[ale] OT: Pen test cost

Brian Mathis brian.mathis+ale at betteradmin.com
Wed Jul 15 12:29:44 EDT 2015

You should be clear if they are doing a "penetration test" or a "network
scan" -- they are not the same.  A network scan just scans your IPs for
anything that's open and reports on potentially vulnerable
software/versions running on those ports.  A real penetration test is
typically more in depth and often focused on a single application where
they actually login to it and try to break out of the security
protections.  Both are valuable things to have done, but make sure you are
very clear on the difference (though I would not be so upfront to your
client as they might be happy with a network scan instead of a full pen

It sounds like you're talking about a network scan, which is still a lot of
work as Jim mentioned.  For this price, I would expect a pretty in-depth
analysis of your environment, so you might want to go back to them and get
a full list of the methodology they're going to use for the scan (what
tools, how will they process and present them, etc...).  This would be a
lot of money for something like a simple nmap scan, but if they're probing
deeper then it's worth paying for.

Also keep in mind that external companies are always paid to find
*something*, so if your systems are really locked down it might be worth
it to plant something "easy" to find which will also serve as a gauge for
you to tell how thorough they were with the scan.

❧ Brian Mathis

On Wed, Jul 15, 2015 at 8:22 AM, Edward Holcroft <eholcroft at mkainc.com>

> Folks,
> I have a quote for a pen test for my company. It comes to $15k and they
> will be looking at about 50 public IP's. They will give us a full report,
> as well as a general report for our client that has demanded the testing.
> They also offer a re-test as part of the deal once we have addressed any
> potential holes that they discover.
> These guys come highly recommended by someone from this list, so I'm ready
> to pull the trigger on it. But having no experience in this field, I was
> just wondering if someone can comment on the pricing. Is this typical? Does
> it sound about right?
> I realize this is like asking "How long's a piece of string?" but I'd be
> grateful for any advice. I just need to know if this is in the ball park or
> if it's nuts.
> cheers
> ed
> --
> Edward Holcroft | Madsen Kneppers & Associates Inc.
> 11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
> O (770) 446-9606 | M (770) 630-0949
> NOTICE: This message may be confidential and/or privileged. If you are not
> the intended recipient, please notify the sender immediately then delete it
> - you should not copy or use it for any purpose or disclose its content to
> any other person. Internet communications are not secure. You should scan
> this message and any attachments for viruses. Any unauthorized use or
> interception of this e-mail is illegal.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
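Added example (not part of Brian's reply or the thread): the "network scan" Brian describes is essentially a port sweep plus a banner grab, and his suggestion to plant something "easy" to find is a coverage check on the vendor. The script below stands up a throwaway listener with a deliberately outdated-looking banner so you can confirm the canary is reachable before the engagement, then parses a findings table and reports which planted canaries the vendor actually caught. The hosts (RFC 5737 TEST-NET addresses), ports, banners and the report format are all constructed for illustration; a real vendor's report will need its own parser.

```python
"""Planting a 'canary' finding and checking whether a vendor's scan report
caught it. Added example, not from the mailing-list thread; all hosts, ports,
report lines and the 'canary' banners below are constructed for illustration."""
import re
import socket
import threading

# Constructed sample: what we deliberately exposed before the engagement.
# TEST-NET addresses (RFC 5737) are used so nothing here points at a real host.
PLANTED_CANARIES = [
    {"host": "203.0.113.10", "port": 8443, "banner": "Apache Tomcat/5.5.9 canary-2015-07"},
    {"host": "203.0.113.12", "port": 2222, "banner": "SSH-2.0-OpenSSH_4.3 canary-2015-07"},
]

# Constructed sample of the findings table a vendor might hand back.
SAMPLE_REPORT = """\
host            port   proto  state  service   notes
203.0.113.10    443    tcp    open   https     TLS 1.2, no issues
203.0.113.10    8443   tcp    open   https-alt Apache Tomcat/5.5.9 canary-2015-07 (outdated)
203.0.113.11    22     tcp    open   ssh       OpenSSH 6.6
"""

FINDING_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_findings(report_text):
    """Turn the report's host/port table into a list of dicts; skips the header."""
    findings = []
    for line in report_text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            host, port, proto, state, service, notes = m.groups()
            findings.append({"host": host, "port": int(port), "proto": proto,
                             "state": state, "service": service, "notes": notes})
    return findings


def canary_coverage(canaries, findings):
    """Return (found, missed): which planted canaries the report mentions.
    A canary counts as found only if the host:port is listed AND the banner
    string we planted appears in the notes, i.e. they actually grabbed it."""
    found, missed = [], []
    for c in canaries:
        hit = any(f["host"] == c["host"] and f["port"] == c["port"]
                  and c["banner"] in f["notes"] for f in findings)
        (found if hit else missed).append(c)
    return found, missed


def serve_banner(banner, host="127.0.0.1", port=0):
    """Start a throwaway TCP listener that sends `banner` and closes.
    Returns (bound_port, stop) so the caller can verify the canary is reachable
    before the engagement starts. Port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)
    stopping = threading.Event()

    def loop():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall((banner + "\r\n").encode())
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stopping.set


def grab_banner(host, port, timeout=2.0):
    """What a scanner's banner grab sees: connect, read up to 256 bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode(errors="replace").strip()


if __name__ == "__main__":
    port, stop = serve_banner(PLANTED_CANARIES[0]["banner"])
    print("canary reachable:", grab_banner("127.0.0.1", port))
    stop()
    found, missed = canary_coverage(PLANTED_CANARIES, parse_findings(SAMPLE_REPORT))
    print("found :", [(c["host"], c["port"]) for c in found])
    print("missed:", [(c["host"], c["port"]) for c in missed])
```

Requiring the planted banner text in the notes, not just the host:port, is deliberate: a bare port sweep lists 8443 as open, but only a scan that grabbed and recorded the banner will show the version string, which is the difference between "we ran nmap" and the deeper probing Brian says the price should buy. On the sample report the first canary is found and the second (203.0.113.12:2222) is missed, which is exactly the conversation to have with the vendor.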