. Factors such as the scope and frequency of testing, the level of manual testing vs automation, the depth of reporting and remediation guidance, and the inclusion of additional features like continuous monitoring all influence the total cost. As a general rule of thumb, the annual cost of a PTaaS subscription is often roughly the price of two traditional penetration tests, but this is only a rough estimate.

    AI Penetration testing tends to be far cheaper than traditional penetration testing and PTaaS primarily because it’s an automated system with little to no human oversight. While it might technically check the box for compliance requirements, Raxis still believes AI testing is best used as a supplemental tool to other forms of adversarial attack simulation. From what we’ve seen, AI testing can start as low as $500 in some instances and increase from there.

    In Summary

    Whatever method you choose for your organization, to accurately assess pricing and select the best solution for your organization, start by discussing your specific requirements with multiple providers and requesting detailed proposals outlining their approaches, deliverables, and associated costs. This will allow you to compare the offerings and to choose the one that strikes the right balance between coverage, quality, and value for your needs and budget.

  • How to Hire a Penetration Testing Firm Part Two

    How to Hire a Penetration Testing Firm Part Two

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer, back with the second in our two-part feature about how to hire a penetration testing firm. This time, we’re suggesting some questions to ask and answers to listen for in the selection process.

    Bonnie Smyre, Raxis COO

    In the first article on this topic, I focused on the six things you and your company should do to begin your search for a pentesting firm. We discussed the importance of identifying why you need a pentest, understanding the data and systems that are at risk, figuring out what type of tests you need, consulting with trusted advisors, as well as checking ratings, reviews, and references.

    If you followed those steps, you’re well-prepared to begin your interviews with prospective firms. Toward that end, here are some questions you should ask during your conversations and some key points you should be listening for in the answers.

    Question 1: What is your experience in performing the type of penetration testing our company is looking for?

    At Raxis, we’re happy to tell you how many and what kind of tests we’ve done and share with you some of our most common findings. If we don’t think the pentest you’re shopping for is going to accomplish your goals, we’ll tell you why and recommend a different type of engagement that will. That’s part of our job as professionals, and we have found that it makes for a better customer experience and often saves time and money.

    On the other hand, if the firm you’re interviewing continually tries to steer you toward more expensive testing or something far different than you think you need, that can be a big red flag. They may be trying to upsell you, or they may simply not have the expertise to conduct it.

    A point we make frequently is that vulnerability scanning is not the same as penetration testing. So, also beware of firms that try to downplay your needs and tell you one is as good as the other. Raxis might recommend a vulnerability scan, but we will never tell you that it should supplant a genuine pentest.

    Question 2: Tell me about your experience in my industry?

    Obviously similar to question 1, this one is based on your reasons for doing a penetration test. If your business is regulated and subject to special laws, rules, or industry requirements, you’ll save a lot of time with pentesters who are familiar with them. For example, if your company takes electronic payments, Raxis knows the Payment Card Industry Data Security Standards (PCI-DSS), and we can plan our testing to make sure you’re compliant.

    When you ask this question, listen to see if the pentesting company proactively mentions any applicable regulations in your field – such as HIPAA compliance for health care organizations or FINRA, GLBA, or SOX, for financial institutions. If they don’t, ask and make sure they understand your needs so that you don’t have to pay for more testing later.

    Question 3: How comprehensive is your reporting?

    The goal of penetration testing should be to give your team actionable results that enable them to prioritize issues and begin resolving them in order of severity. Ask potential pentesting firms to provide a sample report. Does it summarize the issues for executives? Does it categorize the findings effectively and provide sufficient detail for your team members?

    Raxis includes storyboards so that your team can see exactly what we did and how. We also exfiltrate and redact sensitive data when we can. That’s powerful proof of what bad guys can do if your network isn’t secured.

    Also, be sure to ask whether they report where your defenses were solid. This can be especially important when you’re building a cybersecurity budget. Many Raxis clients have found it helpful to show their leadership examples of where previous security enhancements are working well. (And it shows you that those defenses were in fact checked.)

