What’s the cost of a pen test?

Pen test costs vary based on a set of variables. The most common variables to affect the cost of penetration testing services are:

Complexity:  the number of physical sites, and the size and complexity of the environment and network devices to be assessed, are probably the biggest factors in your pen test quote. The more sites and the more complex the environment, the more labour is required to enumerate the network, assess exposed web applications, and chase down every possible vulnerability.

Methodology:  different pen testers have their own ways of conducting a penetration test. Some use more expensive commercial tooling than others, which can increase the price, although better tooling can also shorten the engagement and improve the quality and coverage of the results. Ask what methodology and tooling a quote assumes, and how much of the work is manual testing rather than automated scanning.

Experience:  pen testers with more experience are more expensive. Beware of pen testers that offer prices that are too good to be true; they probably aren't doing a thorough job. Look for penetration testers with credentials such as CEH or CISSP, or who are certified by, or work for a company accredited by, CREST.

Onsite:  most penetration tests can be done offsite. However, in cases that involve large or complex environments, an onsite visit might be required to adequately test business security. Onsite visits are also required if physical security or social engineering penetration tests are in scope.

Remediation:  good pen testers include remediation assistance and/or retesting of the reported findings in their price. Others hand over the report and disappear, leaving you to verify your own fixes.

The time it takes to conduct a pen test therefore varies with the size of the client's network, the complexity of that network, and the number and seniority of the penetration test staff assigned. A small environment can be done in a few days, but a large environment can take several weeks.

Typically, a medium-complexity penetration test extending over several weeks starts at around £10,000, but can rise to well above £20,000 as complexity or scope increases.

Remember, an attacker only needs one hole to get into your network and steal data. Pen testers work to find as many of those holes as possible before an attacker does. You are paying a professional team to manually look through the nooks and crannies of your business and determine what is actually exploitable, not just what a scanner flags.