Tag: Penetration Test Cost

  • How to Hire a Penetration Testing Firm Part Two

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer, back with the second in our two-part feature about how to hire a penetration testing firm. This time, we’re suggesting some questions to ask and answers to listen for in the selection process.

    Bonnie Smyre, Raxis COO

    In the first article on this topic, I focused on the six things you and your company should do to begin your search for a pentesting firm. We discussed the importance of identifying why you need a pentest, understanding the data and systems that are at risk, figuring out what type of tests you need, consulting with trusted advisors, as well as checking ratings, reviews, and references.

    If you followed those steps, you’re well-prepared to begin your interviews with prospective firms. Toward that end, here are some questions you should ask during your conversations and some key points you should be listening for in the answers.

    Question 1: What is your experience in performing the type of penetration testing our company is looking for?

    At Raxis, we’re happy to tell you how many and what kind of tests we’ve done and share with you some of our most common findings. If we don’t think the pentest you’re shopping for is going to accomplish your goals, we’ll tell you why and recommend a different type of engagement that will. That’s part of our job as professionals, and we have found that it makes for a better customer experience and often saves time and money.

    On the other hand, if the firm you’re interviewing continually tries to steer you toward more expensive testing or something far different than you think you need, that can be a big red flag. They may be trying to upsell you, or they may simply not have the expertise to conduct it.

    A point we make frequently is that vulnerability scanning is not the same as penetration testing. So, also beware of firms that try to downplay your needs and tell you one is as good as the other. Raxis might recommend a vulnerability scan, but we will never tell you that it should supplant a genuine pentest.

    Question 2: Tell me about your experience in my industry?

    Obviously similar to question 1, this one is based on your reasons for doing a penetration test. If your business is regulated and subject to special laws, rules, or industry requirements, you’ll save a lot of time with pentesters who are familiar with them. For example, if your company takes electronic payments, Raxis knows the Payment Card Industry Data Security Standards (PCI-DSS), and we can plan our testing to make sure you’re compliant.

    When you ask this question, listen to see if the pentesting company proactively mentions any applicable regulations in your field – such as HIPAA compliance for health care organizations or FINRA, GLBA, or SOX, for financial institutions. If they don’t, ask and make sure they understand your needs so that you don’t have to pay for more testing later.

    Question 3: How comprehensive is your reporting?

    The goal of penetration testing should be to give your team actionable results that enable them to prioritize issues and begin resolving them in order of severity. Ask potential pentesting firms to provide a sample report. Does it summarize the issues for executives? Does it categorize the findings effectively and provide sufficient detail for your team members?

    Raxis includes storyboards so that your team can see exactly what we did and how. We also exfiltrate and redact sensitive data when we can. That’s powerful proof of what bad guys can do if your network isn’t secured.

    Also, be sure to ask whether they report where your defenses were solid. This can be especially important when you’re building a cybersecurity budget. Many Raxis clients have found it helpful to show their leadership examples of where previous security enhancements are working well. (And it shows you that those defenses were in fact checked.)

    Question 4: Who are the people I’ll be dealing with? What are their qualifications?

    Be sure that the companies you interview can identify the person who will serve as your point of contact throughout the testing, to work with you on scheduling or to quickly resolve problems that can cost precious time.

    The company should also be willing to tell you about the experience and certifications of team members. It’s a good idea to ask whether the team that conducts your test will include members with similar qualifications so you know it’s not a bait-and-switch.

    At Raxis, the diverse skillsets our team members bring to the table are one of our greatest strengths and something we like to talk about. Before they became penetration testers, our people were corporate cybersecurity leaders, software engineers, web developers, and network admins. And they also bring to the table computer hardware, electronics, mechanical, and IoT experience.

    Question 5: How much will it cost and why?

    Raxis’ CEO Mark Puckett addressed pentest pricing in a recent blog post that goes into detail about the factors that can and should drive the cost of a high-quality penetration test. In summary, the scope of the testing, the time it will take, and the skills of the testers are all cost drivers.

    If the firm mentions additional services they provide, be sure to ask if those are covered in the cost you’ve been quoted, or if there is an additional fee. And ask if there is a minimum engagement time.

    Minimums are common in the industry. Raxis requires three days, but we’ve seen other companies with seven to 10-day minimums. Make sure you ask this early in the conversation. Otherwise, you could waste time you don’t have being sold services you don’t need.

    Conclusion

    Hiring the right penetration testing firm necessarily involves a lot of research and careful consideration. After all, you need a company that can bring to bear all the skills, determination, and devious creativity of black hat hackers – and still act as your trusted security advisor, providing actionable reporting on your vulnerabilities.

    The preparation outlined in part one, along with the questions above, should help you find the best match for your specific needs.

    Of course, we hope you choose Raxis, and we’re ready to put you in touch with our experts whenever you’re ready to talk.

     

    Want to learn more? Take a look at the first part in our How to Hire a Penetration Testing Firm Series.

  • How Much Should You Pay for a Penetration Test?

    “Even after 10 years as CEO of Raxis, I’m still amazed at the wildly different pricing attached to a vast and loose array of services broadly labeled as penetration tests. I know something is amiss when I see quotes range from $1,500 to $18,000 per week (and more) for what is ostensibly the same work.“

    Mark Puckett, Raxis CEO

    I understand and appreciate the confusion among companies large and small who need this essential service, but who have no good way of knowing whether they’re getting a bargain or being fleeced. That’s why, once again, I’m stepping in with a straightforward guide that I hope will be helpful to any business that needs to test its cyber defenses against professional, ethical hackers.