    Question 4: Who are the people I’ll be dealing with? What are their qualifications?

    Be sure that the companies you interview can identify the person who will serve as your point of contact throughout the testing, to work with you on scheduling or to quickly resolve problems that can cost precious time.

    The company should also be willing to tell you about the experience and certifications of team members. It’s a good idea to ask whether the team that conducts your test will include members with similar qualifications so you know it’s not a bait-and-switch.

    At Raxis, the diverse skillsets our team members bring to the table are one of our greatest strengths and something we like to talk about. Before they became penetration testers, our people were corporate cybersecurity leaders, software engineers, web developers, and network admins. And they also bring to the table computer hardware, electronics, mechanical, and IoT experience.

    Question 5: How much will it cost and why?

    Raxis’ CEO Mark Puckett addressed pentest pricing in a recent blog post that goes into detail about the factors that can and should drive the cost of a high-quality penetration test. In summary, the scope of the testing, the time it will take, and the skills of the testers are all cost drivers.

    If the firm mentions additional services they provide, be sure to ask if those are covered in the cost you’ve been quoted, or if there is an additional fee. And ask if there is a minimum engagement time.

    Minimums are common in the industry. Raxis requires three days, but we’ve seen other companies with seven to 10-day minimums. Make sure you ask this early in the conversation. Otherwise, you could waste time you don’t have being sold services you don’t need.

    Conclusion

    Hiring the right penetration testing firm necessarily involves a lot of research and careful consideration. After all, you need a company that can bring to bear all the skills, determination, and devious creativity of black hat hackers – and still act as your trusted security advisor, providing actionable reporting on your vulnerabilities.

    The preparation outlined in part one, along with the questions above, should help you find the best match for your specific needs.

    Of course, we hope you choose Raxis, and we’re ready to put you in touch with our experts whenever you’re ready to talk.

     

    Want to learn more? Take a look at the first part in our How to Hire a Penetration Testing Firm Series.

  • How Much Should You Pay for a Penetration Test?

    How Much Should You Pay for a Penetration Test?

    “Even after 10 years as CEO of Raxis, I’m still amazed at the wildly different pricing attached to a vast and loose array of services broadly labeled as penetration tests. I know something is amiss when I see quotes range from $1,500 to $18,000 per week (and more) for what is ostensibly the same work.“

    Mark Puckett, Raxis CEO

    I understand and appreciate the confusion among companies large and small who need this essential service, but who have no good way of knowing whether they’re getting a bargain or being fleeced. That’s why, once again, I’m stepping in with a straightforward guide that I hope will be helpful to any business that needs to test its cyber defenses against professional, ethical hackers.

    Rules of Thumb
    • As with other professional services, the adage that you get what you pay for does hold true in penetration testing. A quote that’s a lot lower than reputable competitors is cause for skepticism, as is one that is substantially higher. Fortune 500 companies may well need multi-month testing that can cost $250,000 and more, but it’s unlikely smaller firms do.
    • There are some external factors that can affect the price of a penetration test – whether it’s conducted onsite or remotely, or whether it’s a remedial test. For the purposes of this guide, we’ll stick with just the testing itself.
    • The scope is everything. Be certain that what you discuss is exactly what you are getting for the price. Consider carefully what you’re trying to achieve. Are you serious about preventing hackers from hijacking your network, stealing your data, or holding it for ransom? That’s a different objective than simply checking a box to comply with laws or industry regulations.
    The Differentiators

    When you’re considering a company to perform a penetration test, there are three major factors you should take into account alongside cost. They are the skillsets of the pentesters who will actually be doing the work, the time they propose to spend doing it, and the methodology they will employ in the process. Reputable firms like Raxis will spend the time necessary upfront to make certain you know what to expect before you sign a contract.

    Skillsets

    Not all pentesters are the same, and the pricing should reflect that. For example, some testers are phenomenal at hacking Windows systems, but are not nearly as strong when it comes to Linux or mobile technology. Many environments have a mix of Linux, Windows, Android, iOS, Mac OS X, Cisco IOS, wireless networks, and others. Make certain that the team you select is well-versed in all the technologies you have in scope so they can perform a valid test.

    Earth with a question mark

    To reiterate, you should know exactly who will be doing the testing. Just because a company is based in the US does not mean that its testers are. Some firms cut costs by using un-credentialed, offshore teams to do their work. That may or may not be a cause for concern if it’s disclosed upfront. If it’s not, however, I would consider that a big red flag. 

    Time Dedicated to the Job

    The amount of time penetration testers spend on jobs can really vary, and that will influence the price. Some pentesters believe that a week, two weeks, or even months are required to get a comprehensive test completed on your network. There are no hard and fast rules here, but the time should be proportional to the challenge.

    If you’re quoted anything less than a week, I would hope that it’s an extremely small scope of just a handful of IPs with a few services running on them. Otherwise, I’d be skeptical. The key here is to make sure the time spent on the job makes sense with what is in your scope. Also, remember to factor in complexity. For example, a single IP with a large customer facing web portal with 10 user roles will take a lot more time than 250 IP addresses that only respond to ping.

    Interestingly, I’ve heard that some of our competition is taking a week or more to quote the job.  I don’t understand the reasoning behind delays during the sales process, but I certainly recommend taking that into account when you make your decision.

    Methodology

    There are a few different ways to conduct penetration tests. I’ve broken them down into three types for reference.

    • Type A – The “Breach and Reach”: This type of test starts with the low hanging fruit and gains access as quickly as possible, just as a malicious hacker would. The goal is then to pivot, gain additional access to other systems, ensure retention of the foothold, and finally exfiltrate data. This is a true penetration test and demonstrates exactly what would happen in the event of a real-world breach. Some companies call this a “deep” penetration test as it gains access to internal systems and data. It’s the type of test that we prefer to do and what I would recommend as this is what the real adversarial hackers are doing.
    • Type B – The “360 Lock Check”: This test searches for every possible entry point and validates that it actually is exploitable. This validation is most often completed by performing the exploit and gaining additional privileges. The focus with this type is to find as many entry points as possible to ensure they are remediated. The underlying system might be compromised, but the goal is not to pivot, breach additional systems, or to exfiltrate data. This type is often useful for regulatory requirements as it provides better assurance that all known external security vulnerabilities are uncovered.
    • Type C – The “Snapshot”: This is more of a vulnerability scan in which the results from the scanner report are validated and re-delivered within a penetration testing report. Many lower-cost firms are calling this a penetration test, but that is not what it is. However, it may be all you need. If so, Raxis offers a vulnerability scan on an automatic, recurring basis, and it is very useful in discovering new security risks that are caused by changes to the environment or detecting emerging threats. (And no, it’s not a pen test.)

    If you’re serious about security, I strongly recommend testing that ensures both Type A and Type B are part of the scope. That means testing even a small range of IPs can often take a week. However, it is the most comprehensive way to pentest your environment and meet regulatory requirements as well. Type A tests for the ability to pivot and exfiltrate information. Type B will get you that comprehensive test of any vulnerabilities found to ensure that you’re fixing real issues and not false positives.

    In an upcoming post we’ll tell you about a new capability offered through Raxis One. This is pentesting that leverages the power of AI to extend and enhance the capabilities of our talented team of elite ethical hackers. Raxis Pentest AI is considered a hybrid of all three types of testing mentioned above in that it combines continual monitoring and random testing to find and exploit vulnerabilities as soon as they appear.

    The most important advice I can offer anyone shopping for penetration testing services is to ask a lot of questions. High-quality, reputable companies like Raxis will be happy to put experts on the phone with you to provide answers. You can draw your own conclusions about any who won’t.