    Rules of Thumb
    • As with other professional services, the adage that you get what you pay for does hold true in penetration testing. A quote that’s a lot lower than reputable competitors is cause for skepticism, as is one that is substantially higher. Fortune 500 companies may well need multi-month testing that can cost $250,000 and more, but it’s unlikely smaller firms do.
    • There are some external factors that can affect the price of a penetration test – whether it’s conducted onsite or remotely, or whether it’s a remedial test. For the purposes of this guide, we’ll stick with just the testing itself.
    • The scope is everything. Be certain that what you discuss is exactly what you are getting for the price. Consider carefully what you’re trying to achieve. Are you serious about preventing hackers from hijacking your network, stealing your data, or holding it for ransom? That’s a different objective than simply checking a box to comply with laws or industry regulations.
    The Differentiators

    When you’re considering a company to perform a penetration test, there are three major factors you should take into account alongside cost. They are the skillsets of the pentesters who will actually be doing the work, the time they propose to spend doing it, and the methodology they will employ in the process. Reputable firms like Raxis will spend the time necessary upfront to make certain you know what to expect before you sign a contract.

    Skillsets

    Not all pentesters are the same, and the pricing should reflect that. For example, some testers are phenomenal at hacking Windows systems, but are not nearly as strong when it comes to Linux or mobile technology. Many environments have a mix of Linux, Windows, Android, iOS, Mac OS X, Cisco IOS, wireless networks, and others. Make certain that the team you select is well-versed in all the technologies you have in scope so they can perform a valid test.

    Earth with a question mark

    To reiterate, you should know exactly who will be doing the testing. Just because a company is based in the US does not mean that its testers are. Some firms cut costs by using un-credentialed, offshore teams to do their work. That may or may not be a cause for concern if it’s disclosed upfront. If it’s not, however, I would consider that a big red flag. 

    Time Dedicated to the Job

    The amount of time penetration testers spend on jobs can really vary, and that will influence the price. Some pentesters believe that a week, two weeks, or even months are required to get a comprehensive test completed on your network. There are no hard and fast rules here, but the time should be proportional to the challenge.

    If you’re quoted anything less than a week, I would hope that it’s an extremely small scope of just a handful of IPs with a few services running on them. Otherwise, I’d be skeptical. The key here is to make sure the time spent on the job makes sense with what is in your scope. Also, remember to factor in complexity. For example, a single IP with a large customer facing web portal with 10 user roles will take a lot more time than 250 IP addresses that only respond to ping.

    Interestingly, I’ve heard that some of our competition is taking a week or more to quote the job.  I don’t understand the reasoning behind delays during the sales process, but I certainly recommend taking that into account when you make your decision.

    Methodology

    There are a few different ways to conduct penetration tests. I’ve broken them down into three types for reference.

    • Type A – The “Breach and Reach”: This type of test starts with the low hanging fruit and gains access as quickly as possible, just as a malicious hacker would. The goal is then to pivot, gain additional access to other systems, ensure retention of the foothold, and finally exfiltrate data. This is a true penetration test and demonstrates exactly what would happen in the event of a real-world breach. Some companies call this a “deep” penetration test as it gains access to internal systems and data. It’s the type of test that we prefer to do and what I would recommend as this is what the real adversarial hackers are doing.
    • Type B – The “360 Lock Check”: This test searches for every possible entry point and validates that it actually is exploitable. This validation is most often completed by performing the exploit and gaining additional privileges. The focus with this type is to find as many entry points as possible to ensure they are remediated. The underlying system might be compromised, but the goal is not to pivot, breach additional systems, or to exfiltrate data. This type is often useful for regulatory requirements as it provides better assurance that all known external security vulnerabilities are uncovered.
    • Type C – The “Snapshot”: This is more of a vulnerability scan in which the results from the scanner report are validated and re-delivered within a penetration testing report. Many lower-cost firms are calling this a penetration test, but that is not what it is. However, it may be all you need. If so, Raxis offers a vulnerability scan on an automatic, recurring basis, and it is very useful in discovering new security risks that are caused by changes to the environment or detecting emerging threats. (And no, it’s not a pen test.)

    If you’re serious about security, I strongly recommend testing that ensures both Type A and Type B are part of the scope. That means testing even a small range of IPs can often take a week. However, it is the most comprehensive way to pentest your environment and meet regulatory requirements as well. Type A tests for the ability to pivot and exfiltrate information. Type B will get you that comprehensive test of any vulnerabilities found to ensure that you’re fixing real issues and not false positives.

    In an upcoming post we’ll tell you about a new capability offered through Raxis One. This is pentesting that leverages the power of AI to extend and enhance the capabilities of our talented team of elite ethical hackers. Raxis Pentest AI is considered a hybrid of all three types of testing mentioned above in that it combines continual monitoring and random testing to find and exploit vulnerabilities as soon as they appear.

    The most important advice I can offer anyone shopping for penetration testing services is to ask a lot of questions. High-quality, reputable companies like Raxis will be happy to put experts on the phone with you to provide answers. You can draw your own conclusions about any who won’t.